Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,460)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-5369 1Ibm 1Spss Analytical Decision Management Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 IBM SPSS Analytical Decision Management 6.1 before IF1, 6.2 before IF1, and 7.0 before FP1 IF6 might allow remote attackers to execute arbitrary code by deploying and accessing a service.
CVE-2013-5674 1Moodle 1Moodle Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via...Show more badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.Show less
CVE-2013-4813 1Hp 2Identity Driven Manager Procurve Manager Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZD...Show more The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745.Show less
CVE-2013-4810 1Hp 2Application Lifecycle Management Procurve Manager Apr 21, 2026 Sep 16, 2013 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvoke...Show more HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.Show less
CVE-2013-4338 1Wordpress 1Wordpress Apr 29, 2026 Sep 12, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations...Show more wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.Show less
CVE-2013-0810 1Microsoft 4Windows Server 2003 Windows Server 2008Windows Vista+1 more Apr 29, 2026 Sep 11, 2013 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers to execute arbitrary code via a crafted screensaver in a theme file, aka "Windows Theme Fil...Show more Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers to execute arbitrary code via a crafted screensaver in a theme file, aka "Windows Theme File Remote Code Execution Vulnerability."Show less
CVE-2013-2582 1Open Xchange 2Open Xchange Appsuite Open Xchange Server Apr 29, 2026 Sep 5, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP...Show more CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization of whitespace characters.Show less
CVE-2013-1647 1Open Xchange 1Open Xchange Server Apr 29, 2026 Sep 5, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting...Show more Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs.Show less
CVE-2013-5647 1Adam Zaninovich 1Sounder Apr 29, 2026 Aug 29, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
CVE-2013-2035 1Redhat 1Hawtjni Apr 29, 2026 Aug 28, 2013 N/A· v4 N/A· v3 4.4 MEDIUM· v2 Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwri...Show more Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.Show less
CVE-2013-4172 1Redhat 1Cloudforms Management Engine Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 8.5 HIGH· v2 The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.
CVE-2013-3373 1Bestpractical 1Rt Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
CVE-2013-1435 1Cacti 1Cacti Apr 29, 2026 Aug 23, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
CVE-2013-2802 1Sixnet 2Rtu Firmware Udr Apr 29, 2026 Aug 21, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The universal protocol implementation in Sixnet UDR before 2.0 and RTU firmware before 4.8 allows remote attackers to execute arbitrary code; read, modify, or create files; or obtain file metadata via function opcodes.
CVE-2013-2161 2Openstack Opensuse 4Folsom GrizzlyHavana+1 more Apr 29, 2026 Aug 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.
CVE-2013-2121 2Redhat Theforeman 2Foreman Openstack Apr 29, 2026 Jul 31, 2013 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller...Show more Eval injection vulnerability in the create method in the Bookmarks controller in Foreman before 1.2.0-RC2 allows remote authenticated users with permissions to create bookmarks to execute arbitrary code via a controller name attribute.Show less
CVE-2013-3402 1Cisco 1Unified Communications Manager Apr 29, 2026 Jul 18, 2013 N/A· v4 N/A· v3 6.5 MEDIUM· v2 An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440.
CVE-2013-2135 1Apache 1Struts Apr 29, 2026 Jul 16, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
CVE-2013-2134 1Apache 1Struts Apr 29, 2026 Jul 16, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-20...Show more Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.Show less
CVE-2013-1777 2Apache Ibm 2Geronimo Websphere Application Server Apr 29, 2026 Jul 11, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which a...Show more The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.Show less

Previous 1...235236237...323 Next