Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,414)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2009-1128 1Microsoft 1Office Powerpoint Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to memory corruption,...Show more Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to memory corruption, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1129.Show less
CVE-2009-0225 1Microsoft 1Office Powerpoint Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to improper "array indexing" and memory corrup...Show more Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to improper "array indexing" and memory corruption, aka "PP7 Memory Corruption Vulnerability."Show less
CVE-2009-0224 1Microsoft 7Compatibility Pack Word Excel Powerpoint Office Compatibility Pack For Word Excel Ppt 2007Office Powerpoint+4 more Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; PowerPoint Viewer 2003 and 2007 SP1 and SP2; PowerPoint in Microsoft Office 2004 for Mac and 2008 for Mac; Open XML File Format Converter fo...Show more Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; PowerPoint Viewer 2003 and 2007 SP1 and SP2; PowerPoint in Microsoft Office 2004 for Mac and 2008 for Mac; Open XML File Format Converter for Mac; Microsoft Works 8.5 and 9.0; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly validate PowerPoint files, which allows remote attackers to execute arbitrary code via multiple crafted BuildList records that include ChartBuild containers, which triggers memory corruption, aka "Memory Corruption Vulnerability."Show less
CVE-2009-0223 1Microsoft 1Office Powerpoint Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption,...Show more Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137.Show less
CVE-2009-0222 1Microsoft 1Office Powerpoint Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to a "pointer overwri...Show more Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to a "pointer overwrite" and memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0223, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137.Show less
CVE-2008-6807 1Ibiblio 1Osprey Apr 23, 2026 May 12, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in ListRecords.php in osprey 1.0a4.1 allows remote attackers to execute arbitrary PHP code via a URL in the xml_dir parameter. NOTE: the provenance of this information is unknown;...Show more PHP remote file inclusion vulnerability in ListRecords.php in osprey 1.0a4.1 allows remote attackers to execute arbitrary PHP code via a URL in the xml_dir parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the lib_dir vector is already covered by CVE-2006-6630.Show less
CVE-2009-1551 1Qt Cute 1Quickteam Apr 23, 2026 May 6, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in Qt quickteam 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) qte_web_path parameter to qte_web.php and the (2) qte_root parameter to bin/q...Show more Multiple PHP remote file inclusion vulnerabilities in Qt quickteam 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) qte_web_path parameter to qte_web.php and the (2) qte_root parameter to bin/qte_init.php.Show less
CVE-2009-1469 1Icewarp 2Email Server Webmail Server Apr 23, 2026 May 5, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 CRLF injection vulnerability in the Forgot Password implementation in server/webmail.php in IceWarp eMail Server and WebMail Server before 9.4.2 makes it easier for remote attackers to trick a user into disclosing creden...Show more CRLF injection vulnerability in the Forgot Password implementation in server/webmail.php in IceWarp eMail Server and WebMail Server before 9.4.2 makes it easier for remote attackers to trick a user into disclosing credentials via CRLF sequences preceding a Reply-To header in the subject element of an XML document, as demonstrated by triggering an e-mail message from the server that contains a user's correct credentials, and requests that the user compose a reply that includes this message.Show less
CVE-2009-0720 1Hp 1Openview Network Node Manager Apr 23, 2026 May 5, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via unknown vectors.
CVE-2009-1512 1Keir Davis 1X Forum Apr 23, 2026 May 1, 2009 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Static code injection vulnerability in X-Forum 0.6.2 allows remote authenticated administrators to inject arbitrary PHP code into Config.php via the adminEMail parameter to SaveConfig.php.
CVE-2008-6785 1Galaxyscripts 1Mini File Host Apr 23, 2026 May 1, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Unrestricted file upload vulnerability in Mini File Host 1.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an un...Show more Unrestricted file upload vulnerability in Mini File Host 1.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as demonstrated by creating a name.php file.Show less
CVE-2008-6773 1Peterselie 1Yourplace Apr 23, 2026 Apr 29, 2009 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url...Show more Static code injection vulnerability in user/internettoolbar/edit.php in YourPlace 1.0.2 and earlier allows remote authenticated users to execute arbitrary PHP code into user/internettoolbar/index.php via the (1) fav1_url, (2) fav1_name, (3) fav2_url, (4) fav2_name, (5) fav3_url, (6) fav3_name, (7) fav4_url, (8) fav4_name, (9) fav5_url, or (10) fav5_name parameters.Show less
CVE-2009-1429 1Symantec 5Antivirus Antivirus Central Quarantine ServerClient Security+2 more Apr 23, 2026 Apr 29, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus...Show more The Intel LANDesk Common Base Agent (CBA) in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allows remote attackers to execute arbitrary commands via a crafted packet whose contents are interpreted as a command to be launched in a new process by the CreateProcessA function.Show less
CVE-2009-1463 1Razorcms 1Razorcms Apr 23, 2026 Apr 28, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 Static code injection vulnerability in razorCMS before 0.4 allows remote attackers to inject arbitrary PHP code into any page by saving content as a .php file.
CVE-2009-1452 1Bluevirus Design 1Sma Db Apr 23, 2026 Apr 28, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _...Show more Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript parameters. NOTE: the _page_content vector is already is covered by CVE-2009-1450.Show less
CVE-2008-6761 1China On Site 1Flexcustomer0.0.6 Apr 23, 2026 Apr 28, 2009 N/A· v4 N/A· v3 10.0 HIGH· v2 Static code injection vulnerability in admin/install.php in Flexcustomer 0.0.6 might allow remote attackers to inject arbitrary PHP code into const.inc.php via the installdbname parameter (aka the Database Name field)....Show more Static code injection vulnerability in admin/install.php in Flexcustomer 0.0.6 might allow remote attackers to inject arbitrary PHP code into const.inc.php via the installdbname parameter (aka the Database Name field). NOTE: the installation instructions specify deleting admin/install.php.Show less
CVE-2009-1450 1Bluevirus Design 1Sma Db Apr 23, 2026 Apr 28, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in format.php in SMA-DB 0.3.12 allows remote attackers to execute arbitrary PHP code via a URL in the _page_content parameter.
CVE-2009-1444 1Webportal 1Webportal Cms Apr 23, 2026 Apr 27, 2009 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS 0.8-beta allows remote attackers to execute arbitrary PHP code via a URL in the lib_path parameter.
CVE-2008-6748 1Megacubo 1Megacubo Apr 23, 2026 Apr 24, 2009 N/A· v4 N/A· v3 9.3 HIGH· v2 Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.
CVE-2008-6740 1Homap 1Homap Apr 23, 2026 Apr 21, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.

Previous 1...271272273...321 Next