Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,459)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-1899 2Canonical Postgresql 2Postgresql Ubuntu Linux Apr 29, 2026 Apr 4, 2013 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users...Show more Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).Show less
CVE-2013-2617 1Curl Project 1Curl Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-2616 1Rubygems 1Mini Magick Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-2615 1Rubygems 1Fastreader Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-1875 1Rubygems 1Command Wrap Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
CVE-2013-2549 1Adobe 1Acrobat Reader Apr 29, 2026 Mar 11, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSec...Show more Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.Show less
CVE-2013-0912 1Google 1Chrome Apr 29, 2026 Mar 11, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 WebKit in Google Chrome before 25.0.1364.160 allows remote attackers to execute arbitrary code via vectors that leverage "type confusion."
CVE-2013-1762 1Stunnel 1Stunnel Apr 29, 2026 Mar 8, 2013 N/A· v4 N/A· v3 6.6 MEDIUM· v2 stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted r...Show more stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow.Show less
CVE-2013-1491 1Oracle 2Jdk Jre Apr 29, 2026 Mar 8, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code v...Show more The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013.Show less
CVE-2013-1488 1Oracle 2Jdk Jre Apr 29, 2026 Mar 8, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "imp...Show more The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.Show less
CVE-2013-0401 1Oracle 2Jdk Jre Apr 29, 2026 Mar 8, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via v...Show more The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.Show less
CVE-2012-4840 1Ibm 1Cognos Business Intelligence Apr 29, 2026 Mar 5, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows remote attackers to conduct XPath injection attacks, and call XPath extension functions, via unspecif...Show more IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows remote attackers to conduct XPath injection attacks, and call XPath extension functions, via unspecified vectors.Show less
CVE-2013-0108 1Honeywell 3Comfortpoint Open Manager Station Enterprise Buildings IntegratorSymmetre Apr 29, 2026 Feb 24, 2013 N/A· v4 N/A· v3 6.8 MEDIUM· v2 An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HM...Show more An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.Show less
CVE-2012-4707 13s Software 1Codesys Gateway Server Apr 29, 2026 Feb 24, 2013 N/A· v4 N/A· v3 10.0 HIGH· v2 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via vectors that trigger an out-of-bounds memory access.
CVE-2012-0439 1Novell 1Groupwise Apr 29, 2026 Feb 24, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2)...Show more An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2) an XPItem pointer argument to an unspecified method.Show less
CVE-2013-0077 1Microsoft 4Windows Server 2003 Windows Server 2008Windows Vista+1 more Apr 29, 2026 Feb 13, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Quartz.dll in DirectShow in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via crafted media content in (1) a media file, (2) a media s...Show more Quartz.dll in DirectShow in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via crafted media content in (1) a media file, (2) a media stream, or (3) a Microsoft Office document, aka "Media Decompression Vulnerability."Show less
CVE-2013-1638 1Opera 1Opera Browser Apr 29, 2026 Feb 8, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Opera before 12.13 allows remote attackers to execute arbitrary code via crafted clipPaths in an SVG document.
CVE-2013-1637 1Opera 1Opera Browser Apr 29, 2026 Feb 8, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Opera before 12.13 allows remote attackers to execute arbitrary code via vectors involving DOM events.
CVE-2013-0758 5Canonical MozillaOpensuse+2 more 14Enterprise Linux Desktop Enterprise Linux EusEnterprise Linux Server+11 more Apr 29, 2026 Jan 13, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers...Show more Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 10.x before 10.0.12 and 17.x before 17.0.2, and SeaMonkey before 2.15 allow remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging improper interaction between plugin objects and SVG elements.Show less
CVE-2013-0745 4Canonical MozillaOpensuse+1 more 9Firefox Linux Enterprise DesktopLinux Enterprise Server+6 more Apr 29, 2026 Jan 13, 2013 N/A· v4 N/A· v3 9.3 HIGH· v2 The AutoWrapperChanger class in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly interact with garbag...Show more The AutoWrapperChanger class in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not properly interact with garbage collection, which allows remote attackers to execute arbitrary code via a crafted HTML document referencing JavaScript objects.Show less

Previous 1...238239240...323 Next