Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,465)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2014-3177 1Google 1Chrome May 6, 2026 Aug 27, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vul...Show more Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3176.Show less
CVE-2014-3176 1Google 1Chrome May 6, 2026 Aug 27, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vul...Show more Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177.Show less
CVE-2014-5261 1Cacti 1Cacti May 6, 2026 Aug 22, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
CVE-2014-4767 1Ibm 1Websphere Application Server May 6, 2026 Aug 22, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via uns...Show more IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors.Show less
CVE-2014-5210 1Alienvault 1Open Source Security Information Management May 6, 2026 Aug 21, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 an...Show more The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.Show less
CVE-2014-5158 1Alienvault 1Open Source Security Information Management May 6, 2026 Aug 21, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVE-2014-5194 1Sphider 1Sphider May 6, 2026 Aug 7, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Static code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.
CVE-2014-3429 3Ipython MageiaOpensuse 3Ipython Notebook MageiaOpensuse May 6, 2026 Aug 7, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
CVE-2013-7394 1Splunk 1Splunk May 6, 2026 Aug 7, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 The "runshellscript echo.sh" script in Splunk before 5.0.5 allows remote authenticated users to execute arbitrary commands via a crafted string. NOTE: this issue was SPLIT from CVE-2013-6771 per ADT2 due to different vu...Show more The "runshellscript echo.sh" script in Splunk before 5.0.5 allows remote authenticated users to execute arbitrary commands via a crafted string. NOTE: this issue was SPLIT from CVE-2013-6771 per ADT2 due to different vulnerability types.Show less
CVE-2014-0479 2Canonical Debian 2Reportbug Reportbug May 6, 2026 Aug 6, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py.
CVE-2014-5090 1Status2k 1Status2k May 6, 2026 Aug 6, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 admin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the Location field in Add Logs in the Admin Panel.
CVE-2014-3560 3Canonical RedhatSamba 3Enterprise Linux SambaUbuntu Linux May 6, 2026 Aug 6, 2014 N/A· v4 N/A· v3 7.9 HIGH· v2 NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on...Show more NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h.Show less
CVE-2014-3545 1Moodle 1Moodle May 6, 2026 Jul 29, 2014 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz.
CVE-2014-3541 1Moodle 1Moodle May 6, 2026 Jul 29, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitra...Show more The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.Show less
CVE-2014-5112 1Netfortris 1Trixbox May 6, 2026 Jul 28, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.
CVE-2014-1557 3Debian MozillaOracle 5Debian Linux FirefoxFirefox Esr+2 more May 6, 2026 Jul 23, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function executio...Show more The ConvolveHorizontally function in Skia, as used in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, does not properly handle the discarding of image data during function execution, which allows remote attackers to execute arbitrary code by triggering prolonged image scaling, as demonstrated by scaling of a high-quality image.Show less
CVE-2014-1556 1Mozilla 3Firefox Firefox EsrThunderbird May 6, 2026 Jul 23, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to execute arbitrary code via crafted WebGL content constructed with the Cesium JavaScript library.
CVE-2014-3518 1Redhat 4Jboss Enterprise Application Platform Jboss Enterprise Brms PlatformJboss Enterprise Portal Platform+1 more May 6, 2026 Jul 22, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not pro...Show more jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors.Show less
CVE-2014-1999 1Fuelphp 1Fuelphp May 6, 2026 Jul 20, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The auto-format feature in the Request_Curl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response.
CVE-2014-4663 1Binarymoon 2Timthumb Wordthumb May 6, 2026 Jul 15, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.

Previous 1...228229230...324 Next