Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4846)

EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Unauthenticated remote code execution in Zai Shell prior to 9.0.3 via the unprotected P2P terminal sharing feature on port 5757, where attackers can inject arbitrary system commands that execute with user privileges if approved. Public exploit code exists for this vulnerability, and affected systems running --no-ai mode completely bypass safety checks during command execution. Update to version 9.0.3 to remediate.

RCE Code Injection Zai Shell
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

LDAP Wekan Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper credential domain validation in n8n's HTTP Request node prior to version 1.121.0 enables authenticated attackers to redirect requests containing credentials to unintended domains, risking credential theft for users with wildcard domain patterns in their allowed domains configuration. The vulnerability requires valid authentication and has a low exploitation probability, with no public exploit currently available.

Code Injection N8n
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

SandboxJS has a fourth CVSS 10.0 sandbox escape through Map's safe prototype being used as a gateway to inject arbitrary code.

Code Injection RCE Sandboxjs
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.

Privilege Escalation Code Injection RCE +4
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Claude Code versions prior to 2.0.55 insufficiently validate piped sed commands, permitting authenticated users to circumvent file write protections and deposit files in restricted directories including .claude folders and locations outside project scope. An attacker with access to the "accept edits" feature can exploit this to write malicious content to sensitive areas of the system. A patch is available in version 2.0.55 and later.

Code Injection AI / ML Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to inject commands through tool responses.

Code Injection AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 2.1
LOW POC Monitor

Code injection in Fermat's eqn_chart function allows authenticated remote attackers to execute arbitrary code by manipulating equation arguments. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. The attack requires valid credentials but no user interaction, affecting all versions up to the latest rolling release commit.

Code Injection Fermat
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC This Week

An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function [CVSS 7.2 HIGH]

RCE Code Injection Chestnutcms
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. [CVSS 5.6 MEDIUM]

TP-Link Information Disclosure Code Injection
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. [CVSS 8.6 HIGH]

Go Code Injection RCE
NVD VulDB
EPSS 0% CVSS 7.8
HIGH POC This Week

WCAssistantService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

FactoryTalk Activation Service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Langroid LLM framework prior to 0.5 has a code injection vulnerability (CVSS 9.6) allowing attackers to execute arbitrary code through the AI agent system.

Code Injection AI / ML Langroid
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

RCE Command Injection Code Injection +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Malformed data processed by the affected product can be embedded in exported CSV files, which execute arbitrary code when opened by users due to improper input validation. Movable Type 7 and 8.4 series (both EOL) along with current versions are vulnerable to this code injection attack through user-initiated file downloads. An authenticated attacker can craft malicious input to compromise any user who downloads and opens the resulting CSV file.

Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.

Privilege Escalation Code Injection Information Disclosure +1
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL Act Now

ASUSTOR ADM has an input validation vulnerability when joining AD Domain that allows unauthenticated attackers to compromise the NAS device.

Code Injection Data Master
NVD
EPSS 0%
Monitor

Vulnerability in Wikimedia Foundation DiscussionTools.This issue affects DiscussionTools: from * before 1.43.4, 1.44.1.

Code Injection
NVD
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. Upgrade to jsPDF 4.1.0 or later to remediate the issue.

Jspdf Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Jspdf versions up to 4.1.0 contains a vulnerability that allows attackers to inject arbitrary XML (CVSS 5.4).

Code Injection Jspdf Red Hat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SoupServer's improper handling of HTTP requests combining Transfer-Encoding: chunked and Connection: keep-alive headers enables remote attackers to smuggle malicious requests over persistent connections without authentication. This HTTP request smuggling vulnerability can cause denial-of-service conditions and unintended request processing by exploiting the server's failure to properly close connections per RFC 9112. No patch is currently available.

Denial Of Service Code Injection Red Hat +1
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker +3
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Code injection in Orval TypeScript API client generator versions 7.19.0 to before 7.22.0. Generated client code may be vulnerable to injection through crafted OpenAPI specifications.

Code Injection Orval
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

PolarLearn versions prior to 0-PRERELEASE-15 fail to validate the `direction` parameter in the forum vote API endpoint, allowing authenticated attackers to submit arbitrary values that bypass business logic and corrupt vote data. Public exploit code exists for this vulnerability. The issue affects authenticated users who can manipulate voting behavior through improper input validation.

Code Injection Polarlearn
NVD GitHub
EPSS 0%
Monitor

pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`.

Code Injection
NVD GitHub
EPSS 51% 6.5 CVSS 9.8
CRITICAL POC KEV EUVD KEV THREAT Emergency

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to achieve remote code execution on the mobile device management server. Compromising the MDM server provides access to all managed mobile device configurations, policies, and potentially the ability to push malicious profiles to enrolled devices.

Ivanti RCE Code Injection
NVD VulDB
EPSS 65% 6.9 CVSS 9.8
CRITICAL POC KEV EUVD KEV PATCH THREAT Act Now

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that allows unauthenticated remote attackers to execute arbitrary code. With EPSS 64.8% and KEV listing, this vulnerability in the mobile device management platform threatens the security of every managed mobile device in the organization, as EPMM has the ability to push configurations, certificates, and apps to enrolled devices.

Ivanti RCE Code Injection +1
NVD VulDB
EPSS 43% 4.5 CVSS 8.8
HIGH POC THREAT Act Now

A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. [CVSS 8.8 HIGH]

Code Injection Tactical Rmm
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. [CVSS 6.8 MEDIUM]

Code Injection Archer Re605x Firmware
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Maker.js versions up to 0.19.1 improperly validate object properties in the `extendObject` function, allowing inherited and malicious properties to be copied to target objects without filtering. Applications using the library are vulnerable to property injection attacks, and public exploit code exists for this vulnerability. A patch is available in version 0.19.2.

Code Injection Maker.Js
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Arbitrary code execution in iccDEV versions before 2.3.1.2 occurs when malformed ICC color profiles containing NaN floating-point values are parsed, causing undefined behavior during type conversion that corrupts memory structures. Local attackers can exploit this by crafting malicious ICC profiles that applications process, and public exploit code exists for this vulnerability. The issue affects any system using the iccDEV library to handle ICC profile data, with a patch available in version 2.3.1.2.

RCE Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Prototype pollution in NocoDB's connection test endpoint allows authenticated org-level creators to disrupt all database write operations application-wide until server restart, with public exploit code available. Although the vulnerability can bypass SUPER_ADMIN authorization checks, the resulting denial of service prevents actual exploitation of elevated privileges. The issue affects versions prior to 0.301.0 with no patch currently available.

Code Injection Nocodb
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Tendenci 12.3.1 has a CSV formula injection in the contact form message field enabling code execution when administrators export and open data in spreadsheet applications.

Code Injection Tendenci
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

HTTP header injection in libsoup through CRLF sequences in the Content-Disposition header allows unauthenticated remote attackers to inject arbitrary headers or split responses without user interaction. Public exploit code exists for this vulnerability. The flaw affects any application using vulnerable versions of libsoup to process untrusted HTTP headers, with no patch currently available.

Code Injection Red Hat Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator att...

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. [CVSS 7.8 HIGH]

Node.js Command Injection Browserstack Local +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH POC This Week

PACService.exe contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

SENADB service contains a vulnerability that allows attackers to execute code with elevated system privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH This Week

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. [CVSS 7.5 HIGH]

Denial Of Service Code Injection Syncbreeze +1
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

Python Pytorch Checkpoint +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Denial Of Service Privilege Escalation Code Injection +2
NVD
EPSS 0%
This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage.This issue affects Minecraft-Rcon-Manage: before 3.0.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Dirsearch 0.4.1 has CSV injection in scan reports.

Code Injection
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Knockpy 4.1.1 has CSV injection in subdomain scan exports.

Code Injection Knockpy
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Ezcast Pro Dongle Ii Firmware versions up to 1.17478.146 is affected by improper input validation (CVSS 5.3).

Code Injection Ezcast Pro Dongle Ii Firmware
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

ROOT data analysis framework has an input validation vulnerability in zlib modules enabling code execution through crafted data files.

Code Injection Root
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.

Apache Java Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH POC This Week

PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0%
Monitor

Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers.

Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and earlier contain unsafe handling of user-supplied input in the CIccTagXmlSegmentedCurve::ToXml() function, enabling remote attackers to trigger undefined behavior in ICC profile parsing. Public exploit code exists for this vulnerability, which can lead to denial of service, data manipulation, or arbitrary code execution. Upgrade to version 2.3.1.2 to remediate.

Denial Of Service RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and earlier allow remote attackers to trigger undefined behavior in the icSigCalcOp() function through malicious ICC color profiles, enabling denial of service, data manipulation, or potential code execution. The vulnerability stems from unsafe handling of user-controllable input in binary profile data, and public exploit code exists. Affected organizations should upgrade to version 2.3.1.2 or later.

Denial Of Service RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement CloudPagesURL component. Second Salesforce Marketing Cloud CVE with same root cause.

Code Injection Marketing Cloud Engagement
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.

Code Injection Marketing Cloud Engagement
NVD
EPSS 0%
This Week

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 2.7
LOW POC PATCH Monitor

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized propertie...

Code Injection Mytube
NVD GitHub
EPSS 0%
PATCH Monitor

The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.

Python RCE Code Injection +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.

Python RCE Code Injection +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.

Python RCE Code Injection +2
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Incus contains a vulnerability that allows attackers to adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command exec (CVSS 8.7).

Code Injection Incus Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1. [CVSS 7.5 HIGH]

Code Injection
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection.This issue affects FluentForm: from n/a through <= 6.1.11. [CVSS 5.3 MEDIUM]

Code Injection
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Event Tickets with Ticket Scanner WordPress plugin has a code injection vulnerability allowing remote code execution through the event management system.

Code Injection RCE
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Nelio AB Testing WordPress plugin has a code injection vulnerability allowing attackers to execute arbitrary code through the A/B testing functionality.

Code Injection RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in vLLM 0.10.1 through 0.13.x lets an attacker who controls the model repository or path run arbitrary Python on the inference host: vLLM auto-loads Hugging Face `auto_map` dynamic modules during model resolution without honoring the `trust_remote_code` safety gate, so attacker-supplied code executes at server startup before any request is processed and without API access. The flaw carries a CVSS 9.8 and is fixed in 0.14.0, with Red Hat shipping multiple RHSA errata; however EPSS is only 0.06% (17th percentile) and there is no public exploit identified at time of analysis, so exploitation hinges on an attacker first influencing which model is loaded. This is a code-injection (CWE-94) trust-boundary bypass rather than a remotely reachable network service bug despite the AV:N rating.

Python Vllm Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH POC This Week

SbieSvc service contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

eBeam Stylus Driver service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

eBeam Device Service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

WPCommandFileService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

ScheduleService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

GuardTourService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8).

WordPress Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 1% CVSS 7.2
HIGH POC This Week

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. [CVSS 7.2 HIGH]

PHP RCE Code Injection +1
NVD GitHub Exploit-DB
EPSS 0%
PATCH Monitor

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Code Injection
NVD GitHub VulDB
EPSS 0%
PATCH Monitor

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Code Injection
NVD GitHub VulDB
EPSS 0%
PATCH Monitor

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Code Injection
NVD GitHub VulDB
EPSS 0%
PATCH Monitor

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

An input validation issue in in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. [CVSS 7.5 HIGH]

Code Injection Websocket Server
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unsafe code generation in binary-parser prior to version 2.3.0 allows remote code execution when processing untrusted input for parser field names or encoding parameters. Node.js applications using vulnerable versions of the library can be compromised to execute arbitrary JavaScript with process-level privileges. A patch is available and exploitation requires no authentication or user interaction.

Node.js Code Injection Binary Parser
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Code Injection RCE Alchemy Cms
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Header injection in Mailpit's SMTP server prior to version 1.28.3 allows unauthenticated remote attackers to inject or modify email headers by embedding carriage return characters in sender and recipient addresses due to insufficient regex validation. Public exploit code exists for this vulnerability, which could enable attackers to manipulate email routing, spoofing, or phishing attacks against users of the email testing tool. The issue is resolved in version 1.28.3 and later.

Code Injection Mailpit Suse
NVD GitHub
EPSS 0% CVSS 2.6
LOW Monitor

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. [CVSS 2.6 LOW]

Code Injection
NVD
Prev Page 11 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4846

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy