Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,467)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-6455 1Ntp 1Ntp May 13, 2026 Mar 27, 2017 N/A· v4 7.0 HIGH· v3 4.4 MEDIUM· v2 NTP before 4.2.8p10 and 4.3.x before 4.3.94, when using PPSAPI, allows local users to gain privileges via a DLL in the PPSAPI_DLLS environment variable.
CVE-2015-0855 1Pitivi 1Pitivi May 13, 2026 Mar 23, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The _mediaLibraryPlayCb function in mainwindow.py in pitivi before 0.95 allows attackers to execute arbitrary code via shell metacharacters in a file path.
CVE-2016-1602 1Suse 3Linux Enterprise Desktop Linux Enterprise ServerSuse Linux Enterprise Server May 13, 2026 Mar 23, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as...Show more A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root).Show less
CVE-2017-6186 1Bitdefender 3Antivirus Plus Internet SecurityTotal Security May 13, 2026 Mar 21, 2017 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, in...Show more Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.Show less
CVE-2016-8020 1Mcafee 1Virusscan Enterprise May 13, 2026 Mar 14, 2017 N/A· v4 8.0 HIGH· v3 6.0 MEDIUM· v2 Improper control of generation of code vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to execute arbitrary code via a crafted HTTP request paramete...Show more Improper control of generation of code vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to execute arbitrary code via a crafted HTTP request parameter.Show less
CVE-2017-2968 1Adobe 1Campaign May 13, 2026 Feb 15, 2017 N/A· v4 9.1 CRITICAL· v3 7.5 HIGH· v2 Adobe Campaign versions 16.4 Build 8724 and earlier have a code injection vulnerability.
CVE-2016-8354 1Schneider Electric 1Unity Pro May 13, 2026 Feb 13, 2017 N/A· v4 7.0 HIGH· v3 5.1 MEDIUM· v2 An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequent...Show more An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions.Show less
CVE-2015-8771 1Gosa Project 1Gosa Plugin May 13, 2026 Feb 13, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password.
CVE-2016-5727 1Simplemachines 1Simple Machines Forum May 13, 2026 Feb 9, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop.
CVE-2016-5726 1Simplemachines 1Simple Machines Forum May 13, 2026 Feb 9, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter.
CVE-2016-6175 1Php Gettext Project 1Php Gettext May 13, 2026 Feb 7, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
CVE-2016-7102 1Owncloud 1Owncloud Desktop Client May 13, 2026 Jan 23, 2017 N/A· v4 8.4 HIGH· v3 4.6 MEDIUM· v2 ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a "special path" in the C: drive.
CVE-2016-2242 1Exponentcms 1Exponent Cms May 13, 2026 Jan 23, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php.
CVE-2016-10157 1Akamai 1Netsession May 13, 2026 Jan 23, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because the mentioned DLL is missing from the installation, thus making...Show more Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because the mentioned DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code within the Akamai NetSession process space.Show less
CVE-2017-5543 1Intelliants 1Subrion May 13, 2026 Jan 20, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.
CVE-2016-10072 1Wampserver 1Wampserver May 6, 2026 Dec 27, 2016 N/A· v4 7.5 HIGH· v3 6.9 MEDIUM· v2 WampServer 3.0.6 has two files called 'wampmanager.exe' and 'unins000.exe' with a weak ACL for Modify. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated priv...Show more WampServer 3.0.6 has two files called 'wampmanager.exe' and 'unins000.exe' with a weak ACL for Modify. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. To properly exploit this vulnerability, the local attacker must insert an executable file called wampmanager.exe or unins000.exe and replace the original files. The next time one of these programs is launched by a more privileged user, malicious code chosen by the local attacker will run. NOTE: the vendor disputes the relevance of this report, taking the position that a configuration in which "'someone' (an attacker) is able to replace files on a PC" is not "the fault of WampServer.Show less
CVE-2016-7968 1Kde 1Kmail May 6, 2026 Dec 23, 2016 N/A· v4 6.5 MEDIUM· v3 7.5 HIGH· v2 KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.
CVE-2016-7967 1Kde 1Kmail May 6, 2026 Dec 23, 2016 N/A· v4 8.1 HIGH· v3 5.8 MEDIUM· v2 KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
CVE-2016-7966 4Debian FedoraprojectKde+1 more 4Debian Linux FedoraKmail+1 more May 6, 2026 Dec 23, 2016 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space int...Show more Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.Show less
CVE-2016-7787 2Kde Opensuse 3Kde Cli Tools LeapOpensuse May 6, 2026 Dec 23, 2016 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.

Previous 1...219220221...324 Next