Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,466)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2016-9949 2Apport Project Canonical 2Apport Ubuntu Linux May 6, 2026 Dec 17, 2016 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers to execute arbitrary P...Show more An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers to execute arbitrary Python code.Show less
CVE-2016-9862 1Phpmyadmin 1Phpmyadmin May 6, 2026 Dec 11, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in phpMyAdmin. With a crafted login request it is possible to inject BBCode in the login page. All 4.6.x versions (prior to 4.6.5) are affected.
CVE-2016-5424 2Debian Postgresql 2Debian Linux Postgresql May 6, 2026 Dec 9, 2016 N/A· v4 7.1 HIGH· v3 4.6 MEDIUM· v2 PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via...Show more PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.Show less
CVE-2016-1000003 1Mirror Manager Project 1Mirror Manager May 6, 2026 Oct 7, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Mirror Manager version 0.7.2 and older is vulnerable to remote code execution in the checkin code.
CVE-2016-5149 2Google Opensuse 2Chrome Leap May 6, 2026 Sep 11, 2016 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to cond...Show more The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a resource that initially has the about:blank URL.Show less
CVE-2016-7110 1Huawei 1Uma May 6, 2026 Sep 7, 2016 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows remote attackers to execute arbitrary commands via "special characters," a different vulnerability than CVE-2016-7109.
CVE-2016-7109 1Huawei 1Uma May 6, 2026 Sep 7, 2016 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows remote attackers to execute arbitrary commands via "special characters," a different vulnerability than CVE-2016-7110.
CVE-2015-5721 1Misp Project 1Malware Information Sharing Platform May 6, 2026 Sep 3, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_a...Show more Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_attributes.ctp.Show less
CVE-2016-2119 1Samba 1Samba May 6, 2026 Jul 7, 2016 N/A· v4 7.5 HIGH· v3 6.8 MEDIUM· v2 libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 s...Show more libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 servers, via the (1) SMB2_SESSION_FLAG_IS_GUEST or (2) SMB2_SESSION_FLAG_IS_NULL flag.Show less
CVE-2016-5734 1Phpmyadmin 1Phpmyadmin May 6, 2026 Jul 3, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute...Show more phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.Show less
CVE-2016-1413 1Cisco 1Secure Firewall Management Center May 6, 2026 May 28, 2016 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The web interface in Cisco Firepower Management Center 5.4.0 through 6.0.0.1 allows remote authenticated users to modify pages by placing crafted code in a parameter value, aka Bug ID CSCuy76517.
CVE-2016-3154 1Spip 1Spip May 6, 2026 Apr 8, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PH...Show more The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.Show less
CVE-2016-3153 2Debian Spip 2Debian Linux Spip May 6, 2026 Apr 8, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
CVE-2015-5970 1Novell 1Zenworks Configuration Management May 6, 2026 Feb 18, 2016 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a s...Show more The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference.Show less
CVE-2016-1986 1Hp 1Continuous Delivery Automation May 6, 2026 Feb 12, 2016 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 HP Continuous Delivery Automation (CDA) 1.30 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CVE-2016-0033 1Microsoft 1.net Framework May 6, 2026 Feb 10, 2016 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 does not prevent recursive compilation of XSLT transforms, which allows remote attackers to cause a denial of service (performance degradation) via craf...Show more Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 does not prevent recursive compilation of XSLT transforms, which allows remote attackers to cause a denial of service (performance degradation) via crafted XSLT data, aka ".NET Framework Stack Overflow Denial of Service Vulnerability."Show less
CVE-2016-1985 1Hp 1Operations Manager May 6, 2026 Jan 30, 2016 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CVE-2015-8761 1Values Project 1Values May 6, 2026 Jan 8, 2016 N/A· v4 9.0 CRITICAL· v3 6.0 MEDIUM· v2 The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values li...Show more The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.Show less
CVE-2015-5242 1Redhat 1Gluster Storage May 6, 2026 Nov 25, 2015 N/A· v4 N/A· v3 6.0 MEDIUM· v2 OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a crafted extended attribu...Show more OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a crafted extended attribute (xattrs).Show less
CVE-2015-7905 1Unitronics 1Visilogic Oplc Ide May 6, 2026 Nov 13, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Unitronics VisiLogic OPLC IDE before 9.8.02 allows remote attackers to execute unspecified code via unknown vectors.

Previous 1...220221222...324 Next