Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,459)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2012-5836 4Canonical MozillaOpensuse+1 more 8Firefox Linux Enterprise DesktopLinux Enterprise Server+5 more Apr 29, 2026 Nov 21, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving the setting of Casca...Show more Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving the setting of Cascading Style Sheets (CSS) properties in conjunction with SVG text.Show less
CVE-2012-5777 1Phome 1Empirecms Apr 29, 2026 Nov 16, 2012 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Eval injection vulnerability in the ReplaceListVars function in the template parser in e/class/connect.php in EmpireCMS 6.6 allows user-assisted remote attackers to execute arbitrary PHP code via a crafted template.
CVE-2012-4884 1Bestpractical 1Rt Apr 29, 2026 Nov 11, 2012 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG client.
CVE-2012-2971 - - Apr 29, 2026 Oct 20, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request.
CVE-2012-2290 1Emc 1Networker Module For Microsoft Applications Apr 29, 2026 Oct 18, 2012 N/A· v4 N/A· v3 9.3 HIGH· v2 The client in EMC NetWorker Module for Microsoft Applications (NMM) 2.2.1, 2.3 before build 122, and 2.4 before build 375 allows remote attackers to execute arbitrary code by sending a crafted message over a TCP communic...Show more The client in EMC NetWorker Module for Microsoft Applications (NMM) 2.2.1, 2.3 before build 122, and 2.4 before build 375 allows remote attackers to execute arbitrary code by sending a crafted message over a TCP communication channel.Show less
CVE-2012-0182 1Microsoft 1Word Apr 29, 2026 Oct 9, 2012 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Word 2007 SP2 and SP3 does not properly handle memory during the parsing of Word documents, which allows remote attackers to execute arbitrary code via a crafted document, aka "Word PAPX Section Corruption Vuln...Show more Microsoft Word 2007 SP2 and SP3 does not properly handle memory during the parsing of Word documents, which allows remote attackers to execute arbitrary code via a crafted document, aka "Word PAPX Section Corruption Vulnerability."Show less
CVE-2011-4342 1Backwpup 1Backwpup Apr 29, 2026 Oct 8, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.
CVE-2011-4639 1Spamtitan 1Webtitan Apr 29, 2026 Oct 8, 2012 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The (1) Traceroute and (2) Ping implementations in tools.php in SpamTitan WebTitan before 3.60 allow remote authenticated users to execute arbitrary commands via shell metacharacters in an argument, as demonstrated by an...Show more The (1) Traceroute and (2) Ping implementations in tools.php in SpamTitan WebTitan before 3.60 allow remote authenticated users to execute arbitrary commands via shell metacharacters in an argument, as demonstrated by an && (ampersand ampersand) sequence.Show less
CVE-2012-5304 1Yuriy V Semenikhin 1Yvs Image Gallery Apr 29, 2026 Oct 6, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Static code injection vulnerability in administration/install.php in YVS Image Gallery allows remote attackers to inject arbitrary PHP code into functions/db_connect.php via unspecified vectors. NOTE: this is only a vul...Show more Static code injection vulnerability in administration/install.php in YVS Image Gallery allows remote attackers to inject arbitrary PHP code into functions/db_connect.php via unspecified vectors. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation.Show less
CVE-2011-4932 1Impresspages 1Impresspages Cms Apr 29, 2026 Oct 6, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Eval injection vulnerability in ip_cms/modules/standard/content_management/actions.php in ImpressPages CMS 1.0.12 and possibly other versons before 1.0.13 allows remote attackers to execute arbitrary code via the cm_grou...Show more Eval injection vulnerability in ip_cms/modules/standard/content_management/actions.php in ImpressPages CMS 1.0.12 and possibly other versons before 1.0.13 allows remote attackers to execute arbitrary code via the cm_group parameter.Show less
CVE-2012-5293 1Redgraphic 1Sapid Cms Apr 29, 2026 Oct 4, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in SAPID CMS 1.2.3 Stable allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[root_path] parameter to usr/extensions/get_tree.inc.php or (2...Show more Multiple PHP remote file inclusion vulnerabilities in SAPID CMS 1.2.3 Stable allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[root_path] parameter to usr/extensions/get_tree.inc.php or (2) root_path parameter to usr/extensions/get_infochannel.inc.php.Show less
CVE-2012-5231 1Jessgramp 1Minicms Apr 29, 2026 Oct 1, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing f...Show more miniCMS 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code via a crafted (1) pagename or (2) area variable containing an executable extension, which is not properly handled by (a) update.php when writing files to content/, or (b) updatenews.php when writing files to content/news/.Show less
CVE-2012-5224 1Vbadvanced 1Vbadvanced Cmps Apr 29, 2026 Oct 1, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in vb/includes/vba_cmps_include_bottom.php in vBadvanced CMPS 3.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pages[template] parameter.
CVE-2012-5223 1Crawlability 1Vbseo Apr 29, 2026 Oct 1, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_...Show more The proc_deutf function in includes/functions_vbseocp_abstract.php in vBSEO 3.5.0, 3.5.1, 3.5.2, 3.6.0, and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch.Show less
CVE-2012-4427 1Gnome 1Gnome Shell Apr 29, 2026 Oct 1, 2012 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force the download and installation of arbitrary extensions from extensions.gnome.org via a crafted web page.
CVE-2012-4017 1Jb+ 1Jigbrowser+ Apr 29, 2026 Sep 28, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The jigbrowser+ application before 1.5.0 for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.
CVE-2012-5159 1Phpmyadmin 1Phpmyadmin Apr 29, 2026 Sep 25, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers t...Show more phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.Show less
CVE-2012-0209 1Horde 2Groupware Horde Apr 29, 2026 Sep 25, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/...Show more Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.Show less
CVE-2012-1625 1Wizonesolutions 1Fillpdf Apr 29, 2026 Sep 20, 2012 N/A· v4 N/A· v3 6.0 MEDIUM· v2 Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with adm...Show more Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information.Show less
CVE-2012-4869 1Sangoma 1Freepbx Apr 29, 2026 Sep 6, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

Previous 1...240241242...323 Next