Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,460)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-3906 1Microsoft 8Excel Viewer LyncOffice+5 more Apr 22, 2026 Nov 6, 2013 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execu...Show more GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.Show less
CVE-2013-4438 1Saltstack 1Salt Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already...Show more Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.Show less
CVE-2013-6366 1Vmware 1Hyperic Hq Apr 29, 2026 Nov 4, 2013 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote authenticated administrators to execute arbitrary code via a Runtime.getRuntime().exec call.
CVE-2013-6349 1Mcafee 1Email Gateway Apr 29, 2026 Nov 2, 2013 N/A· v4 N/A· v3 8.5 HIGH· v2 McAfee Email Gateway (MEG) 7.0 before 7.0.4 and 7.5 before 7.5.1 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
CVE-2013-3631 1Nas4free 1Nas4free Apr 29, 2026 Nov 2, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced \| Execute Command" feature. NOTE: this issue might not be a vulnerability, si...Show more NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced \| Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.Show less
CVE-2013-3630 1Moodle 1Moodle Apr 29, 2026 Nov 1, 2013 N/A· v4 N/A· v3 4.6 MEDIUM· v2 Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
CVE-2013-2208 1Andreas Krennmair 1Tpp Apr 29, 2026 Oct 28, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 tpp 1.3.1 allows remote attackers to execute arbitrary commands via a --exec command in a TPP template file.
CVE-2013-4957 1Puppet 1Puppet Enterprise Apr 29, 2026 Oct 25, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type.
CVE-2013-3244 1Sap 1Erp Central Component Apr 29, 2026 Oct 24, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB function in the Project System (PS-IS) module for SAP ERP Central Component (ECC) allow remote attackers to execute arbitrary code via a (1) RFC or (2...Show more Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB function in the Project System (PS-IS) module for SAP ERP Central Component (ECC) allow remote attackers to execute arbitrary code via a (1) RFC or (2) SOAP-RFC request.Show less
CVE-2013-6025 1Sybase 1Adaptive Server Enterprise Apr 29, 2026 Oct 19, 2013 N/A· v4 N/A· v3 4.0 MEDIUM· v2 The XMLParse procedure in SAP Sybase Adaptive Server Enterprise (ASE) 15.7 ESD 2 allows remote authenticated users to read arbitrary files via a SQL statement containing an XML document with an external entity declaratio...Show more The XMLParse procedure in SAP Sybase Adaptive Server Enterprise (ASE) 15.7 ESD 2 allows remote authenticated users to read arbitrary files via a SQL statement containing an XML document with an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.Show less
CVE-2013-4830 1Hp 1Service Manager Apr 29, 2026 Oct 16, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 HP Service Manager 9.30 through 9.32 allows remote attackers to execute arbitrary code via an unspecified "injection" approach.
CVE-2013-4203 1Richard Cook 1Rgpg Apr 29, 2026 Oct 11, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
CVE-2013-5325 1Adobe 2Acrobat Acrobat Reader Apr 29, 2026 Oct 9, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Adobe Reader and Acrobat 11.x before 11.0.05 on Windows allow remote attackers to execute arbitrary JavaScript code in a javascript: URL via a crafted PDF document.
CVE-2013-3894 1Microsoft 8Windows 7 Windows 8Windows Rt+5 more Apr 29, 2026 Oct 9, 2013 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow remote atta...Show more The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow remote attackers to execute arbitrary code via a crafted CMAP table in a TrueType font (TTF) file, aka "TrueType Font CMAP Table Vulnerability."Show less
CVE-2013-3200 1Microsoft 8Windows 7 Windows 8Windows Rt+5 more Apr 29, 2026 Oct 9, 2013 N/A· v4 N/A· v3 7.2 HIGH· v2 The USB drivers in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows R...Show more The USB drivers in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Windows USB Descriptor Vulnerability."Show less
CVE-2013-4330 1Apache 1Camel Apr 29, 2026 Oct 4, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (...Show more Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName message header to a (1) FILE or (2) FTP producer.Show less
CVE-2013-6009 1Open Xchange 1Open Xchange Appsuite Apr 29, 2026 Oct 3, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/...Show more CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/defer servlet.Show less
CVE-2013-0689 2Emerson Enea 4Dl 8000 Remote Terminal Unit OseRoc 800 Remote Terminal Unit+1 more Apr 29, 2026 Oct 3, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The TFTP server on the Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to upload fil...Show more The TFTP server on the Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to upload files and consequently execute arbitrary code via unspecified vectors.Show less
CVE-2013-5942 1Graphite Project 1Graphite Apr 29, 2026 Sep 27, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/...Show more Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093.Show less
CVE-2013-5093 1Graphite Project 1Graphite Apr 29, 2026 Sep 27, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized ob...Show more The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.Show less

Previous 1...234235236...323 Next