Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,413)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2008-5066 1Agaresmedia 1Themesitescript Apr 23, 2026 Nov 13, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 PHP remote file inclusion vulnerability in upload/admin/frontpage_right.php in Agares Media ThemeSiteScript 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the loadadminpage parameter.
CVE-2008-5063 1Otmanager 1Otmanager Apr 23, 2026 Nov 13, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 PHP remote file inclusion vulnerability in Admin/ADM_Pagina.php in OTManager 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the Tipo parameter.
CVE-2008-5060 1Modernbill 1Modernbill Apr 23, 2026 Nov 13, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the DIR parameter to (1) export_batch.inc.php, (2) run_auto_suspend.cron....Show more Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the DIR parameter to (1) export_batch.inc.php, (2) run_auto_suspend.cron.php, and (3) send_email_cache.php in include/scripts/; (4) include/misc/mod_2checkout/2checkout_return.inc.php; and (5) include/html/nettools.popup.php, different vectors than CVE-2006-4034 and CVE-2005-1054.Show less
CVE-2008-5053 1Joomla 1Com Rssreader Apr 23, 2026 Nov 13, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site...Show more PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.Show less
CVE-2008-5015 1Mozilla 1Firefox Apr 23, 2026 Nov 13, 2008 N/A· v4 N/A· v3 5.1 MEDIUM· v2 Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrar...Show more Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrary JavaScript with chrome privileges via malicious code in a file that has already been saved on the local system.Show less
CVE-2008-4387 2Sap Simba Technologies 2Mdrmsap Activex Control Sapgui Apr 23, 2026 Nov 10, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 Unspecified vulnerability in the Simba MDrmSap ActiveX control in mdrmsap.dll in SAP SAPgui allows remote attackers to execute arbitrary code via unknown vectors involving instantiation by Internet Explorer.
CVE-2008-4911 1Chattaitaliano 1Istant Replay Apr 23, 2026 Nov 4, 2008 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in read.php in Chattaitaliano Istant-Replay allows remote attackers to execute arbitrary PHP code via a URL in the data parameter.
CVE-2008-4810 1Smarty 1Smarty Apr 23, 2026 Oct 31, 2008 N/A· v4 N/A· v3 7.5 HIGH· v2 The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka...Show more The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.Show less
CVE-2008-4798 1Webgui 1Webgui Apr 23, 2026 Oct 30, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 The loadModule function in lib/WebGUI/Asset.pm in WebGUI before 7.5.30 (stable) allows remote attackers to execute arbitrary code by uploading a Perl module and accessing it via a crafted URL.
CVE-2008-4735 1Coastal 1Coast Apr 23, 2026 Oct 24, 2008 N/A· v4 N/A· v3 8.5 HIGH· v2 PHP remote file inclusion vulnerability in header.php in Concord Asset, Software, and Ticket system (CoAST) 0.95 allows remote attackers to execute arbitrary PHP code via a URL in the sections_file parameter.
CVE-2008-4250 1Microsoft 5Windows 2000 Windows Server 2003Windows Server 2008+2 more May 21, 2026 Oct 23, 2008 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that...Show more The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."Show less
CVE-2008-4720 1Arzdev 1Gemini Portal Apr 23, 2026 Oct 23, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category....Show more Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.Show less
CVE-2008-4719 1Openengine 1Openengine Apr 23, 2026 Oct 23, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 PHP remote file inclusion vulnerability in cms/classes/openengine/filepool.php in openEngine 2.0 beta2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the oe_classpat...Show more PHP remote file inclusion vulnerability in cms/classes/openengine/filepool.php in openEngine 2.0 beta2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the oe_classpath parameter, a different vector than CVE-2008-4329.Show less
CVE-2008-4704 1Mitre 1Sezhoo Apr 23, 2026 Oct 23, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 PHP remote file inclusion vulnerability in SezHooTabsAndActions.php in SezHoo 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the IP parameter.
CVE-2008-4687 1Mantis 1Mantis Apr 23, 2026 Oct 22, 2008 N/A· v4 N/A· v3 9.0 HIGH· v2 manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function...Show more manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.Show less
CVE-2008-4673 1Webbiscuits 1Events Calendar Apr 23, 2026 Oct 22, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 PHP remote file inclusion vulnerability in panel/common/theme/default/header_setup.php in WebBiscuits Software Events Calendar 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the (1) path[docroot]...Show more PHP remote file inclusion vulnerability in panel/common/theme/default/header_setup.php in WebBiscuits Software Events Calendar 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the (1) path[docroot] and (2) component parameters.Show less
CVE-2008-4645 1Phpwebgallery 1Phpwebgallery Apr 23, 2026 Oct 22, 2008 N/A· v4 N/A· v3 9.0 HIGH· v2 plugins/event_tracer/event_list.php in PhpWebGallery 1.7.2 and earlier allows remote authenticated administrators to execute arbitrary PHP code via PHP sequences in the sort parameter, which is processed by create_functi...Show more plugins/event_tracer/event_list.php in PhpWebGallery 1.7.2 and earlier allows remote authenticated administrators to execute arbitrary PHP code via PHP sequences in the sort parameter, which is processed by create_function.Show less
CVE-2008-4624 1Ftrsoft 1Fast Click Sql Lite Apr 23, 2026 Oct 21, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 PHP remote file inclusion vulnerability in init.php in Fast Click SQL Lite 1.1.7, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the CFG[CDIR] parameter.
CVE-2008-4557 1Cutephp 1Cutenews Apr 23, 2026 Oct 14, 2008 N/A· v4 N/A· v3 10.0 HIGH· v2 plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text parameter, which is inserted into an executable regular expression.
CVE-2008-4385 1Systemrequirementslab 1System Requirements Lab Apr 23, 2026 Oct 14, 2008 N/A· v4 N/A· v3 9.3 HIGH· v2 Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs via by specifiying a malicious website argument to the Init m...Show more Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs via by specifiying a malicious website argument to the Init method in (1) a certain ActiveX control (sysreqlab2.cab, sysreqlab.dll, sysreqlabsli.dll, or sysreqlab2.dll) and (2) a certain Java applet in RLApplet.class in sysreqlab2.jar or sysreqlab.jar.Show less

Previous 1...279280281...321 Next