Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,461)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-1412 1Dleviet 1Datalife Engine May 6, 2026 Jun 2, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.
CVE-2013-1397 1Sensiolabs 1Symfony May 6, 2026 Jun 2, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability t...Show more Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.Show less
CVE-2013-1348 1Sensiolabs 1Symfony May 6, 2026 Jun 2, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397.
CVE-2013-5036 1Squash 1Square Squash May 6, 2026 May 27, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers...Show more The Square Squash allows remote attackers to execute arbitrary code via a YAML document in the (1) namespace parameter to the deobfuscation function or (2) sourcemap parameter to the sourcemap function in app/controllers/api/v1_controller.rb.Show less
CVE-2013-0724 1Wpshopstyling 1Wp Ecommerce Shop Styling May 6, 2026 May 27, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in includes/generate-pdf.php in the WP ecommerce Shop Styling plugin for WordPress before 1.8 allows remote attackers to execute arbitrary PHP code via a URL in the dompdf paramete...Show more PHP remote file inclusion vulnerability in includes/generate-pdf.php in the WP ecommerce Shop Styling plugin for WordPress before 1.8 allows remote attackers to execute arbitrary PHP code via a URL in the dompdf parameter.Show less
CVE-2014-2720 1Izarc 1Izarc May 6, 2026 May 27, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct...Show more IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct file-extension spoofing attacks via a modified Central Directory, as demonstrated by unintended code execution prompted by a .jpg extension in the Central Directory and a .exe extension in the local file header.Show less
CVE-2014-2196 1Cisco 1Wide Area Application Services May 6, 2026 May 26, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when SharePoint prefetch optimization is enabled, allows remote SharePoint servers to execute arbitrary code via a malformed response, aka Bug ID CSCue1847...Show more Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when SharePoint prefetch optimization is enabled, allows remote SharePoint servers to execute arbitrary code via a malformed response, aka Bug ID CSCue18479.Show less
CVE-2012-5649 1Apache 1Couchdb May 6, 2026 May 23, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.
CVE-2014-3789 1Cogentdatahub 1Cogent Datahub May 6, 2026 May 22, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 GetPermissions.asp in Cogent Real-Time Systems Cogent DataHub before 7.3.5 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVE-2013-4321 1Typo3 1Typo3 May 6, 2026 May 20, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file....Show more The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250.Show less
CVE-2014-3444 1Realnetworks 1Realplayer May 6, 2026 May 20, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a...Show more The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file.Show less
CVE-2014-3453 1Flag Module Project 1Flag May 6, 2026 May 17, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitra...Show more Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page.Show less
CVE-2014-1613 1Dotclear 1Dotclear May 6, 2026 May 16, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.ph...Show more Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.Show less
CVE-2014-1813 1Microsoft 1Web Applications May 6, 2026 May 14, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 Microsoft Web Applications 2010 SP1 and SP2 allows remote authenticated users to execute arbitrary code via crafted page content, aka "Web Applications Page Content Vulnerability."
CVE-2014-1806 1Microsoft 1.net Framework May 6, 2026 May 14, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors i...Show more The .NET Remoting implementation in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly restrict memory access, which allows remote attackers to execute arbitrary code via vectors involving malformed objects, aka "TypeFilterLevel Vulnerability."Show less
CVE-2014-0251 1Microsoft 8Office Web Apps Server Project ServerSharepoint Designer+5 more May 6, 2026 May 14, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1; SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1; Project Server 2010 SP1 and SP2 and 2013 G...Show more Microsoft Windows SharePoint Services 3.0 SP3; SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1; SharePoint Foundation 2010 SP1 and SP2 and 2013 Gold and SP1; Project Server 2010 SP1 and SP2 and 2013 Gold and SP1; Web Applications 2010 SP1 and SP2; Office Web Apps Server 2013 Gold and SP1; SharePoint Server 2013 Client Components SDK; and SharePoint Designer 2007 SP3, 2010 SP1 and SP2, and 2013 Gold and SP1 allow remote authenticated users to execute arbitrary code via crafted page content, aka "SharePoint Page Content Vulnerability."Show less
CVE-2013-4581 1Gitlab 2Gitlab Gitlab Shell May 6, 2026 May 12, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote attackers to execute arbitrary code via a crafted change using SSH.
CVE-2013-0210 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands.
CVE-2013-0171 1Theforeman 1Foreman May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Foreman before 1.1 allows remote attackers to execute arbitrary code via a crafted YAML object to the (1) fact or (2) report import API.
CVE-2014-2936 1Caldera 1Caldera May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified parameter to (2) PPD/...Show more The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified parameter to (2) PPD/index.php, (3) dirmng/docmd.php, or (4) dirmng/param.php.Show less

Previous 1...230231232...324 Next