Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,465)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2014-4043 2Gnu Opensuse 2Glibc Opensuse May 6, 2026 Oct 6, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabil...Show more The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.Show less
CVE-2014-2044 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Oct 6, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and exec...Show more Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.Show less
CVE-2013-1436 1Xmonad 1Xmonad Contrab May 6, 2026 Oct 6, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title,...Show more The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.Show less
CVE-2014-6298 1Mm Forum Project 1Mm Forum May 6, 2026 Oct 3, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Unrestricted file upload vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecifie...Show more Unrestricted file upload vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.Show less
CVE-2014-3947 1Alex Kellner 1Powermail May 6, 2026 Oct 3, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Unrestricted file upload vulnerability in the powermail extension before 1.6.11 and 2.x before 2.0.14 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with a crafted extension, then accessi...Show more Unrestricted file upload vulnerability in the powermail extension before 1.6.11 and 2.x before 2.0.14 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with a crafted extension, then accessing it via unspecified vectors.Show less
CVE-2012-5495 1Plone 1Plone May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back."
CVE-2012-5493 1Plone 1Plone May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors.
CVE-2012-5488 1Plone 1Plone May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.
CVE-2012-5485 1Plone 1Plone May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.
CVE-2014-2639 1Hp 1Mpio Device Specific Module Manager May 6, 2026 Sep 28, 2014 N/A· v4 N/A· v3 4.6 MEDIUM· v2 Unspecified vulnerability in HP MPIO Device Specific Module Manager before 4.02.00 allows local users to gain privileges via unknown vectors.
CVE-2014-6446 1Infusionsoft Gravity Forms Project 1Infusionsoft Gravity Forms May 6, 2026 Sep 26, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilitie...Show more The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.Show less
CVE-2014-5324 1Najeebmedia 1N Media File Uploader May 6, 2026 Sep 26, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Unrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file.
CVE-2006-1318 1Microsoft 1Office May 6, 2026 Sep 19, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed c...Show more Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."Show less
CVE-2013-4444 1Apache 1Tomcat May 6, 2026 Sep 12, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by u...Show more Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.Show less
CVE-2014-5519 1Phpwiki Project 1Phpwiki May 6, 2026 Sep 11, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtain...Show more The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.Show less
CVE-2014-2223 1Plogger 1Plogger May 6, 2026 Sep 11, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-z...Show more Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.Show less
CVE-2014-3910 1Emurasoft 1Emftp May 6, 2026 Sep 5, 2014 N/A· v4 N/A· v3 4.4 MEDIUM· v2 Emurasoft EmFTP allows local users to gain privileges via a Trojan horse executable file that is launched during an attempt to read a similarly named file that lacks a filename extension.
CVE-2014-2378 1Sensysnetworks 4Trafficdot VdsVsn240 F+1 more May 6, 2026 Sep 5, 2014 N/A· v4 N/A· v3 7.6 HIGH· v2 Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse u...Show more Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.Show less
CVE-2014-5340 1Check Mk Project 1Check Mk May 6, 2026 Sep 2, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automa...Show more The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.Show less
CVE-2014-0485 1S3ql Project 1S3ql May 6, 2026 Sep 2, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

Previous 1...227228229...324 Next