Skip to main content

Code Injection

4843 CVEs technique

Monthly

CVE-2026-26194 Go HIGH POC PATCH This Week

Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.

Code Injection Gogs Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-11143 Maven LOW PATCH Monitor

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. [CVSS 3.7 LOW]

Code Injection Jetty
NVD GitHub HeroDevs VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-28134 HIGH This Week

Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.

Code Injection RCE
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-27984 CRITICAL Act Now

Code injection in Widget Options WordPress plugin.

Code Injection RCE
NVD
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-22390 CRITICAL Act Now

Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).

WordPress Code Injection RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-2835 Cargo CRITICAL PATCH Act Now

HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2833 Cargo CRITICAL PATCH Act Now

HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-29086 npm MEDIUM PATCH This Month

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional cookie attributes if untrusted input was passed into the (CVSS 5.4).

Code Injection Hono
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-29085 npm MEDIUM PATCH This Month

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within the same event frame if untrusted inpu (CVSS 6.5).

Code Injection Hono
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-41257 MEDIUM This Month

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise. [CVSS 4.8 MEDIUM]

Code Injection
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-23810 MEDIUM This Month

Arubaos contains a vulnerability that allows attackers to redirect intercepted traffic to facilitate machine-in-the-middle (MitM) attacks (CVSS 4.3).

Code Injection Arubaos
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23808 MEDIUM This Month

Malicious actors can install unauthorized Group Temporal Keys on ArubaOS wireless clients through a standardized roaming protocol vulnerability, enabling frame injection and network segmentation bypass. An attacker positioned on the local network could leverage this to intercept traffic, bypass client isolation, and compromise network integrity and confidentiality. No patch is currently available.

RCE Code Injection Arubaos
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27443 HIGH This Week

SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME message headers, enabling attackers to forge or manipulate email headers and bypass trust mechanisms without authentication. This allows adversaries to spoof trusted senders or inject malicious headers into encrypted messages, potentially facilitating phishing and social engineering attacks. No patch is currently available for affected installations.

Code Injection Seppmail
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3204 CRITICAL Act Now

Input validation flaw in Devolutions Server error message page enables remote spoofing attacks.

Code Injection Devolutions Server
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2023-31044 LOW Monitor

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. [CVSS 2.0 LOW]

RCE Code Injection Impact Mobile
NVD
CVSS 3.1
2.0
EPSS
0.0%
CVE-2026-21853 HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-3132 HIGH This Week

Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 is affected by code injection (CVSS 8.8).

WordPress RCE Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26720 CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-3409 MEDIUM This Month

Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. No patch is currently available from the vendor.

Code Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-3395 MEDIUM PATCH This Month

Maxsite Cms versions up to 109.1. contains a vulnerability that allows attackers to code injection (CVSS 7.3).

PHP Code Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-28425 PHP HIGH PATCH This Week

Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.

RCE Code Injection Statamic
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-28421 MEDIUM POC PATCH This Month

Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.

Code Injection Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2018-25160 MEDIUM This Month

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. [CVSS 6.5 MEDIUM]

Code Injection Http
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27810 MEDIUM POC This Month

HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject arbitrary headers through an unsanitized query parameter, potentially enabling cache poisoning, session fixation, or credential theft attacks. Any authenticated user can exploit this vulnerability directly or via social engineering, affecting all instances with authentication enabled. Public exploit code exists and no patch is currently available.

Code Injection Calibre Suse
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-21658 CRITICAL Act Now

Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.

RCE Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-21657 CRITICAL Act Now

Second code injection vulnerability in Johnson Controls Frick Controls Quantum HD. Separate attack vector from CVE-2026-21656, same critical impact on industrial refrigeration control.

Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21656 CRITICAL Act Now

Code injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote code execution on industrial refrigeration systems. Second critical vulnerability in the Quantum HD product line.

Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28370 PyPI CRITICAL POC PATCH Act Now

Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.

RCE Code Injection Authentication Bypass Vitrage
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28219 MEDIUM This Month

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.

Code Injection Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-26938 HIGH This Week

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem, and perform Server-Side (CVSS 8.6).

SSRF Code Injection Kibana
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-1698 MEDIUM This Month

PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler authentication endpoints, allowing unauthenticated remote attackers to manipulate server behavior and potentially conduct phishing or cache poisoning attacks. The vulnerability affects the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout endpoints, with the ability to inject malicious payloads that could lead to information disclosure or data modification. Currently no patch is available for this medium-severity issue.

Code Injection Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-27961 PyPI HIGH PATCH This Week

Authenticated attackers can execute arbitrary code on Agenta API servers through server-side template injection in the evaluator template rendering functionality, affecting self-hosted and managed platform deployments prior to version 0.86.8. The vulnerability requires valid credentials but allows complete compromise of the affected server with high confidentiality, integrity, and availability impact. Organizations running Agenta should upgrade to version 0.86.8 or later immediately.

Code Injection AI / ML Agenta
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27959 npm HIGH POC PATCH This Week

Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.

Node.js Koa Code Injection
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27837 npm MEDIUM POC PATCH This Month

Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. Public exploit code exists and a patch is available in version 2.0.7.

Code Injection Dottie Red Hat
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-27830 Maven HIGH PATCH This Week

Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.

Java Deserialization Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-27577 npm CRITICAL PATCH Act Now

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.

RCE Code Injection Command Injection Node.js N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-27495 npm CRITICAL PATCH Act Now

Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.

Code Injection RCE AI / ML N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27607 Cargo HIGH PATCH This Week

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.

Code Injection Rustfs
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-27642 HIGH POC PATCH This Week

Remote attackers can inject control characters into the SUPI parameter of free5GC UDM versions up to 1.4.1, causing URL parsing failures that leak sensitive system error details and enable service fingerprinting. Public exploit code exists for this vulnerability affecting the Nudm_UEAU service across all vulnerable deployments. A patch is available and should be applied immediately, as no application-level workaround exists.

Code Injection Udm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25797 NuGet MEDIUM PATCH This Month

Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.

RCE Code Injection Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-21864 MEDIUM PATCH This Month

Denial of service in Valkey-Bloom module allows authenticated attackers to crash the Valkey server by sending a specially crafted RESTORE command that triggers an unhandled assertion. The vulnerability exists because the module failed to set the IO_ERRORS flag during RDB parsing, causing the server to shut down instead of gracefully handling the malformed input. A security patch is available, and administrators can mitigate the issue by disabling the RESTORE command if not required.

Code Injection Valkey Bloom
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-9120 This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. The vulnerability could be exploited through an open port, potentially allowing unauthorized access.

Code Injection
NVD
EPSS
0.0%
CVE-2025-69251 MEDIUM POC PATCH This Month

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 5.3 MEDIUM]

Code Injection Udm
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69250 HIGH POC PATCH This Week

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 7.5 HIGH]

Code Injection Udm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22568 MEDIUM This Month

Zscaler Internet Access Admin Portal contains an input validation flaw that enables authenticated administrators to retrieve sensitive internal information through specially crafted requests in specific configurations. The vulnerability requires high-level admin privileges and does not impact confidentiality or availability broadly, though it poses a risk in multi-tenant environments where privilege boundaries matter. Currently, no patch is available.

Code Injection Zscaler Internet Access Admin Portal
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-22567 HIGH This Week

Zscaler Internet Access Admin Portal allows authenticated administrators to execute arbitrary backend functions through insufficient input validation in the web UI. This high-severity vulnerability requires administrative privileges and currently lacks a patch, limiting exposure but leaving affected organizations vulnerable until remediation is available. An attacker with admin credentials could bypass intended restrictions to perform unauthorized backend operations with cross-system impact.

Code Injection Zscaler Internet Access Admin Portal
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-26365 MEDIUM This Month

HTTP request smuggling in Akamai Ghost CDN edge servers before 2026-02-06 allows remote attackers to craft malicious requests with conflicting hop-by-hop headers that cause improper message framing when forwarded to origin servers. An attacker can exploit this to inject unauthorized requests or bypass security controls by manipulating how the origin server interprets the request body. No patch is currently available.

Code Injection
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-2964 LOW Monitor

Prototype pollution in Webaudiorecorder.js versions 0.1 and 0.1.1 allows authenticated remote attackers to modify object properties through the extend function in Dynamic Config Handling, potentially leading to information disclosure or data manipulation. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific preconditions. The vendor has not released a patch and did not respond to disclosure attempts.

RCE Code Injection Webaudiorecorder Js
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-2954 LOW Monitor

SQL/code injection in Dromara UJCMS 10.0.2 allows authenticated remote attackers to manipulate database driver parameters (driverClassName/url) through the ImportDataController's import-channel endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. Successful exploitation could result in unauthorized data access, modification, or system availability impacts.

Code Injection Ujcms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27170 HIGH This Week

OpenSift versions 1.1.2-alpha and below allow authenticated attackers to abuse the URL ingest feature's overly permissive server-side request functionality to probe or access private and local network resources from the OpenSift host. The vulnerability requires valid credentials but no user interaction, enabling attackers to enumerate or interact with internal infrastructure not otherwise accessible. No patch is currently available, though version 1.1.3-alpha contains a fix.

Code Injection AI / ML Opensift
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-27125 npm MEDIUM PATCH This Month

Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. The issue requires prototype pollution as a precondition but can lead to information disclosure or denial of service in vulnerable SSR environments.

Code Injection Svelte Red Hat
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-67979 CRITICAL Act Now

Code injection in WPForms Google Sheet Connector (gsheetconnector-wpforms) WordPress plugin allows arbitrary code execution.

Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-52744 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0. [CVSS 7.6 HIGH]

Code Injection RCE
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-1658 MEDIUM This Month

Directory Services versions up to 25.2. is affected by user interface (ui) misrepresentation of critical information (CVSS 5.3).

Code Injection Directory Services
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26063 npm PATCH Monitor

CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully elim...

Code Injection
NVD GitHub
EPSS
0.1%
CVE-2026-25940 npm HIGH PATCH This Week

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. The vulnerability is fixed in jsPDF 4.2.0 and can be mitigated by sanitizing all user input before passing it to affected Acroform properties and methods.

Jspdf Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-25755 npm HIGH POC PATCH This Week

PDF object injection in the jsPDF JavaScript library (npm package 'jspdf', versions prior to 4.2.0) lets an attacker who controls the string passed to the addJS method break out of the PDF JavaScript string delimiter and inject arbitrary PDF dictionary objects, including auto-executing Additional Actions (/AA). Any user who later opens the generated PDF in a JavaScript-capable viewer executes the injected actions, affecting confidentiality, integrity and availability of their document session. Publicly available exploit code exists (a documented payload is published in the GitHub advisory), but EPSS is very low (0.04%, 10th percentile) and the issue is not in CISA KEV.

RCE Code Injection Jspdf
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22422 MEDIUM This Month

Everest Forms through version 3.4.1 fails to properly sanitize HTML script tags, enabling unauthenticated attackers to inject malicious code and compromise site integrity. The vulnerability allows attackers to perform code injection attacks without authentication or user interaction, potentially leading to data theft or malware distribution. No patch is currently available for this vulnerability.

Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24764 npm LOW POC PATCH Monitor

OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. [CVSS 3.7 LOW]

Code Injection Openclaw
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-12811 Monitor

Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.

Code Injection
NVD
EPSS
0.0%
CVE-2025-14009 PyPI HIGH POC PATCH GHSA This Week

Arbitrary code execution in the NLTK (Natural Language Toolkit) Python library affects all versions through its data downloader: the _unzip_iter function in nltk/downloader.py calls zipfile.extractall() with no path validation, so a malicious data package can drop attacker-controlled Python files (e.g. __init__.py) that execute automatically on import. Any application that downloads NLTK data from an attacker-influenced source is exposed to full remote code execution. Publicly available exploit code exists (huntr.com bounty), EPSS is modest at 0.57% (68th percentile), and there is no public exploit identified as actively exploited in CISA KEV.

Python RCE Nltk Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-23219 MEDIUM PATCH This Month

Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.

Linux Code Injection Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-61982 HIGH This Week

An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. [CVSS 7.8 HIGH]

RCE Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33249 HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33240 HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge Nvidia RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33239 HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge Nvidia RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33236 HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2296 HIGH This Week

Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2019 HIGH This Week

Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-70830 CRITICAL Act Now

Server-Side Template Injection (SSTI) in Datart v1.0.0-rc.3 via Freemarker template engine allows authenticated users to execute arbitrary code on the server.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-65716 HIGH POC This Week

An issue in Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18 allows attackers to execute arbitrary code via uploading a crafted .Md file. [CVSS 8.8 HIGH]

RCE Code Injection Markdown Preview Enhanced
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-65715 HIGH POC This Week

An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace. [CVSS 7.8 HIGH]

RCE Code Injection Coderunner
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2469 PHP MEDIUM PATCH This Month

Versions of the package directorytree/imapengine versions up to 1.22.3 contains a vulnerability that allows attackers to read or delete victim's emails, terminate the victim's session or execute any va (CVSS 7.6).

PHP Code Injection
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2025-33042 LIB HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection Avro Red Hat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26056 Go HIGH PATCH This Week

Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.

Kubernetes RCE Code Injection Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25996 Go CRITICAL POC PATCH GHSA Act Now

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.

Kubernetes Code Injection Inspektor Gadget Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25227 CRITICAL PATCH Act Now

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions can inject code. Patch available.

RCE Code Injection Authentik
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-63421 HIGH This Week

An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file [CVSS 7.8 HIGH]

RCE Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26216 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code in hooks that executes on the server. EPSS 0.28%.

Python Docker RCE Crawl4ai Code Injection +1
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-26234 HIGH POC This Week

Smart Visu Server Firmware contains a vulnerability that allows attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host head (CVSS 8.8).

Code Injection Smart Visu Server Firmware
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0969 npm HIGH PATCH This Week

Authenticated attackers can execute arbitrary code through next-mdx-remote's MDX compiler due to inadequate input validation in the serialization function, affecting applications processing untrusted MDX content. An authenticated user with access to compile MDX can inject and execute malicious code with full system privileges. No patch is currently available, leaving all versions vulnerable to this critical code execution risk.

RCE Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69872 PyPI CRITICAL PATCH Act Now

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

Python RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-57707 HIGH This Week

An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files. [CVSS 8.8 HIGH]

Code Injection File Station
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-30269 HIGH This Week

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. [CVSS 8.1 HIGH]

Code Injection Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-21537 HIGH PATCH This Week

Microsoft Defender for Endpoint on Linux contains a code injection vulnerability that enables adjacent network attackers to execute arbitrary code without authentication. The flaw affects multiple platforms and carries high severity (CVSS 8.8) with no patch currently available. An attacker on the local network could achieve complete system compromise through this unauthenticated attack vector.

Microsoft Linux Code Injection Defender For Endpoint
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21229 HIGH PATCH This Week

Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]

Code Injection Power Bi Report Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-13064 MEDIUM This Month

A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with. [CVSS 4.5 MEDIUM]

Code Injection Camera Station Pro
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-25807 HIGH POC PATCH This Week

Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.

RCE Code Injection Zai Shell
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1615 npm HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS Code Injection
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-25560 HIGH PATCH This Week

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

LDAP Wekan Code Injection
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.

Code Injection Gogs Suse
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. [CVSS 3.7 LOW]

Code Injection Jetty
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.

Code Injection RCE
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Code injection in Widget Options WordPress plugin.

Code Injection RCE
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).

WordPress Code Injection RCE
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.

Code Injection Pingora Cloudflare
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.

Code Injection Pingora Cloudflare
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional cookie attributes if untrusted input was passed into the (CVSS 5.4).

Code Injection Hono
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Hono versions up to 4.12.4 contains a vulnerability that allows attackers to injection of additional SSE fields within the same event frame if untrusted inpu (CVSS 6.5).

Code Injection Hono
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise. [CVSS 4.8 MEDIUM]

Code Injection
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Arubaos contains a vulnerability that allows attackers to redirect intercepted traffic to facilitate machine-in-the-middle (MitM) attacks (CVSS 4.3).

Code Injection Arubaos
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Malicious actors can install unauthorized Group Temporal Keys on ArubaOS wireless clients through a standardized roaming protocol vulnerability, enabling frame injection and network segmentation bypass. An attacker positioned on the local network could leverage this to intercept traffic, bypass client isolation, and compromise network integrity and confidentiality. No patch is currently available.

RCE Code Injection Arubaos
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SEPPmail Secure Email Gateway versions before 15.0.1 fail to properly validate S/MIME message headers, enabling attackers to forge or manipulate email headers and bypass trust mechanisms without authentication. This allows adversaries to spoof trusted senders or inject malicious headers into encrypted messages, potentially facilitating phishing and social engineering attacks. No patch is currently available for affected installations.

Code Injection Seppmail
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Input validation flaw in Devolutions Server error message page enables remote spoofing attacks.

Code Injection Devolutions Server
NVD
EPSS 0% CVSS 2.0
LOW Monitor

An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. [CVSS 2.0 LOW]

RCE Code Injection Impact Mobile
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.

RCE Code Injection Affine
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 is affected by code injection (CVSS 8.8).

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. No patch is currently available from the vendor.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Maxsite Cms versions up to 109.1. contains a vulnerability that allows attackers to code injection (CVSS 7.3).

PHP Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.

RCE Code Injection Statamic
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.

Code Injection Vim Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. [CVSS 6.5 MEDIUM]

Code Injection Http
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM POC This Month

HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject arbitrary headers through an unsanitized query parameter, potentially enabling cache poisoning, session fixation, or credential theft attacks. Any authenticated user can exploit this vulnerability directly or via social engineering, affecting all instances with authentication enabled. Public exploit code exists and no patch is currently available.

Code Injection Calibre Suse
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.

RCE Code Injection Frick Controls Quantum Hd Firmware
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Second code injection vulnerability in Johnson Controls Frick Controls Quantum HD. Separate attack vector from CVE-2026-21656, same critical impact on industrial refrigeration control.

Code Injection Frick Controls Quantum Hd Firmware
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Code injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote code execution on industrial refrigeration systems. Second critical vulnerability in the Quantum HD product line.

Code Injection Frick Controls Quantum Hd Firmware
NVD
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.

RCE Code Injection Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.

Code Injection Discourse
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem, and perform Server-Side (CVSS 8.6).

SSRF Code Injection Kibana
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler authentication endpoints, allowing unauthenticated remote attackers to manipulate server behavior and potentially conduct phishing or cache poisoning attacks. The vulnerability affects the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout endpoints, with the ability to inject malicious payloads that could lead to information disclosure or data modification. Currently no patch is available for this medium-severity issue.

Code Injection Pcvue
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated attackers can execute arbitrary code on Agenta API servers through server-side template injection in the evaluator template rendering functionality, affecting self-hosted and managed platform deployments prior to version 0.86.8. The vulnerability requires valid credentials but allows complete compromise of the affected server with high confidentiality, integrity, and availability impact. Organizations running Agenta should upgrade to version 0.86.8 or later immediately.

Code Injection AI / ML Agenta
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.

Node.js Koa Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Dottie versions 2.0.4 through 2.0.6 suffer from an incomplete prototype pollution fix that allows attackers to bypass validation by placing `__proto__` in non-first positions within dot-separated paths, affecting both `dottie.set()` and `dottie.transform()` functions. An attacker can exploit this to pollute object prototypes and achieve limited confidentiality, integrity, and availability impacts. Public exploit code exists and a patch is available in version 2.0.7.

Code Injection Dottie Red Hat
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in c3p0 (a Java JDBC connection-pooling library) before v0.12.0 allows an attacker who can set the `userOverridesAsString` property of a `ConnectionPoolDataSource` - or inject a crafted serialized object or `javax.naming.Reference` - to load and run arbitrary code on the application's CLASSPATH. The flaw stems from storing this writable Java-Bean property as a hex-encoded Java-serialized object, and is amplified by its dependency mchange-commons-java, which mirrored legacy JNDI behavior with ungated support for remote `factoryClassLocation` values, enabling download and execution of attacker-hosted classes. EPSS is low (0.15%) and there is no public exploit identified at time of analysis, though deserialization/JNDI gadget techniques against this library are publicly documented.

Java Deserialization Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.

RCE Code Injection Command Injection +2
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.

Code Injection RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.

Code Injection Rustfs
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Remote attackers can inject control characters into the SUPI parameter of free5GC UDM versions up to 1.4.1, causing URL parsing failures that leak sensitive system error details and enable service fingerprinting. Public exploit code exists for this vulnerability affecting the Nudm_UEAU service across all vulnerable deployments. A patch is available and should be applied immediately, as no application-level workaround exists.

Code Injection Udm
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.

RCE Code Injection Imagemagick +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in Valkey-Bloom module allows authenticated attackers to crash the Valkey server by sending a specially crafted RESTORE command that triggers an unhandled assertion. The vulnerability exists because the module failed to set the IO_ERRORS flag during RDB parsing, causing the server to shut down instead of gracefully handling the malformed input. A security patch is available, and administrators can mitigate the issue by disabling the RESTORE command if not required.

Code Injection Valkey Bloom
NVD GitHub
EPSS 0%
This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. The vulnerability could be exploited through an open port, potentially allowing unauthorized access.

Code Injection
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 5.3 MEDIUM]

Code Injection Udm
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 7.5 HIGH]

Code Injection Udm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Zscaler Internet Access Admin Portal contains an input validation flaw that enables authenticated administrators to retrieve sensitive internal information through specially crafted requests in specific configurations. The vulnerability requires high-level admin privileges and does not impact confidentiality or availability broadly, though it poses a risk in multi-tenant environments where privilege boundaries matter. Currently, no patch is available.

Code Injection Zscaler Internet Access Admin Portal
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Zscaler Internet Access Admin Portal allows authenticated administrators to execute arbitrary backend functions through insufficient input validation in the web UI. This high-severity vulnerability requires administrative privileges and currently lacks a patch, limiting exposure but leaving affected organizations vulnerable until remediation is available. An attacker with admin credentials could bypass intended restrictions to perform unauthorized backend operations with cross-system impact.

Code Injection Zscaler Internet Access Admin Portal
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

HTTP request smuggling in Akamai Ghost CDN edge servers before 2026-02-06 allows remote attackers to craft malicious requests with conflicting hop-by-hop headers that cause improper message framing when forwarded to origin servers. An attacker can exploit this to inject unauthorized requests or bypass security controls by manipulating how the origin server interprets the request body. No patch is currently available.

Code Injection
NVD
EPSS 0% CVSS 1.3
LOW Monitor

Prototype pollution in Webaudiorecorder.js versions 0.1 and 0.1.1 allows authenticated remote attackers to modify object properties through the extend function in Dynamic Config Handling, potentially leading to information disclosure or data manipulation. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific preconditions. The vendor has not released a patch and did not respond to disclosure attempts.

RCE Code Injection Webaudiorecorder Js
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL/code injection in Dromara UJCMS 10.0.2 allows authenticated remote attackers to manipulate database driver parameters (driverClassName/url) through the ImportDataController's import-channel endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. Successful exploitation could result in unauthorized data access, modification, or system availability impacts.

Code Injection Ujcms
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

OpenSift versions 1.1.2-alpha and below allow authenticated attackers to abuse the URL ingest feature's overly permissive server-side request functionality to probe or access private and local network resources from the OpenSift host. The vulnerability requires valid credentials but no user interaction, enabling attackers to enumerate or interact with internal infrastructure not otherwise accessible. No patch is currently available, though version 1.1.3-alpha contains a fix.

Code Injection AI / ML Opensift
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. The issue requires prototype pollution as a precondition but can lead to information disclosure or denial of service in vulnerable SSR environments.

Code Injection Svelte Red Hat
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Code injection in WPForms Google Sheet Connector (gsheetconnector-wpforms) WordPress plugin allows arbitrary code execution.

Code Injection
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0. [CVSS 7.6 HIGH]

Code Injection RCE
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Directory Services versions up to 25.2. is affected by user interface (ui) misrepresentation of critical information (CVSS 5.3).

Code Injection Directory Services
NVD
EPSS 0%
PATCH Monitor

CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully elim...

Code Injection
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. The vulnerability is fixed in jsPDF 4.2.0 and can be mitigated by sanitizing all user input before passing it to affected Acroform properties and methods.

Jspdf Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

PDF object injection in the jsPDF JavaScript library (npm package 'jspdf', versions prior to 4.2.0) lets an attacker who controls the string passed to the addJS method break out of the PDF JavaScript string delimiter and inject arbitrary PDF dictionary objects, including auto-executing Additional Actions (/AA). Any user who later opens the generated PDF in a JavaScript-capable viewer executes the injected actions, affecting confidentiality, integrity and availability of their document session. Publicly available exploit code exists (a documented payload is published in the GitHub advisory), but EPSS is very low (0.04%, 10th percentile) and the issue is not in CISA KEV.

RCE Code Injection Jspdf
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Everest Forms through version 3.4.1 fails to properly sanitize HTML script tags, enabling unauthenticated attackers to inject malicious code and compromise site integrity. The vulnerability allows attackers to perform code injection attacks without authentication or user interaction, potentially leading to data theft or malware distribution. No patch is currently available for this vulnerability.

Code Injection
NVD
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. [CVSS 3.7 LOW]

Code Injection Openclaw
NVD GitHub
EPSS 0%
Monitor

Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.

Code Injection
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Arbitrary code execution in the NLTK (Natural Language Toolkit) Python library affects all versions through its data downloader: the _unzip_iter function in nltk/downloader.py calls zipfile.extractall() with no path validation, so a malicious data package can drop attacker-controlled Python files (e.g. __init__.py) that execute automatically on import. Any application that downloads NLTK data from an attacker-influenced source is exposed to full remote code execution. Publicly available exploit code exists (huntr.com bounty), EPSS is modest at 0.57% (68th percentile), and there is no public exploit identified as actively exploited in CISA KEV.

Python RCE Nltk +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.

Linux Code Injection Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. [CVSS 7.8 HIGH]

RCE Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data shuffling tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron Bridge contains a vulnerability in a data merging tutorial, where malicious input could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Code Injection Information Disclosure Megatron Bridge +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure +2
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.

WordPress PHP Code Injection
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).

WordPress PHP Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Server-Side Template Injection (SSTI) in Datart v1.0.0-rc.3 via Freemarker template engine allows authenticated users to execute arbitrary code on the server.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

An issue in Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18 allows attackers to execute arbitrary code via uploading a crafted .Md file. [CVSS 8.8 HIGH]

RCE Code Injection Markdown Preview Enhanced
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace. [CVSS 7.8 HIGH]

RCE Code Injection Coderunner
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Versions of the package directorytree/imapengine versions up to 1.22.3 contains a vulnerability that allows attackers to read or delete victim's emails, terminate the victim's session or execute any va (CVSS 7.6).

PHP Code Injection
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Yoke's Air Traffic Controller component allows authenticated users with CustomResource create/update permissions to execute malicious WebAssembly modules by injecting crafted URLs into the overrides.yoke.cd/flight annotation, potentially enabling cluster-admin privilege escalation. The vulnerability affects Yoke 0.19.0 and earlier, with no patch currently available and an 8.8 CVSS severity rating.

Kubernetes RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter injection. PoC and patch available.

Kubernetes Code Injection Inspektor Gadget +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Code injection in authentik identity provider from 2021.3.1 through multiple versions. Users with delegated permissions can inject code. Patch available.

RCE Code Injection Authentik
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

An issue in filosoft Comerc.32 Commercial Invoicing v.16.0.0.3 allows a local attacker to execute arbitrary code via the comeinst.exe file [CVSS 7.8 HIGH]

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code in hooks that executes on the server. EPSS 0.28%.

Python Docker RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Smart Visu Server Firmware contains a vulnerability that allows attackers to override request URLs by injecting arbitrary values in the X-Forwarded-Host head (CVSS 8.8).

Code Injection Smart Visu Server Firmware
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated attackers can execute arbitrary code through next-mdx-remote's MDX compiler due to inadequate input validation in the serialization function, affecting applications processing untrusted MDX content. An authenticated user with access to compile MDX can inject and execute malicious code with full system privileges. No patch is currently available, leaving all versions vulnerable to this critical code execution risk.

RCE Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unsafe deserialization in DiskCache Python library through 5.6.3. Uses pickle by default, allowing attackers with cache directory write access to execute arbitrary code.

Python RCE Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files. [CVSS 8.8 HIGH]

Code Injection File Station
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. [CVSS 8.1 HIGH]

Code Injection Qsync Central
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Microsoft Defender for Endpoint on Linux contains a code injection vulnerability that enables adjacent network attackers to execute arbitrary code without authentication. The flaw affects multiple platforms and carries high severity (CVSS 8.8) with no patch currently available. An attacker on the local network could achieve complete system compromise through this unauthenticated attack vector.

Microsoft Linux Code Injection +1
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]

Code Injection Power Bi Report Server
NVD
EPSS 0% CVSS 4.5
MEDIUM This Month

A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with. [CVSS 4.5 MEDIUM]

Code Injection Camera Station Pro
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.

RCE Code Injection Zai Shell
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

LDAP Wekan Code Injection
NVD GitHub VulDB
Prev Page 10 of 54 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy