Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,456)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2010-4879 1Digitaljunkies 1Dompdf Apr 29, 2026 Oct 7, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in dompdf.php in dompdf 0.6.0 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the input_file parameter.
CVE-2010-4878 1Hinnendahl 1Kontakt Formular Apr 29, 2026 Oct 7, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in formmailer.php in Kontakt Formular 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the script_pfad parameter.
CVE-2011-3981 1Likno 1Allwebmenus Plugin Apr 29, 2026 Oct 4, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in actions.php in the Allwebmenus plugin 1.1.3 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
CVE-2011-0554 1Symantec 1Im Manager Apr 29, 2026 Oct 2, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 The management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "code injection issue."
CVE-2011-3504 1Ffmpeg 1Ffmpeg Apr 29, 2026 Sep 29, 2011 N/A· v4 N/A· v3 9.3 HIGH· v2 The Matroska format decoder in FFmpeg before 0.8.3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file.
CVE-2011-3232 1Mozilla 3Firefox SeamonkeyThunderbird Apr 29, 2026 Sep 29, 2011 N/A· v4 N/A· v3 9.3 HIGH· v2 YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, and SeaMonkey before 2.4, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaS...Show more YARR, as used in Mozilla Firefox before 7.0, Thunderbird before 7.0, and SeaMonkey before 2.4, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted JavaScript.Show less
CVE-2011-3000 1Mozilla 3Firefox SeamonkeyThunderbird Apr 29, 2026 Sep 29, 2011 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, whic...Show more Mozilla Firefox before 3.6.23 and 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not properly handle HTTP responses that contain multiple Location, Content-Length, or Content-Disposition headers, which makes it easier for remote attackers to conduct HTTP response splitting attacks via crafted header values.Show less
CVE-2009-5097 1Hp 1Palm Pre Webos Apr 29, 2026 Sep 13, 2011 N/A· v4 N/A· v3 7.1 HIGH· v2 Palm Pre WebOS 1.1 and earlier processes JavaScript in email messages, which allows remote attackers to execute arbitrary JavaScript, as demonstrated by reading PalmDatabase.db3.
CVE-2009-5095 1Ea Style 1Gbook Apr 29, 2026 Sep 12, 2011 N/A· v4 N/A· v3 6.8 MEDIUM· v2 PHP remote file inclusion vulnerability in index_inc.php in ea gBook 0.1 and 0.1.4 allows remote attackers to execute arbitrary PHP code via a URL in the inc_ordner parameter.
CVE-2011-3186 1Rubyonrails 1Rails Apr 29, 2026 Aug 29, 2011 N/A· v4 N/A· v3 4.3 MEDIUM· v2 CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via t...Show more CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.Show less
CVE-2011-2984 1Mozilla 3Firefox SeamonkeyThunderbird Apr 29, 2026 Aug 18, 2011 N/A· v4 N/A· v3 10.0 HIGH· v2 Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly handle the dropping of a tab element, which allows remote attackers to execute arbitrary JavaScri...Show more Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly handle the dropping of a tab element, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by establishing a content area and registering for drop events.Show less
CVE-2011-2378 1Mozilla 3Firefox SeamonkeyThunderbird Apr 29, 2026 Aug 18, 2011 N/A· v4 N/A· v3 10.0 HIGH· v2 The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, SeaMonkey 2.x, and possibly other products does not properly handle DOM objects, which allows remote attackers to execute arbitrar...Show more The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, SeaMonkey 2.x, and possibly other products does not properly handle DOM objects, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to dereferencing of a "dangling pointer."Show less
CVE-2011-0084 1Mozilla 3Firefox SeamonkeyThunderbird Apr 29, 2026 Aug 18, 2011 N/A· v4 N/A· v3 10.0 HIGH· v2 The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does...Show more The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before 3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions before 6; SeaMonkey 2.x before 2.3; and possibly other products does not properly handle SVG text, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."Show less
CVE-2011-2404 1Hp 1Easy Printer Care Software Apr 29, 2026 Aug 11, 2011 N/A· v4 N/A· v3 7.5 HIGH· v2 A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vect...Show more A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-4786 and CVE-2011-4787.Show less
CVE-2011-3007 1Mcafee 1Saas Endpoint Protection Apr 29, 2026 Aug 10, 2011 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The myCIOScn ActiveX control (myCIOScn.dll) in McAfee SaaS Endpoint Protection 5.2.1 and earlier allows remote attackers to write to arbitrary files by specifying an arbitrary filename in the MyCioScan.Scan.ReportFile pa...Show more The myCIOScn ActiveX control (myCIOScn.dll) in McAfee SaaS Endpoint Protection 5.2.1 and earlier allows remote attackers to write to arbitrary files by specifying an arbitrary filename in the MyCioScan.Scan.ReportFile parameter, as demonstrated by injecting script into a log file and executing arbitrary code using the MyCioScan.Scan.Start method.Show less
CVE-2011-2381 1Mozilla 1Bugzilla Apr 29, 2026 Aug 9, 2011 N/A· v4 N/A· v3 4.3 MEDIUM· v2 CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arb...Show more CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification.Show less
CVE-2011-2964 1Linuxfoundation 1Foomatic Apr 29, 2026 Jul 29, 2011 N/A· v4 N/A· v3 6.8 MEDIUM· v2 foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-26...Show more foomaticrip.c in foomatic-rip in foomatic-filters in Foomatic 4.0.6 allows remote attackers to execute arbitrary code via a crafted FoomaticRIPCommandLine field in a .ppd file, a different vulnerability than CVE-2011-2697.Show less
CVE-2011-2747 1Google 1Picasa Apr 29, 2026 Jul 28, 2011 N/A· v4 N/A· v3 9.3 HIGH· v2 Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file.
CVE-2011-2752 1Squirrelmail 1Squirrelmail Apr 29, 2026 Jul 17, 2011 N/A· v4 N/A· v3 5.8 MEDIUM· v2 CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows remote attackers to modify or add preference values via a \n (newline) character, a different vulnerability than CVE-2010-4555.
CVE-2011-2507 1Phpmyadmin 1Phpmyadmin Apr 29, 2026 Jul 14, 2011 N/A· v4 N/A· v3 6.5 MEDIUM· v2 libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to in...Show more libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array.Show less

Previous 1...249250251...323 Next