Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 0% CVSS 6.5
MEDIUM POC This Week

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection A3002r Firmware TOTOLINK
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 7.3
HIGH This Month

The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.6.0. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

RCE Apple Code Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Code Injection Apache +1
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 8.6
HIGH This Month

HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL This Week

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection Secure Firewall Management Center
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion.9.3. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection.9.9.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH This Month

NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Nvidia Code Injection +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Nvidia RCE +3
NVD
EPSS 1% CVSS 9.8
CRITICAL This Week

An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SAP Code Injection
NVD
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

Cherry Studio is a desktop client that supports for multiple LLM providers. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Cherry Studio
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Craft is a platform for creating digital experiences. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Craft Cms
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM Monitor

An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Foxcms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Month

: External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows : Parameter Injection.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A vulnerability was found in Keycloak-services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Keycloak Red Hat
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Microsoft Code Injection
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

Unexpected injection event vulnerability in the multimodalinput module. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Harmonyos
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js
NVD GitHub
EPSS 59% 5.3 CVSS 10.0
CRITICAL POC THREAT Emergency

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 58.8%.

PHP Code Injection RCE
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Thinkphp
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js +1
NVD GitHub
EPSS 7% 4.8 CVSS 8.0
HIGH POC KEV THREAT Act Now

DELMIA Apriso from Release 2020 through 2025 contains a code injection vulnerability allowing attackers to execute arbitrary code on the manufacturing execution system.

RCE Code Injection Delmia Apriso
NVD
EPSS 61% 4.8 CVSS 7.5
HIGH POC THREAT Act Now

A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 61.1%.

Buffer Overflow RCE Code Injection
NVD Exploit-DB
EPSS 76% 5.6 CVSS 9.3
CRITICAL POC THREAT Emergency

A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 75.8%.

PHP Code Injection RCE +1
NVD Exploit-DB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH This Week

A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault’s configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Hashicorp Code Injection +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Month

FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Freshrss
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

CRLF Injection vulnerability in Limesurvey v2.65.1+170522. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Code Injection Limesurvey
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

HTTP Request Splitting in DECE Software Geodi before GEODI Setup 9.0.146 allows remote unauthenticated attackers to inject CRLF sequences into HTTP requests, enabling cache poisoning, response splitting, and cross-site scripting against downstream consumers. The flaw is network-reachable with low attack complexity and no authentication, and Turkey's national CERT (USOM) issued advisory TR-25-0182 covering the issue. No public exploit identified at time of analysis and EPSS probability is low at 0.22% (45th percentile).

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GNOME GLib on Windows platforms occurs when an application uses GLib's process-spawning functions with excessively long command lines, causing the spawn operation to fail or crash the host process and disrupt availability. The flaw affects the GLib library's Windows command-line handling and impacts any Windows application that links GLib and passes attacker-influenced long argument strings to a child process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; despite Red Hat tags mentioning RCE/Code Injection, the CVSS impact metrics confirm availability-only impact (C:N/I:N/A:H).

Code Injection Denial Of Service Microsoft +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Firefox and Thunderbird's 'Copy as cURL' feature improperly escapes shell metacharacters, allowing remote attackers to trick users into executing arbitrary commands when pasting copied network requests into a terminal. Affects Firefox <141, Firefox ESR <128.13/140.1, and Thunderbird <141, <128.13/140.1. Vendor-released patches available across all affected branches. CVSS 8.1 with network attack vector requiring user interaction; no public exploit identified at time of analysis. EPSS data not provided but social engineering dependency limits automated exploitation risk.

Mozilla RCE Code Injection +3
NVD
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

SMTP injection in Eclipse Jakarta Mail (and its Angus Mail implementation) prior to version 2.0.2 allows a low-privileged attacker to inject arbitrary SMTP protocol commands by embedding raw carriage return (\r) and line feed (\n) UTF-8 characters into email fields processed by the library. The library fails to sanitize these input terminators before passing data to the SMTP command stream, enabling an attacker with control over email content to inject additional SMTP commands, forge headers, or deliver unsolicited messages through a trusted mail relay. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Code Injection Jakarta Mail Angus Mail +2
NVD VulDB
EPSS 16% 5.4 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Laravel Livewire v3 through v3.6.3 contains a critical remote code execution vulnerability (CVE-2025-54068, CVSS 9.8) that allows unauthenticated attackers to execute commands through improper hydration of component property updates. KEV-listed with EPSS 16%, this vulnerability affects one of the most popular PHP frameworks, potentially compromising thousands of Laravel applications using Livewire for reactive server-side rendering.

Laravel PHP RCE +2
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in Island Lake Consulting's WebBatch prior to version 2025C allows remote attackers to run arbitrary code by supplying a crafted URL. Rated CVSS 9.8 with an unauthenticated network vector (PR:N/UI:N), the flaw stems from code injection (CWE-94) in the product's URL handling, giving full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-interaction profile makes it a high-priority patch candidate.

Code Injection RCE
NVD
EPSS 17% 4.0 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

LaRecipe versions prior to 2.8.1 contain a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) in vulnerable configurations. The vulnerability allows unauthenticated network attackers to execute arbitrary commands on the server, access sensitive environment variables, and escalate privileges without requiring user interaction or special access. With a perfect CVSS 3.1 score of 10.0 and network-based attack vector, this represents a critical threat to all unpatched LaRecipe installations.

RCE Laravel PHP +2
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

CVE-2024-58258 is a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module that exploits limited code injection capabilities to allow unauthenticated remote attackers to make arbitrary requests from the affected server. SugarCRM versions before 13.0.4 and 14.x before 14.0.1 are affected, potentially enabling attackers to access internal resources, cloud metadata endpoints, or perform lateral movement. The vulnerability has a CVSS 3.1 score of 7.2 (High) with network-based attack vector and no authentication required, though it does not enable direct code execution or availability impact.

Code Injection SSRF Salesforce
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.

Deserialization PHP WordPress +3
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

CVE-2025-53641 is a Server-Side Request Forgery (SSRF) vulnerability in Postiz versions 1.45.1 through 1.62.2 that allows unauthenticated network attackers to inject arbitrary HTTP headers into the middleware pipeline, enabling unauthorized outbound requests from the affected server. With a CVSS score of 8.2 and network-accessible attack surface (AV:N/PR:N), this vulnerability poses significant risk to confidentiality of internal services and resources accessible from the server. The vulnerability is patched in version 1.62.3, and exploitation requires no user interaction or authentication, making it a high-priority remediation target.

SSRF Code Injection
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.

RCE Code Injection Privilege Escalation +1
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

CVE-2025-48891 is a SQL injection vulnerability in Advantech iView's CUtils.checkSQLInjection() function that fails to properly sanitize user input, allowing authenticated attackers with user-level privileges to execute arbitrary SQL queries. This can lead to unauthorized information disclosure or denial-of-service conditions. The vulnerability requires network access and user authentication but has no UI interaction requirement, making it a significant risk for organizations using iView in multi-user environments.

Code Injection Iview
NVD
EPSS 0% CVSS 8.0
HIGH POC This Week

CVE-2025-28243 is a Stored/Reflected HTML Injection vulnerability in Alteryx Server 2023.1.1.460 affecting the pages component, enabling unauthenticated attackers to inject malicious scripts that execute in victims' browsers with user interaction. This vulnerability carries a CVSS 8.0 score with high confidentiality and integrity impact; while no KEV or confirmed EPSS data is provided in the source material, the network-accessible attack vector and relatively high CVSS indicate moderate-to-significant real-world risk depending on deployment scope and user exposure.

Code Injection Alteryx Server
NVD GitHub
EPSS 93% 7.8 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Wing FTP Server before 7.4.4 contains a critical remote code execution vulnerability (CVE-2025-47812, CVSS 10.0) through null byte injection in user/admin web interfaces that enables arbitrary Lua code execution in session files. With EPSS 92.7% and KEV listing, this vulnerability guarantees unauthenticated root/SYSTEM code execution on affected servers, as the FTP service runs with maximum privileges by default.

RCE Code Injection Ftp +2
NVD Exploit-DB
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection.This issue affects Directory Services: 23.4.

RCE Code Injection
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

CVE-2025-6948 is a Stored Cross-Site Scripting (XSS) vulnerability in GitLab CE/EE that allows authenticated attackers to execute actions on behalf of other users through malicious content injection. Affected versions include 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. An attacker with valid credentials can manipulate the UI context (via user interaction) to perform unauthorized actions with high confidentiality and integrity impact across the GitLab instance.

Gitlab Code Injection
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2025-38280 is a security vulnerability (CVSS 7.8). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Linux Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.

Code Injection Jenkins Git Parameter
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2025-38264 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +4
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

A security vulnerability in An improper Input Validation vulnerability (CVSS 6.0) that allows injecting arbitrary values of the nas configuration file. Remediation should follow standard vulnerability management procedures.

Code Injection
NVD
EPSS 72% 5.7 CVSS 10.0
CRITICAL POC THREAT Emergency

The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.

PHP Authentication Bypass RCE +2
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

RCE Code Injection Kubernetes +4
NVD GitHub
EPSS 64% 8.7 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Microsoft Office SharePoint contains a code injection vulnerability (CVE-2025-49704, CVSS 8.8) enabling authenticated attackers to execute arbitrary code over the network. KEV-listed with EPSS 63.8%, this vulnerability requires only basic SharePoint authentication and enables server-level code execution, threatening the documents, workflows, and data stored across the organization's SharePoint infrastructure.

Microsoft RCE Code Injection +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network.

Microsoft RCE Code Injection +1
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

A security vulnerability in Ivanti Connect Secure (CVSS 6.6) that allows a remote authenticated attacker with admin rights. Remediation should follow standard vulnerability management procedures.

Code Injection Ivanti Connect Secure +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

WordPress RCE Code Injection +2
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application.

SAP RCE Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH This Week

IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory.

RCE Code Injection IBM +1
NVD
EPSS 0% CVSS 8.9
HIGH PATCH This Week

A security vulnerability in Natours (CVSS 8.9). High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container.

RCE Code Injection Challenges
NVD GitHub
EPSS 1% CVSS 9.5
CRITICAL Act Now

Remote attackers can execute arbitrary code in the context of the vulnerable service process.

RCE Code Injection
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

CVE-2025-38194 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Linux Code Injection Ubuntu +5
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2.

RCE Code Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. This issue affects Easy Stripe: from n/a through 1.1.

RCE Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated user. High severity vulnerability requiring prompt remediation.

Code Injection Ubuntu Debian +1
NVD
EPSS 56% 5.1 CVSS 9.3
CRITICAL POC THREAT Emergency

An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process.

RCE Code Injection Apple +1
NVD
EPSS 51% 4.8 CVSS 8.8
HIGH POC THREAT Act Now

Pandora FMS monitoring platform version 7.0NG and earlier contains an authenticated command injection in the net_tools.php functionality. The select_ips parameter is passed to OS commands without sanitization when performing ping operations, allowing authenticated users to execute arbitrary commands on the monitoring server.

PHP RCE Code Injection +1
NVD GitHub Exploit-DB
EPSS 59% 5.1 CVSS 9.3
CRITICAL POC THREAT Emergency

PHPStudy development environment versions 2016 through 2018 contain an embedded backdoor that executes arbitrary PHP code from HTTP request headers. The backdoor listens for base64-encoded payloads in the Accept-Charset header, decodes and executes them without any authentication, providing complete remote code execution on any server running the compromised PHPStudy.

PHP RCE Code Injection
NVD
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

A security vulnerability in tarteaucitron.js (CVSS 4.2). Risk factors: public PoC available. Vendor patch is available.

Code Injection Tarteaucitronjs
NVD GitHub
EPSS 52% 4.6 CVSS 7.8
HIGH POC THREAT Act Now

An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise. This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors.

RCE Code Injection
NVD Exploit-DB
EPSS 53% 5.0 CVSS 9.4
CRITICAL POC THREAT Emergency

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

RCE Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.

RCE Code Injection Insight Remote Support
NVD
EPSS 0% CVSS 9.1
CRITICAL POC Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0.

RCE Code Injection
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

RCE Code Injection Red Hat
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A security vulnerability in A flaw (CVSS 8.8) that allows an authenticated attacker. High severity vulnerability requiring prompt remediation.

Code Injection Kubernetes Red Hat
NVD
EPSS 0% CVSS 2.3
LOW Monitor

Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN client, which can induce unexpected behaviour when accessing third-party web applications through the VPN tunnel. Although such applications do not present this vulnerability per se, the use of the tunnel, together with a forged Host header, can cause the VPN client to redirect or forward HTTP requests to servers other than those originally intended, leading to consequences such as open redirects or delivery of traffic to infrastructure controlled by an attacker. This does not imply a flaw in the target applications, but in how the VPN client internally handles outgoing headers and requests.

Code Injection
NVD
EPSS 0% CVSS 8.7
HIGH This Week

A security vulnerability in versions (CVSS 8.7) that allows attackers. High severity vulnerability requiring prompt remediation.

Code Injection
NVD GitHub
Prev Page 15 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy