Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 38% 4.4 CVSS 8.8
HIGH POC PATCH THREAT Act Now

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27.

RCE Code Injection Grav
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The service wmp-agent of KerOS prior 5.12 does not properly validate so-called ‘magic URLs’ allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over network. Typically, the service is protected via local firewall.

RCE Code Injection Keros
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack.

Code Injection Dnsserver
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A security flaw has been discovered in Qualitor up to 8.20.104/8.24.97. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Code Injection
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A vulnerability was detected in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Orangehrm
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

CSV formula injection vulnerability in HCL Technologies Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Unica
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Java Code Injection
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Code Injection +1
NVD
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Ray is an AI compute engine. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple RCE Code Injection +4
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Caido is a web security auditing toolkit. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Contao is an Open Source CMS. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Contao
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +2
NVD
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Fluent Bit
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH This Week

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Google RCE +2
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Month

LangChain is a framework for building agents and LLM-powered applications. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Python Ssti +3
NVD GitHub
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Dataease
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Month

Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.

RCE Code Injection Lite Xl +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

esm.sh is a nobuild content delivery network(CDN) for modern web development. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection XSS +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache +7
NVD
EPSS 0% CVSS 8.6
HIGH This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Oracle Apache +6
NVD
EPSS 0% CVSS 8.0
HIGH This Month

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. No vendor patch available.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Dzzoffice
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

A command injection vulnerability exists in the AOS-CX Operating System. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.

Command Injection RCE Code Injection +1
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Code Injection Fortimail
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +2
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Drupal
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 8.8
HIGH This Month

An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A flaw has been found in Dromara dataCompare up to 1.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Month

pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LDAP Code Injection Pgadmin 4 +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Pgadmin 4 +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Month

The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.9.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Dell SmartFabric OS10 Software, versions prior to 10.6.1.0, contain an Improper Control of Generation of Code ('Code Injection') vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Dell RCE Code Injection +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Month

Open Access Management (OpenAM) is an access management solution. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in the bert services component where malicious data created by an attacker may cause a code injection. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +2
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +3
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure RCE Nvidia +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 1% CVSS 8.8
HIGH This Month

The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Elastic RCE +2
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SAP RCE Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Nosql Injection Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH This Month

The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.3
HIGH POC PATCH This Month

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Open Webui
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL POC Act Now

Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.0.7. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.4
HIGH This Month

An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Api Control Plane +5
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH This Week

The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Javascript Expression Evaluator +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Month

Xibo is an open source digital signage platform with a web content management system (CMS). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Xibo
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.3.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Agentforce Vibes
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Agentforce Vibes
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.12.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mulesoft Anypoint Code Builder
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.11.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mulesoft Anypoint Code Builder
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PostgreSQL Code Injection +1
NVD
EPSS 1% CVSS 8.8
HIGH This Month

The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.3
HIGH This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in alexusmai laravel-file-manager (versions 3.3.1 and earlier) lets an authenticated user with file-manager access run arbitrary PHP on the server by uploading a PHP payload disguised with a .png extension, then abusing the rename API to give it a .php extension so it executes when requested via a public URL. The flaw stems from client-side-only upload validation combined with an unrestricted rename operation and web-accessible storage. No CISA KEV listing; EPSS is a modest 0.55% (42nd percentile), but a dedicated GitHub repository referencing this CVE indicates public proof-of-concept material likely exists.

Code Injection PHP File Upload +1
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.

Microsoft Apache Tomcat +3
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Code injection in Zytec Dalian Zhuoyun Technology Central Authentication Service up to version 20251009 allows authenticated remote attackers to inject arbitrary code via manipulation of the get.layer, get.widget, and get.action parameters in the /index.php/auth/widget endpoint. Public exploit code is available, but real-world exploitation risk is low given the low CVSS score (2.1), requirement for prior authentication, and extremely low EPSS score (0.04%), suggesting limited practical exploitability despite proof-of-concept availability.

PHP Code Injection
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 allows authenticated remote attackers to inject malicious CSV formulas via the Title argument on the Edit Ticket Page, potentially enabling formula execution or data exfiltration when exported. Public exploit code exists and the vendor has not responded to disclosure notifications despite early contact.

Code Injection
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions up to 7.3.23) allows authenticated administrators to inject and execute arbitrary code through code injection vulnerabilities. The CVSS 9.1 severity reflects scope change and high impact across confidentiality, integrity, and availability. EPSS exploitation probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring privileged access rather than an imminent mass-exploitation threat.

WordPress PHP Code Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

CRLF injection in KeeneticOS before version 4.3 enables full device takeover by exploiting the /auth API endpoint to inject crafted HTTP headers that create additional administrator-level user accounts. The attack requires social engineering the device owner into visiting a malicious page, after which the injected CRLF sequences manipulate the API response to silently add a full-permission user the attacker controls. No public exploit has been identified at time of analysis, though a detailed writeup is publicly available on GitHub, which significantly lowers the barrier to weaponization.

Code Injection Keeneticos
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905.

Code Injection RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.

WordPress Deserialization Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.

WordPress PHP Code Injection
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.

WordPress PHP Code Injection +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25.

Code Injection RCE
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Authenticated remote code execution in the PluXml flat-file CMS lets an administrator abuse the built-in theme editor to overwrite /themes/defaut/css/minify.php with arbitrary PHP, turning legitimate admin file-editing into full server command execution. The flaw (CWE-94 code injection) requires high privileges (admin) but no user interaction, and its CVSS 3.1 score of 9.1 reflects a scope change from the web application to the underlying OS. No public exploit code is confirmed beyond a vulnerability-disclosure PDF, and EPSS is low (0.90%), consistent with an admin-only prerequisite.

Code Injection PHP RCE
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Code injection in ChanCMS up to version 3.3.2 via the getArticle function in app/modules/cms/controller/gather.js allows authenticated remote attackers to inject and execute arbitrary code with low impact on confidentiality, integrity, and availability. The exploit is publicly available on GitHub but exploitation probability remains low (EPSS 0.04%) due to authentication requirements and limited impact scope. The vendor did not respond to early disclosure notification.

Code Injection Chancms
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Code injection in the ClineProvider prompt handler of Kilo Code up to version 4.86.0 allows remote attackers with user interaction to manipulate input prompts and inject arbitrary code. The vulnerability affects the prompt processing component through insufficient input validation in src/core/webview/ClineProvider.ts. Public exploit code is available, and a patch has been released by the vendor, though the low CVSS score (2.1) and minimal EPSS percentile (12%) suggest limited real-world exploitation risk despite public availability.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW Monitor

CSV injection in Axosoft Scrum and Bug Tracking 22.1.1.11545 via the Title parameter on the Add Work Item Page allows authenticated users with UI interaction to inject malicious CSV formulas, resulting in low-impact data manipulation. The vulnerability requires user login and deliberate user interaction to exploit, limiting real-world risk despite public exploit availability and vendor non-responsiveness.

Code Injection
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Eidos is an extensible framework for Personal Data Management. Versions 0.21.0 and below contain a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted eidos: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (eidos:), causing the Eidos application to launch and process the URL, leading to remote code execution on the victim’s machine. This issue does not have a fix as of October 3, 2025

RCE Code Injection Eidos
NVD GitHub
EPSS 3% 4.8 CVSS 6.0
MEDIUM POC PATCH This Month

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. The problem exists in all versions of Redis with LUA scripting. This issue is fixed in version 8.2.2. A workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing LUA scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.

RCE Redis Code Injection +4
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files through prompt injection, thus achieving remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems. This issue is fixed in a commit, 25b418f, but has yet to be released as of October 3, 2025.

RCE Code Injection Cursor
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings (pretty similar to .vscode/settings.json) for the folders / project. An untitled workspace is automatically created by VS Code (untitled.code-workspace), which contains all the folders and workspace settings from the user's current session, opening up an entire new attack vector if the user has a .code-workspace file in path (either untitled created automatically or a saved one). If an attacker is able to hijack the chat context of the victim (such as via a compromised MCP server), they can use prompt injection to make the Cursor Agent write into this file and modify the workspace. This leads to a bypass of CVE-2025-54130 which can lead to RCE by writing to the settings section. This issue is fixed in version 1.7.

RCE Code Injection Cursor
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

CVE-2025-59489 is a security vulnerability (CVSS 7.4) that allows argument injection that can result. Risk factors: public PoC available.

Code Injection Editor Android +2
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

RCE Code Injection Claude Code
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

A arbitrary file access vulnerability (CVSS 6.5) that allows an attacker with instance configuration permissions. Risk factors: public PoC available.

Code Injection Ubuntu Debian +2
NVD GitHub
EPSS 0%
PATCH This Week

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. In versions 2.0.2 and below of risc0-zkvm-platform, when the zkVM guest calls sys_read, the host is able to use a crafted response to write to an arbitrary memory location in the guest. This capability can be leveraged to execute arbitrary code within the guest. As sys_read is the mechanism by which input is requested by the guest, all guest programs built with the affected versions are vulnerable. This critically compromises the soundness guarantees of the guest program. Other affected packages include risc0-aggregation versions below 0.9, risc0-zkos-v1compat below 2.1.0, risc0-zkvm versions between 3.0.0-rc.1 and 3.0.1. This issue has been fixed in the following versions: risc0-zkvm-platform 2.1.0, risc0-zkos-v1compat 2.1.0, risc0-aggregation 0.9, and risc0-zkvm 2.3.2 and 3.0.3.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.

RCE Code Injection Dolibarr Erp Crm
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2022-50445 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2025-39913 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection Google
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

JIT miscompilation in the JavaScript Engine: JIT component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mozilla
NVD
Prev Page 13 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy