Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,465)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-7729 1Sap 1Hana May 6, 2026 Oct 15, 2015 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via unspecified vectors, aka...Show more Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via unspecified vectors, aka SAP Security Note 2153892.Show less
CVE-2015-5647 1Cybozu 1Garoon May 6, 2026 Oct 12, 2015 N/A· v4 N/A· v3 8.5 HIGH· v2 The RSS Reader component in Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to execute arbitrary PHP code via unspecified vectors, aka CyVDB-866.
CVE-2015-5646 1Cybozu 1Garoon May 6, 2026 Oct 12, 2015 N/A· v4 N/A· v3 8.5 HIGH· v2 Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 allows remote authenticated users to execute arbitrary PHP code via unspecified vectors, aka CyVDB-863 and CyVDB-867.
CVE-2015-5644 1Icz 1Matchasns May 6, 2026 Oct 6, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The installer in ICZ MATCHA SNS before 1.3.7 does not properly configure the database, which allows remote attackers to execute arbitrary PHP code via unspecified vectors.
CVE-2015-5643 1Icz 1Matchasns May 6, 2026 Oct 6, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The installer in ICZ MATCHA INVOICE before 2.5.7 does not properly configure the database, which allows remote attackers to execute arbitrary PHP code via unspecified vectors.
CVE-2015-5687 1Anchorcms 1Anchor Cms May 6, 2026 Oct 5, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in a cookie.
CVE-2015-7381 1Refbase 1Refbase May 6, 2026 Sep 28, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructur...Show more Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.Show less
CVE-2015-5603 1Atlassian 1Hipchat May 6, 2026 Sep 21, 2015 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
CVE-2015-5693 1Symantec 1Web Gateway May 6, 2026 Sep 20, 2015 N/A· v4 N/A· v3 7.9 HIGH· v2 The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands via vectors related to "traffic capture."
CVE-2014-8778 1Checkmarx 1Cxsast May 6, 2026 Sep 16, 2015 N/A· v4 N/A· v3 9.0 HIGH· v2 Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote authenticated users to bypass the CxQL sandbox protection mechanism and execute arbitrary C# code by asserting the (1) System.Security.Permissions.Permission...Show more Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote authenticated users to bypass the CxQL sandbox protection mechanism and execute arbitrary C# code by asserting the (1) System.Security.Permissions.PermissionState.Unrestricted or (2) System.Security.Permissions.SecurityPermissionFlag.AllFlags permission.Show less
CVE-2014-2331 1Check Mk Project 1Check Mk May 6, 2026 Aug 31, 2015 N/A· v4 N/A· v3 8.5 HIGH· v2 Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014...Show more Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.Show less
CVE-2015-2308 1Sensiolabs 1Symfony May 6, 2026 Jun 24, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="...Show more Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.Show less
CVE-2015-4726 1Audiosharescript 1Audioshare May 6, 2026 Jun 23, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in ajax/myajaxphp.php in AudioShare 2.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the config['basedir'] parameter.
CVE-2015-4338 1Xcloner 1Xcloner May 6, 2026 Jun 17, 2015 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as d...Show more Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.Show less
CVE-2015-0935 1Bomgar 1Remote Support May 6, 2026 May 25, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Bomgar Remote Support before 15.1.1 allows remote attackers to execute arbitrary PHP code via crafted serialized data to unspecified PHP scripts.
CVE-2015-2945 1H Fj 1Mt Phpincgi May 6, 2026 May 25, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does not properly restrict URLs, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted request...Show more mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does not properly restrict URLs, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted request, as exploited in the wild in May 2015.Show less
CVE-2015-1699 1Microsoft 8Windows 7 Windows 8Windows 8.1+5 more May 6, 2026 May 13, 2015 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a...Show more Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka "Windows Journal Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, and CVE-2015-1698.Show less
CVE-2015-1698 1Microsoft 8Windows 7 Windows 8Windows 8.1+5 more May 6, 2026 May 13, 2015 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a...Show more Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka "Windows Journal Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, and CVE-2015-1699.Show less
CVE-2015-1697 1Microsoft 8Windows 7 Windows 8Windows 8.1+5 more May 6, 2026 May 13, 2015 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a...Show more Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka "Windows Journal Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1698, and CVE-2015-1699.Show less
CVE-2015-1696 1Microsoft 8Windows 7 Windows 8Windows 8.1+5 more May 6, 2026 May 13, 2015 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a...Show more Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka "Windows Journal Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1697, CVE-2015-1698, and CVE-2015-1699.Show less

Previous 1...221222223...324 Next