Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Code Injection RCE Alchemy Cms
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Header injection in Mailpit's SMTP server prior to version 1.28.3 allows unauthenticated remote attackers to inject or modify email headers by embedding carriage return characters in sender and recipient addresses due to insufficient regex validation. Public exploit code exists for this vulnerability, which could enable attackers to manipulate email routing, spoofing, or phishing attacks against users of the email testing tool. The issue is resolved in version 1.28.3 and later.

Code Injection Mailpit Suse
NVD GitHub
EPSS 0% CVSS 2.6
LOW Monitor

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. [CVSS 2.6 LOW]

Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

its WifiHotSpotService.exe contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

its service configuration contains a vulnerability that allows attackers to execute code with elevated privileges (CVSS 7.8).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 7.8
HIGH POC This Week

Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. [CVSS 7.8 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.

RCE Code Injection AI / ML +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. [CVSS 8.8 HIGH]

RCE Code Injection Process Optimization
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions. [CVSS 7.8 HIGH]

Code Injection Bragent
NVD Exploit-DB
EPSS 0% CVSS 3.7
LOW Monitor

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. [CVSS 3.7 LOW]

Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execute without appearing in the allowlist, enabling environment poisoning and arbitrary command execution.

Code Injection AI / ML Cursor
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically from WRT fallback.

Linux Code Injection Linux Kernel +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.1 MEDIUM]

Code Injection Emui Harmonyos
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]

Code Injection Harmonyos
NVD
EPSS 0% CVSS 8.4
HIGH POC This Week

servermedicontservice contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 8.4).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 8.4
HIGH POC This Week

TrapiServer service contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 8.4).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 8.4
HIGH POC This Week

EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. [CVSS 8.4 HIGH]

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Beehive Forum 1.5.2 has host header injection in the forgot password function that allows intercepting password reset tokens. PoC available.

Code Injection Beehive Forum
NVD Exploit-DB
EPSS 0% CVSS 8.4
HIGH POC This Week

FSService contains a vulnerability that allows attackers to potentially execute code with elevated privileges (CVSS 8.4).

Code Injection
NVD Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM This Month

Kibana's Email Connector fails to properly validate email address parameters, allowing authenticated users with view-level privileges to trigger excessive resource allocation and crash the service. An attacker can exploit this input validation flaw by submitting a specially crafted email address to cause complete denial of service, requiring manual service restart to restore availability for all users. No patch is currently available.

Code Injection Kibana Red Hat
NVD
EPSS 0%
PATCH Monitor

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. ...

Code Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. [CVSS 7.2 HIGH]

Code Injection Arubaos
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Dreamweaver Desktop versions 21.6 and earlier suffer from improper input validation that enables arbitrary file writes when a user opens a malicious file. An attacker can exploit this to manipulate or inject malicious content into the victim's file system with broad impact across confidentiality, integrity, and availability. No patch is currently available.

Code Injection Dreamweaver
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Arbitrary code execution in Adobe Dreamweaver versions 21.6 and earlier allows local attackers to execute commands with user privileges by delivering malicious files that bypass input validation. Successful exploitation requires social engineering to convince a user to open a crafted file, with impact extending beyond the application context. No patch is currently available for this high-severity vulnerability.

RCE Code Injection Dreamweaver
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper input validation in Adobe Dreamweaver 21.6 and earlier allows arbitrary code execution with user privileges through a malicious file. An attacker can exploit this vulnerability by tricking a user into opening a crafted file, with no special privileges required. A patch is currently unavailable, making this a significant risk for affected Dreamweaver users.

RCE Code Injection Dreamweaver
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node’s IP whitelist validation performed partial string matching instead of exact IP comparison. [CVSS 5.3 MEDIUM]

Code Injection N8n
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. [CVSS 8.8 HIGH]

Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.

Kubernetes Gateway Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Comfyui-Manager versions up to 3.39.2 contains a vulnerability that allows attackers to security setting tampering or modification of application behavior (CVSS 7.5).

Code Injection Comfyui Manager
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

RustCrypto Elliptic Curves versions 0.14.0-pre.0 and 0.14.0-rc.0 are vulnerable to denial-of-service when decrypting SM2 public key encryption, as invalid curve points with syntactically valid coordinates cause an unhandled panic during point validation. Public exploit code exists for this vulnerability, affecting applications that use the SM2 implementation. A remote attacker can crash the cryptographic service by sending specially crafted ciphertext with malformed elliptic curve points.

Code Injection Sm2 Elliptic Curve
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Salesforce Uni2TS time series forecasting library (through 1.2.0) has a code injection vulnerability that allows leveraging executable code in non-executable files across all platforms.

Linux Windows macOS +2
NVD
EPSS 0% CVSS 9.4
CRITICAL POC Act Now

RuoYi-Vue-Plus (through 5.5.1) allows arbitrary file read/write through QLExpress expression evaluation in the snailjob workflow node checker. Attackers can use the File class to access any file on the server. PoC available.

RCE Code Injection Ruoyi Vue Plus
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Print Shop Pro WebDesk 18.34 allows purchasing items with negative quantities, creating financial discrepancies. Attackers can generate credits or manipulate pricing through the GetUnitPrice endpoint. PoC available, fixed in 19.69.

Code Injection Print Shop Pro Webdesk
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles, affecting applications using the iccDEV library to handle color management data. Public exploit code exists for this vulnerability, and no patches are currently available. An attacker can trigger memory corruption through a crafted ICC profile to achieve arbitrary code execution without user interaction beyond opening the malicious file.

Code Injection Iccdev
NVD GitHub
EPSS 0%
Monitor

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users ton perform arbitrary unmounts via smb4k mount helper

Code Injection
NVD
EPSS 12% CVSS 9.9
CRITICAL POC PATCH THREAT Act Now

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.

RCE Code Injection Node.js +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Titra time tracking software versions 0.99.49 and below contain a mass assignment vulnerability in their API that allows authenticated users to inject arbitrary fields into time entries through an unvalidated customfields parameter, enabling attackers to overwrite protected data such as user IDs, hours, and entry states. Public exploit code exists for this vulnerability which affects the integrity of tracked time data. The issue is resolved in version 0.99.50.

Code Injection Titra
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles, affecting applications that use the iccDEV library to manage color data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. Update to version 2.3.1.2 or later to remediate.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles through the ParseBasic() function. An attacker can exploit this vulnerability by crafting a specially formatted ICC profile file that triggers memory corruption with high impact on confidentiality, integrity, and availability. Users of the iccDEV library should upgrade to version 2.3.1.2 immediately, as no workarounds are available.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes including code execution, data theft, and denial of service when processing malicious ICC color profiles. The vulnerability exists in the CIccSegmentedCurveXml::ToXml() function and affects any application using the iccDEV library to handle color management data. Public exploit code exists for this vulnerability, though a patch is available in version 2.3.1.2 and later.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution through malicious ICC color profiles processed by the ToXmlCurve() function. Public exploit code exists for this vulnerability, affecting any application or system using the vulnerable iccDEV library to parse color management profiles. A patch is available in version 2.3.1.2 and should be applied immediately.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

iccDEV versions prior to 2.3.1.2 contain a type confusion vulnerability in the CIccTag::IsTypeCompressed() function that allows unauthenticated attackers to cause integrity violations or service disruption by crafting malicious ICC color profiles. The vulnerability requires user interaction to exploit and affects applications using the iccDEV library to process color management profiles. Public exploit code exists, and a patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

iccDEV before version 2.3.1.2 contains a type confusion vulnerability in the XML tag processing function that allows attackers to trigger information disclosure, data modification, or denial of service when processing specially crafted ICC color profiles. Public exploit code exists for this vulnerability, affecting users who process untrusted color profile files with the iccDEV library. A patch is available in version 2.3.1.2 and should be applied immediately.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Denial of service in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to crash applications processing ICC color profiles through a type confusion vulnerability in the XML profile parser. Public exploit code exists for this vulnerability. Users of the iccDEV library should upgrade to version 2.3.1.2 to remediate the issue.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution with user interaction by crafting malicious ICC color profiles. Public exploit code exists for this vulnerability affecting organizations that process color management profiles through the iccDEV libraries. A patch is available in version 2.3.1.2 with no known workarounds prior to upgrading.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

iccDEV versions before 2.3.1.2 contain undefined behavior in the CIccTagCurve constructor that allows attackers to cause denial of service or data integrity issues when processing malicious ICC color profiles. The vulnerability requires user interaction to trigger and affects anyone using the library to handle color management profiles, with public exploit code already available. Administrators should upgrade to version 2.3.1.2 immediately as no workarounds exist.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Undefined behavior in iccDEV's ICC color profile validation function (versions before 2.3.1.2) allows attackers to cause denial of service or integrity violations when processing specially crafted color profiles. The vulnerability requires user interaction to trigger and affects any application using the iccDEV library to handle ICC profiles. Public exploit code exists for this vulnerability; patched version 2.3.1.2 is available.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

iccDEV versions before 2.3.1.2 contain undefined behavior in the CIccTagLut16::Read() function that allows attackers to cause denial of service or data corruption when processing specially crafted ICC color profiles. The vulnerability requires user interaction to exploit and affects applications using the iccDEV library to handle color management profiles. Public exploit code exists for this issue, though a patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Undefined behavior in iccDEV versions before 2.3.1.2 allows remote attackers to cause denial of service or data corruption through maliciously crafted ICC color profiles processed by the library. The vulnerability requires user interaction to open a malicious profile and public exploit code exists. Organizations using iccDEV should upgrade to version 2.3.1.2 or later.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Type confusion in iccDEV versions before 2.3.1.2 allows remote attackers to execute arbitrary code by crafting malicious ICC color profiles that trigger improper type handling in the profile evaluation function. This vulnerability affects any application or user processing ICC profiles through the iccDEV library and requires minimal user interaction to exploit. A patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles, affecting applications that use the library to handle color management data. An attacker can trigger the vulnerability through a crafted profile file requiring only user interaction to open, potentially achieving complete system compromise. Public exploit code exists and no patch is currently available.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

iccDEV versions before 2.3.1.2 contain an undefined behavior runtime error in ICC color profile processing that allows remote attackers to cause denial of service or data corruption via malformed profile files, requiring only user interaction to trigger. The vulnerability affects all users processing ICC color profiles through the iccDEV library with no available workarounds currently available.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the CIccLocalizedUnicode::GetText() function with minimal attack complexity. The vulnerability affects users of the ICC color profile manipulation library and has public exploit code available. Organizations using vulnerable versions should upgrade to 2.3.1.2 or later immediately.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows local attackers with user interaction to achieve arbitrary code execution through malicious ICC color profile manipulation in the IccTagXml() function. Public exploit code exists for this vulnerability, which affects all users of the vulnerable iccDEV libraries and tools. A patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

iccDEV versions prior to 2.3.1.2 suffer from denial of service due to undefined behavior triggered by invalid enum values in ICC color profile processing. A local attacker with user interaction can crash the application or cause system instability, and public exploit code exists. The vulnerability affects users of the iccDEV library on affected systems, with patches available in version 2.3.1.2 and later.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

iccDEV versions prior to 2.3.1.2 are susceptible to a division by zero error in the TIFF Image Reader component, which can be triggered by a local user with minimal privileges through interaction with a malicious TIFF file. Successful exploitation results in denial of service by crashing the application. A patch is available in version 2.3.1.2 and later.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack. [CVSS 7.5 HIGH]

Code Injection Oai Cn5g Amf
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization function that can be exploited remotely without authentication to achieve code execution, information disclosure, or denial of service. Public exploit code exists for this vulnerability which affects all users of the vulnerable library versions. A patch is available in version 2.3.1.1 and should be applied immediately.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

iccDEV versions 2.3.1.1 and below allow local attackers to cause a denial of service or leak sensitive memory through improper input validation in the CIccProfile::LoadTag function, which fails to properly validate ICC profile data before processing. Public exploit code exists for this vulnerability, and a patch is available in version 2.3.1.2.

Buffer Overflow Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors that can be exploited remotely without authentication to achieve code execution or denial of service. Public exploit code exists for this vulnerability, affecting users who have not upgraded to version 2.3.1.2 or later. An attacker can trigger memory corruption through specially crafted ICC profile inputs with user interaction.

Code Injection Iccdev
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

QNAP Malware Remover before 6.6.8.20251023 has a code generation vulnerability that allows remote attackers to bypass the protection mechanism. An ironic vulnerability in a security tool that is supposed to protect QNAP NAS devices.

RCE Code Injection Malware Remover
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

Code injection in iCMS up to version 8.0.0 allows remote attackers with high privileges to inject arbitrary code via the config POST parameter in the ConfigAdmincp.php component. The vulnerability affects the Save function's parameter handling and has publicly available exploit code, though the extremely low CVSS score (2.0) reflects the requirement for high-privileged authenticated access, limiting real-world risk despite public exploit availability.

PHP Code Injection Icms
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote command execution in JD Cloud NAS-series routers (AX1800, AX3000, AX6600, BE6500, ER1 and ER2 firmware) allows unauthenticated network attackers to inject and run arbitrary OS commands on the device. The flaw is rated CVSS 9.8 with an unauthenticated network vector, and while no public exploit has been identified, its EPSS of 1.01% (59th percentile) reflects moderate near-term exploitation likelihood. Successful abuse yields full control of the router, making it a pivot point into the internal network.

Code Injection RCE Ax1800 Firmware +5
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code injection in IF AS Shortcode WordPress plugin versions up to 1.2 allows attackers to execute arbitrary code through improper handling of shortcode parameters. The vulnerability stems from CWE-94 (Improper Control of Code Generation) and affects WordPress installations using this plugin. Patchstack reported the vulnerability; however, no CVSS vector is provided and EPSS probability is low at 0.07%, suggesting limited real-world exploit activity at the time of analysis.

Code Injection RCE
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing a manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP Code Injection Cmseasy
NVD VulDB
EPSS 0%
Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL.

Code Injection Linux
NVD
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Remote code execution in TinaCMS affects versions prior to 3.1.1, @tinacms/cli before 2.0.4, and @tinacms/graphql before 2.0.3. Authenticated attackers with content control over markdown files can execute arbitrary code through insecure gray-matter package usage. The vulnerability requires low-privilege authentication (PR:L) and user interaction (UI:P), enabling full compromise of confidentiality, integrity, and availability in the vulnerable context. Publicly available exploit code exists, significantly increasing deployment risk for unpatched installations managing user-contributed markdown content.

RCE Code Injection Tinacms +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.

Code Injection RCE
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection.This issue affects Molla: from n/a through <= 1.5.13.

RCE Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection.This issue affects Javo Core: from n/a through <= 3.0.0.266.

RCE Code Injection
NVD
EPSS 0% CVSS 2.0
LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privilege authenticated remote attackers to inject arbitrary code via manipulation of the Cj_Add or Cj_Edit arguments in the Backend System Configuration Module (/ctcms/libs/Ct_Config.php). Public exploit code is available, but exploitation requires administrative credentials and produces only low confidentiality impact without scope expansion. EPSS score of 0.07% indicates minimal real-world exploitation probability despite public POC availability.

PHP Code Injection Ctcms
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Code injection in CTCMS up to version 2.1.2 allows high-privileged remote attackers to inject arbitrary code via the CT_App_Paytype parameter in the Backend App Configuration Module's Save function. The vulnerability has a low CVSS score (2.0) due to requiring high administrative privileges (PR:H), but publicly available exploit code exists. Real-world risk is limited to authenticated administrators with backend access.

PHP Code Injection Ctcms
NVD VulDB
EPSS 1% CVSS 8.6
HIGH POC This Week

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary command execution in MineAdmin v3.x arises from insecure permissions on its scheduled-tasks (cron) feature, letting attackers inject and run OS-level commands (CWE-94) and pivot to full account takeover. Any deployment of the MineAdmin 3.x backend administration framework is affected. The referenced GitHub Gist appears to document the technique; no CISA KEV listing exists, and EPSS is low at 0.47% (37th percentile), indicating no confirmed widespread exploitation yet.

Code Injection RCE Mineadmin
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary root file overwrite in CloudLinux ai-bolit before v32.7.4 occurs when the scanner's malware de-obfuscation routines evaluate attacker-controlled content, enabling code injection that runs with the scanner's root privileges. A crafted file placed where ai-bolit will scan it triggers the flaw, letting an attacker overwrite arbitrary files as root and effectively take over the host. There is no public exploit identified at time of analysis, EPSS risk is modest (0.29%, 21st percentile), and it is not listed in CISA KEV.

Code Injection Ai Bolit
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

CRLF injection in code-projects Rental Management System 2.0 allows authenticated remote attackers to manipulate log entries via the Log Handler component in Transaction.java, enabling log tampering with minimal real-world impact. The vulnerability requires prior authentication (PR:L), has low integrity impact, and carries a very low EPSS score (0.07%) despite public exploit availability, suggesting exploitation is limited to specific threat scenarios.

Java Code Injection Rental Management System
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1.

RCE Code Injection
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefox (versions <146, <115.31 ESR, <140.6 ESR) and Thunderbird (versions <146, <140.6 ESR). The CVSS 9.8 critical score reflects network-based exploitation requiring no user interaction. EPSS score of 0.10% (27th percentile) suggests low predicted exploitation probability despite severity. No public exploit identified at time of analysis, and vendor-released patches are available across all affected product lines per Mozilla security advisories MFSA2025-92 through MFSA2025-96.

Mozilla RCE Code Injection +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7.

Privilege Escalation Code Injection RCE +1
NVD GitHub
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such generic UART does not support DMA. In current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to DMACR register for SBSA UARTs which does not support DMA. When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux SBSA PL011 driver will access PL011 DMACR register in some functions. For most real SBSA Pl011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to guest, when guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement DMACR register. So when Linux SBSA PL011 driver access DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP ... Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon This has been discussed in the Xen community, and we think it should fix this in Linux. See [2] for more information. [1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html

Code Injection Linux Linux Kernel
NVD
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: mm: prevent poison consumption when splitting THP When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access pages in the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a panic kernel. In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. Thanks to Andrew Zaborowski for his initial work on fixing this issue.

Code Injection Linux Ubuntu +2
NVD
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.

Code Injection XSS RCE +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Code Injection RCE Masacms
NVD GitHub
EPSS 75% 5.7 CVSS 9.8
CRITICAL POC THREAT Emergency

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.

WordPress Code Injection RCE +1
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.

RCE Code Injection
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A security vulnerability in Samsung Internet (CVSS 5.5) that allows local attackers. Remediation should follow standard vulnerability management procedures.

Samsung Code Injection Internet
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.

RCE Python Code Injection +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27.

RCE Code Injection Grav
NVD GitHub
Prev Page 12 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy