Skip to main content

Code Injection

4853 CVEs technique

Monthly

CVE-2025-56588 PHP HIGH PATCH This Week

Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.

RCE Code Injection Dolibarr Erp Crm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2022-50445 MEDIUM PATCH This Month

CVE-2022-50445 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu Debian Linux Kernel +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-39913 HIGH PATCH CISA This Week

CVE-2025-39913 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-11153 HIGH PATCH This Week

JIT miscompilation in the JavaScript Engine: JIT component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mozilla
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-10217 MEDIUM This Month

A vulnerability exists in Asset Suite for an authenticated user to manipulate the content of performance related log data or to inject crafted data in logfile for potentially carrying out further. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
6.0
EPSS
0.1%
CVE-2025-59954 CRITICAL POC PATCH Act Now

Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Java Code Injection Apache Knowage
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-35033 MEDIUM This Month

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Enterprise Health
NVD
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-3193 npm HIGH POC PATCH This Week

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Code Injection Algoliasearch Helper Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60114 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency allows Code Injection.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-10993 MEDIUM This Month

A security flaw has been discovered in MuYuCMS up to 2.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Code Injection Muyucms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-59823 Go CRITICAL PATCH This Week

Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection Kubernetes Suse
NVD GitHub
CVSS 3.0
9.9
EPSS
0.1%
CVE-2025-20364 MEDIUM Monitor

A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-48868 HIGH POC PATCH This Week

Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python RCE Code Injection Horilla
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.2
EPSS
0.9%
CVE-2025-23354 HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23353 HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23349 HIGH This Week

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23348 HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Megatron Lm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-6429 Maven MEDIUM PATCH Monitor

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Api Manager Identity Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-5717 MEDIUM This Month

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Java Api Control Plane Api Manager +2
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-9321 CRITICAL Act Now

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59528 npm CRITICAL POC PATCH THREAT Act Now

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.

RCE Code Injection Node.js Flowise
NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
83.0%
Threat
6.0
CVE-2025-59433 npm MEDIUM PATCH This Month

Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-58673 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Tareq Hasan WP User Frontend allows Code Injection.1.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-57439 HIGH POC This Week

Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Creabox Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-54815 HIGH POC This Week

Server-side template injection (SSTI) vulnerability in PPress 0.0.9 allows attackers to execute arbitrary code via crafted themes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ppress
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-58766 CRITICAL This Week

Dyad is a local AI app builder. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker RCE Code Injection
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-35431 MEDIUM PATCH This Month

CISA Thorium does not escape user controlled strings used in LDAP queries. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.

LDAP Code Injection Information Disclosure Thorium
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-10057 HIGH This Month

The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE PHP Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-41243 Maven CRITICAL POC PATCH Act Now

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Java Spring
NVD
CVSS 3.1
10.0
EPSS
5.5%
CVE-2022-50282 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: chardev: fix error handling in cdev_device_add() While doing fault injection test, I got the following report: ------------[ cut. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Code Injection Linux Linux Kernel Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9556 CRITICAL This Week

Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Langchain AI / ML
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59053 CRITICAL Act Now

AIRI is a self-hosted, artificial intelligence based Grok Companion. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection XSS
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-8417 HIGH This Month

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress RCE PHP Code Injection
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-59041 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-58764 npm HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-59042 PyPI HIGH PATCH This Week

PyInstaller bundles a Python application and all its dependencies into a single package. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Microsoft Python Privilege Escalation +2
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-58768 CRITICAL POC Act Now

DeepChat is a smart assistant uses artificial intelligence. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection XSS Deepchat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-55728 CRITICAL PATCH This Week

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Atlassian RCE Code Injection Pro Macros
NVD GitHub
CVSS 3.1
10.0
EPSS
3.3%
CVE-2025-55727 CRITICAL POC PATCH Act Now

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Atlassian RCE Code Injection Pro Macros
NVD GitHub
CVSS 3.1
10.0
EPSS
6.9%
CVE-2025-48208 HIGH This Month

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LDAP Code Injection Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-24404 HIGH This Month

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-9539 HIGH This Month

The AutomatorWP - Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation WordPress RCE Code Injection PHP
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-9489 MEDIUM This Month

The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-42922 CRITICAL This Week

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection Java
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-58745 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Code Injection Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-58365 Maven HIGH PATCH This Month

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2025-10097 npm MEDIUM POC This Month

A vulnerability was identified in SimStudioAI sim up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Sim
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-57141 CRITICAL POC Act Now

rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ruisibi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-7366 HIGH This Week

The The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-58372 HIGH PATCH This Month

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58827 LOW Monitor

Improper Control of Generation of Code ('Code Injection') vulnerability in PickPlugins Job Board Manager allows Code Injection.1.61. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-55305 npm MEDIUM POC PATCH This Month

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Red Hat Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-58353 HIGH This Month

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-6785 MEDIUM Monitor

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
4.7
EPSS
0.0%
CVE-2025-9519 HIGH This Month

The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-9517 HIGH This Month

The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-9959 HIGH This Month

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Code Injection
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-47421 HIGH This Week

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.001.0031.001 through 3.001.0034.001. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-58176 HIGH POC PATCH This Week

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Dive
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-9375 MEDIUM PATCH This Month

XML Injection vulnerability in xmltodict allows Input Data Manipulation.14.2 before 0.15.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-58159 CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Wegia
NVD GitHub
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-58160 Cargo LOW PATCH Monitor

tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2025-55173 npm MEDIUM PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Red Hat Next.js Vercel
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-39245 MEDIUM Monitor

There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2024-48908 MEDIUM This Month

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-54731 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection.5.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-48100 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator allows Remote Code Inclusion.12.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-5101 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated. Rated medium severity (CVSS 5.0). No vendor patch available.

RCE Gitlab Code Injection
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-52122 PHP CRITICAL POC PATCH Act Now

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Freeform
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30057 CRITICAL This Week

In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function. Rated critical severity (CVSS 9.4), this vulnerability is low attack complexity. No vendor patch available.

RCE Command Injection Code Injection
NVD
CVSS 4.0
9.4
EPSS
0.3%
CVE-2025-30056 CRITICAL This Week

The RunCommand function accepts any parameter, which is then passed for execution in the shell. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-30055 CRITICAL This Week

The "system" function receives untrusted input from the user. Rated critical severity (CVSS 9.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 4.0
9.0
EPSS
0.0%
CVE-2025-2313 CRITICAL This Week

In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2025-23315 HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23314 HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23313 HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23312 HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Nemo
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-23307 HIGH This Month

NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection Information Disclosure Nemo Curator
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-52218 HIGH This Month

SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Selectzero
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-53419 HIGH This Month

Delta Electronics COMMGR has Code Injection vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-57773 HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Code Injection Dataease
NVD GitHub
CVSS 4.0
8.2
EPSS
0.4%
CVE-2025-57772 HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Dataease
NVD GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2022-31491 CRITICAL Act Now

Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2024-52786 CRITICAL This Week

An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2025-9162 Maven MEDIUM PATCH Monitor

A flaw was found in org.keycloak/keycloak-model-storage-service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Red Hat
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-9241 LOW POC Monitor

A weakness has been identified in elunez eladmin up to 2.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-54019 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53577 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-53194 HIGH This Week

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Ssti Code Injection
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-48169 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.

RCE Code Injection Dolibarr Erp Crm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2022-50445 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2025-39913 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection Google
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

JIT miscompilation in the JavaScript Engine: JIT component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mozilla
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability exists in Asset Suite for an authenticated user to manipulate the content of performance related log data or to inject crafted data in logfile for potentially carrying out further. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Java Code Injection +2
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Medical Informatics Engineering Enterprise Health has a CSV injection vulnerability that allows a remote, authenticated attacker to inject macros in downloadable CSV files. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Enterprise Health
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Code Injection Algoliasearch Helper +1
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency allows Code Injection.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A security flaw has been discovered in MuYuCMS up to 2.7. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Code Injection Muyucms
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH This Week

Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection
NVD
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

Horilla is a free and open source Human Resource Management System (HRMS). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python RCE Code Injection +1
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Api Manager Identity Server
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Java +4
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 83% 6.0 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.

RCE Code Injection Node.js +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Tareq Hasan WP User Frontend allows Code Injection.1.11. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

Creacast Creabox Manager 4.4.4 contains a critical Remote Code Execution vulnerability accessible via the edit.php endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Server-side template injection (SSTI) vulnerability in PPress 0.0.9 allows attackers to execute arbitrary code via crafted themes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ppress
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL This Week

Dyad is a local AI app builder. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker RCE Code Injection
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CISA Thorium does not escape user controlled strings used in LDAP queries. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.

LDAP Code Injection Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE PHP +1
NVD
EPSS 5% CVSS 10.0
CRITICAL POC PATCH Act Now

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Java +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: chardev: fix error handling in cdev_device_add() While doing fault injection test, I got the following report: ------------[ cut. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Code Injection Linux Linux Kernel +2
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Langchain AI / ML
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

AIRI is a self-hosted, artificial intelligence based Grok Companion. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection XSS
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Month

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress RCE PHP +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

PyInstaller bundles a Python application and all its dependencies into a single package. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Microsoft +4
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

DeepChat is a smart assistant uses artificial intelligence. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection XSS +1
NVD GitHub
EPSS 3% CVSS 10.0
CRITICAL PATCH This Week

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Atlassian RCE Code Injection +1
NVD GitHub
EPSS 7% CVSS 10.0
CRITICAL POC PATCH Act Now

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Atlassian RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

LDAP Code Injection Apache +1
NVD
EPSS 0% CVSS 8.8
HIGH This Month

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Apache Hertzbeat
NVD
EPSS 0% CVSS 8.0
HIGH This Month

The AutomatorWP - Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation WordPress RCE +2
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection +1
NVD
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in SimStudioAI sim up to 1.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Sim
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

rsbi-os 4.7 is vulnerable to Remote Code Execution (RCE) in sqlite-jdbc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ruisibi
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

The The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Month

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Roo Code
NVD GitHub
EPSS 0% CVSS 3.8
LOW Monitor

Improper Control of Generation of Code ('Code Injection') vulnerability in PickPlugins Job Board Manager allows Code Injection.1.61. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Red Hat +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Month

Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM Monitor

Securing externally available CAN wires can easily allow physical access to the CAN bus, allowing possible injection of specially formed CAN messages to control remote start functions of the vehicle. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 7.2
HIGH This Month

The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.2
HIGH This Month

The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.6
HIGH This Month

Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Code Injection
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.001.0031.001 through 3.001.0034.001. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Dive
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

XML Injection vulnerability in xmltodict allows Input Data Manipulation.14.2 before 0.15.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL POC Act Now

WeGIA is a Web manager for charitable institutions. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Red Hat Next.js +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM Monitor

There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

lychee link checking action checks links in Markdown, HTML, and text files using lychee. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Suse
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection.5.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator allows Remote Code Inclusion.12.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated. Rated medium severity (CVSS 5.0). No vendor patch available.

RCE Gitlab Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Freeform
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL This Week

In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function. Rated critical severity (CVSS 9.4), this vulnerability is low attack complexity. No vendor patch available.

RCE Command Injection Code Injection
NVD
EPSS 0% CVSS 9.4
CRITICAL This Week

The RunCommand function accepts any parameter, which is then passed for execution in the shell. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.0
CRITICAL This Week

The "system" function receives untrusted input from the user. Rated critical severity (CVSS 9.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.4
CRITICAL This Week

In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.5
HIGH This Month

SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Selectzero
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Delta Electronics COMMGR has Code Injection vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Deserialization Code Injection +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Dataease
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE Code Injection
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH Monitor

A flaw was found in org.keycloak/keycloak-model-storage-service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Red Hat
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A weakness has been identified in elunez eladmin up to 2.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection.7.0. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Ssti Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion.3.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
Prev Page 14 of 54 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy