Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,455)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2009-3114 1Ibm 1Lotus Notes Apr 23, 2026 Sep 9, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 The RSS reader widget in IBM Lotus Notes 8.0 and 8.5 saves items from an RSS feed as local HTML documents, which allows remote attackers to execute arbitrary script in Internet Explorer's Local Machine Zone via a crafted...Show more The RSS reader widget in IBM Lotus Notes 8.0 and 8.5 saves items from an RSS feed as local HTML documents, which allows remote attackers to execute arbitrary script in Internet Explorer's Local Machine Zone via a crafted feed, aka SPR RGAU7RDJ9K.Show less
CVE-2008-7183 1Evacms 1Eva Cms Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 PHP remote file inclusion vulnerability in eva/index.php in EVA CMS 2.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the eva[caminho] parameter to index.php.
CVE-2009-2628 1Vmware 4Ace Movie DecoderPlayer+1 more Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 The VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 build 185404, VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, and VMware ACE 2.5.x before 2.5.3 bui...Show more The VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 build 185404, VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, and VMware ACE 2.5.x before 2.5.3 build 185404 on Windows does not properly handle certain small heights in video content, which might allow remote attackers to execute arbitrary code via a crafted AVI file that triggers heap memory corruption.Show less
CVE-2009-2519 1Microsoft 3Windows 2000 Windows Server 2003Windows Xp Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 The DHTML Editing Component ActiveX control in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly format HTML markup, which allows remote attackers to execute arbitrary code via a crafted w...Show more The DHTML Editing Component ActiveX control in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly format HTML markup, which allows remote attackers to execute arbitrary code via a crafted web site that triggers "system state" corruption, aka "DHTML Editing Component ActiveX Control Vulnerability."Show less
CVE-2009-2499 1Microsoft 8Windows 2000 Windows Media Format RuntimeWindows Media Foundation+5 more Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 8.5 HIGH· v2 Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and Microsoft Media Foundation on Windows Vista Gold, SP1, and SP2 and Server 2008; allows remote attackers to execute arbitrary code via an MP3 file with crafted...Show more Microsoft Windows Media Format Runtime 9.0, 9.5, and 11; and Microsoft Media Foundation on Windows Vista Gold, SP1, and SP2 and Server 2008; allows remote attackers to execute arbitrary code via an MP3 file with crafted metadata that triggers memory corruption, aka "Windows Media Playback Memory Corruption Vulnerability."Show less
CVE-2009-2498 1Microsoft 8Media Foundation Sdk Windows 2000Windows Media Format Runtime+5 more Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Windows Media Format Runtime 9.0, 9.5, and 11 and Windows Media Services 9.1 and 2008 do not properly parse malformed headers in Advanced Systems Format (ASF) files, which allows remote attackers to execute arb...Show more Microsoft Windows Media Format Runtime 9.0, 9.5, and 11 and Windows Media Services 9.1 and 2008 do not properly parse malformed headers in Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted (1) .asf, (2) .wmv, or (3) .wma file, aka "Windows Media Header Parsing Invalid Free Vulnerability."Show less
CVE-2009-1925 1Microsoft 4Windows 2000 Windows Server 2003Windows Server 2008+1 more Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 does not properly manage state information, which allows remote attackers to execute arbitrary code by sending packets...Show more The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 does not properly manage state information, which allows remote attackers to execute arbitrary code by sending packets to a listening service, and thereby triggering misinterpretation of an unspecified field as a function pointer, aka "TCP/IP Timestamps Code Execution Vulnerability."Show less
CVE-2009-1920 1Microsoft 5Windows 2000 Windows Server 2003Windows Server 2008+2 more Apr 23, 2026 Sep 8, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 The JScript scripting engine 5.1, 5.6, 5.7, and 5.8 in JScript.dll in Microsoft Windows, as used in Internet Explorer, does not properly load decoded scripts into memory before execution, which allows remote attackers to...Show more The JScript scripting engine 5.1, 5.6, 5.7, and 5.8 in JScript.dll in Microsoft Windows, as used in Internet Explorer, does not properly load decoded scripts into memory before execution, which allows remote attackers to execute arbitrary code via a crafted web site that triggers memory corruption, aka "JScript Remote Code Execution Vulnerability."Show less
CVE-2009-3065 1Rein Velt 1Vedit Apr 23, 2026 Sep 3, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in editor/edit_htmlarea.php in Ve-EDIT 0.1.4 allows remote attackers to execute arbitrary PHP code via a URL in the highlighter parameter.
CVE-2009-3056 1Bas Bloemsaat 1Kingcms Apr 23, 2026 Sep 3, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in include/engine/content/elements/menu.php in KingCMS 0.6.0 allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[AdminPath] parameter.
CVE-2009-3055 1Dlecms 1Dle Apr 23, 2026 Sep 3, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in engine/api/api.class.php in DataLife Engine (DLE) 8.2 allows remote attackers to execute arbitrary PHP code via a URL in the dle_config_api parameter.
CVE-2008-7152 1Simon Rycroft 1Sid Apr 23, 2026 Sep 1, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple PHP remote file inclusion vulnerabilities in Specimen Image Database (SID), when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) client.php...Show more Multiple PHP remote file inclusion vulnerabilities in Specimen Image Database (SID), when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) client.php or (2) taxonservice.php.Show less
CVE-2009-3019 1Microsoft 1Internet Explorer Apr 23, 2026 Aug 31, 2009 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet Explorer 7 on Vista, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls createElement to create a...Show more Microsoft Internet Explorer 6 on Windows XP SP2 and SP3, and Internet Explorer 7 on Vista, allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls createElement to create an instance of the LI element, and then calls setAttribute to set the value attribute.Show less
CVE-2008-7123 1Zkup 1Zkup Apr 23, 2026 Aug 31, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Static code injection vulnerability in admin/configuration/modifier.php in zKup CMS 2.0 through 2.3 allows remote attackers to inject arbitrary PHP code into fichiers/config.php via a null byte (%00) in the login paramet...Show more Static code injection vulnerability in admin/configuration/modifier.php in zKup CMS 2.0 through 2.3 allows remote attackers to inject arbitrary PHP code into fichiers/config.php via a null byte (%00) in the login parameter in an ajout action, which bypasses the regular expression check.Show less
CVE-2008-7087 1Openpro 1Openpro Apr 23, 2026 Aug 26, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in search_wA.php in OpenPro 1.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the LIBPATH parameter.
CVE-2008-7073 2Ekkaia Rssmodule 2Pie Web Rss Module Apr 23, 2026 Aug 25, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 PHP remote file inclusion vulnerability in lib/action/rss.php in RSS module 0.1 for Pie Web M{a,e}sher, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the lib paramet...Show more PHP remote file inclusion vulnerability in lib/action/rss.php in RSS module 0.1 for Pie Web M{a,e}sher, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the lib parameter.Show less
CVE-2008-7070 1Kvirc 1Kvirc Apr 23, 2026 Aug 25, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Argument injection vulnerability in the URI handler in KVIrc 3.4.2 Shiny allows remote attackers to execute arbitrary commands via a " (quote) followed by command line switches in a (1) irc:///, (2) irc6:///, (3) ircs://...Show more Argument injection vulnerability in the URI handler in KVIrc 3.4.2 Shiny allows remote attackers to execute arbitrary commands via a " (quote) followed by command line switches in a (1) irc:///, (2) irc6:///, (3) ircs:///, or (4) and ircs6:/// URI. NOTE: this might be due to an incomplete fix for CVE-2007-2951.Show less
CVE-2008-7067 1Pagetreecms 1Page Tree Cms Apr 23, 2026 Aug 25, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in admin/plugins/Online_Users/main.php in PageTree CMS 0.0.2 BETA 0001 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[PT_Config][dir][data] paramete...Show more PHP remote file inclusion vulnerability in admin/plugins/Online_Users/main.php in PageTree CMS 0.0.2 BETA 0001 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[PT_Config][dir][data] parameter.Show less
CVE-2008-7042 1Freshscripts 1Fresh Email Script Apr 23, 2026 Aug 24, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in url.php in FreshScripts Fresh Email Script 1.0 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the tmp_sid parameter.
CVE-2008-7034 1Tigran Abrahamyan 1Phpecho Cms Apr 23, 2026 Aug 24, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in kernel/smarty/Smarty.class.php in PHPEcho CMS 2.0 rc3 allows remote attackers to execute arbitrary PHP code via a URL in unspecified vectors that modify the _smarty_compile_path...Show more PHP remote file inclusion vulnerability in kernel/smarty/Smarty.class.php in PHPEcho CMS 2.0 rc3 allows remote attackers to execute arbitrary PHP code via a URL in unspecified vectors that modify the _smarty_compile_path variable in the fetch function.Show less

Previous 1...268269270...323 Next