Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,461)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2014-2558 1Skyphe 1File Gallery May 6, 2026 May 6, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/option...Show more The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function.Show less
CVE-2013-7034 1Livezilla 1Livezilla May 6, 2026 May 5, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The setCookieValue function in _lib/functions.global.inc.php in LiveZilla before 5.1.2.1 allows remote attackers to execute arbitrary PHP code via a serialized PHP object in a cookie.
CVE-2014-2170 1Cisco 2Telepresence Tc Software Telepresence Te Software May 6, 2026 May 2, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tc...Show more Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202.Show less
CVE-2013-7284 1Malcolm Nooning 1Pirpc May 6, 2026 Apr 29, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized.
CVE-2014-2996 1Xcloner 1Xcloner May 6, 2026 Apr 25, 2014 N/A· v4 N/A· v3 7.1 HIGH· v2 XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a gen...Show more XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have the privileges to execute code. NOTE: this can be leveraged by remote attackers using CVE-2014-2579.Show less
CVE-2014-2909 1Siemens 6Simatic S7 Cpu 1211c Simatic S7 Cpu 1200 FirmwareSimatic S7 Cpu 1212c+3 more May 6, 2026 Apr 25, 2014 N/A· v4 N/A· v3 5.8 MEDIUM· v2 CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors.
CVE-2014-0472 2Canonical Djangoproject 2Django Ubuntu Linux May 6, 2026 Apr 23, 2014 N/A· v4 N/A· v3 5.1 MEDIUM· v2 The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leverag...Show more The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."Show less
CVE-2013-6469 1Redhat 2Jboss Fuse Service Works Jboss Overlord Run Time Governance May 6, 2026 Apr 22, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained f...Show more JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained from third party information.Show less
CVE-2014-2921 1Pimcore 1Pimcore May 6, 2026 Apr 21, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote at...Show more The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.Show less
CVE-2014-0111 1Apache 1Syncope May 6, 2026 Apr 17, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templ...Show more Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links of resource mappings."Show less
CVE-2014-2866 1Paperthin 1Commonspot Content Server May 6, 2026 Apr 15, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code.
CVE-2013-7362 1Sap 1Ccms Agent May 6, 2026 Apr 10, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors.
CVE-2013-6468 1Redhat 3Jboss Bpm Suite Jboss DroolsJboss Enterprise Brms Platform May 6, 2026 Apr 10, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expressio...Show more JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression.Show less
CVE-2014-1716 3Debian GoogleOpensuse 3Chrome Debian LinuxOpensuse May 6, 2026 Apr 9, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via...Show more Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."Show less
CVE-2014-1691 1Horde 1Horde Application Framework May 6, 2026 Apr 1, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in th...Show more The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.Show less
CVE-2013-3998 1Ibm 1Infosphere Biginsights May 6, 2026 Mar 26, 2014 N/A· v4 N/A· v3 3.5 LOW· v2 CRLF injection vulnerability in the Web Application Enterprise Console in IBM InfoSphere BigInsights 1.1 and 2.x before 2.1 FP2 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response...Show more CRLF injection vulnerability in the Web Application Enterprise Console in IBM InfoSphere BigInsights 1.1 and 2.x before 2.1 FP2 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.Show less
CVE-2014-1979 1Nttdocomo 1Spmode Mail Android May 6, 2026 Mar 19, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in a...Show more The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in an e-mail message.Show less
CVE-2014-0057 1Redhat 2Cloudforms Cloudforms 3.0 Management Engine May 6, 2026 Mar 18, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.
CVE-2013-1850 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Mar 14, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP c...Show more Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.Show less
CVE-2013-6943 1Citrix 1Netscaler Application Delivery Controller Firmware May 6, 2026 Mar 11, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and W...Show more Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and Web management usernames.Show less

Previous 1...231232233...324 Next