Code Injection
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.
How It Works
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.
Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.
The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.
Impact
- Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
- Operating system command execution — break out from language runtime to system shell via subprocess calls
- Data exfiltration — read database credentials, environment variables, source code, and business data
- Persistence establishment — modify application files, inject backdoors, create scheduled tasks
- Lateral movement — leverage server access to attack internal network resources and connected services
Real-World Examples
A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.
Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.
Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.
Mitigation
- Eliminate dynamic code execution — refactor to use data-driven approaches instead of
eval(),exec(),Function(), or similar constructs - Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
- Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
- Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
- Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
- Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation
Recent CVEs (4849)
Improper Control of Generation of Code ('Code Injection') vulnerability in Jose Content No Cache allows Code Injection. This issue affects Content No Cache: from n/a through 0.1.3.
CVE-2025-53007 is a security vulnerability (CVSS 8.9). High severity vulnerability requiring prompt remediation.
LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue.
CVE-2025-5826 is a security vulnerability (CVSS 6.3) that allows network-adjacent attackers. Remediation should follow standard vulnerability management procedures.
Registrator, a GitHub app automating Julia package registration, contains critical shell injection and argument injection vulnerabilities in versions prior to 1.9.5 that can be exploited through malicious or injected clone URLs returned by GitHub. An unauthenticated remote attacker can achieve arbitrary code execution on systems running vulnerable versions with no user interaction required. No public exploits are confirmed, but the vulnerability is trivial to exploit given the direct code paths involved.
CVE-2025-52479 is a CRLF injection vulnerability in URIs.jl (<1.6.0) and HTTP.jl (<1.10.17) that allows attackers to construct malicious URIs containing carriage return and line feed characters. If user input is not properly escaped, this can enable CRLF injection attacks to manipulate HTTP headers or protocol boundaries. The vulnerability has a CVSS score of 7.7 (high integrity impact) and affects Julia ecosystem users; patch versions are available and should be deployed immediately.
A security vulnerability in Successful exploitation of the vulnerability could allow an attacker that (CVSS 6.4) that allows an attacker that has physical access. Remediation should follow standard vulnerability management procedures.
CVE-2023-47295 is a critical CSV injection vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated remote attackers to execute arbitrary commands through crafted payloads injected into any text input field. The vulnerability has a CVSS 9.8 score indicating maximum severity due to network accessibility, no authentication requirements, and complete system compromise potential (confidentiality, integrity, and availability impact). This represents a direct remote code execution risk affecting payment terminal infrastructure.
CVE-2025-6512 is a critical privilege escalation vulnerability in BRAIN2 where unauthenticated attackers can inject malicious scripts into reports on non-admin client systems, which are then executed with administrator privileges on the BRAIN2 server. This represents a complete system compromise with CVSS 10.0 severity, affecting all users regardless of their local privilege level. No authentication is required to exploit this vulnerability, making it immediately exploitable in network environments.
A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions.
A remote code execution vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2022-50089 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Kernel BUG in the Linux kernel's BPF cgroup subsystem that can be triggered via a memory allocation failure during BPF program detachment, causing a denial of service (kernel panic). Local unprivileged users with BPF capabilities can trigger this by exploiting a race condition between program attachment/detachment and memory pressure, resulting in high availability impact with potential information disclosure. The vulnerability affects Linux kernel versions before the fix was merged (approximately 5.19.0+).
CVE-2025-38016 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2025-49155 is an uncontrolled search path vulnerability in Trend Micro Apex One's Data Loss Prevention (DLP) module that allows unauthenticated remote attackers to inject and execute arbitrary code. The vulnerability requires user interaction (CVSS UI:R) but poses critical risk to organizations deploying Apex One, as successful exploitation grants full system compromise with high confidentiality, integrity, and availability impact (CVSS 8.8). Exploitation likelihood should be assessed against current threat intelligence for active in-the-wild usage.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.
Server-Side Template Injection (SSTI) vulnerability in the chat feature of Citrix Remote Support (RS) and Privileged Remote Access (PRA) that enables unauthenticated remote code execution with a critical CVSS score of 9.8. The vulnerability affects the chat messaging functionality across both products with no authentication or user interaction required, allowing attackers to execute arbitrary code on affected systems. This is a critical severity issue requiring immediate patching.
CVE-2025-24388 is a security vulnerability (CVSS 3.8) that allows parameter injection due. Remediation should follow standard vulnerability management procedures.
A vulnerability classified as critical has been found in letta-ai letta up to 0.4.1. Affected is the function function_message of the file letta/letta/interface.py. The manipulation of the argument function_name/function_args leads to improper neutralization of directives in dynamically evaluated code. The exploit has been disclosed to the public and may be used.
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0.
A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.
CVE-2025-22239 is an arbitrary event injection vulnerability in SaltStack's master node that allows an authorized minion to inject malicious events onto the master's event bus via the '_minion_event' method. This affects Salt Master deployments where minions have event publishing capabilities, enabling authenticated attackers to manipulate internal event flows and potentially trigger unintended master behaviors. The CVSS 8.1 score reflects high confidentiality and integrity impact with local attack vector, though exploitation requires prior authentication as an authorized minion.
An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel. An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.
Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: * The header is prepared with org.springframework.http.ContentDisposition. * The filename is set via ContentDisposition.Builder#filename(String, Charset). * The value for the filename is derived from user-supplied input. * The application does not sanitize the user-supplied input. * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details). An application is not vulnerable if any of the following is true: * The application does not set a “Content-Disposition” response header. * The header is not prepared with org.springframework.http.ContentDisposition. * The filename is set via one of: * ContentDisposition.Builder#filename(String), or * ContentDisposition.Builder#filename(String, ASCII) * The filename is not derived from user-supplied input. * The filename is derived from user-supplied input but sanitized by the application. * The attacker cannot inject malicious content in the downloaded content of the response. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.7 * 6.1.0 - 6.1.20 * 6.0.5 - 6.0.28 * Older, unsupported versions are not affected MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
CVE-2025-4278 is an HTML injection vulnerability in GitLab CE/EE versions 18.0.0 through 18.0.1 that allows authenticated attackers to inject malicious HTML through the new search page. Under specific conditions, this vulnerability can escalate to account takeover by leveraging user interaction (UI requirement), with a CVSS score of 8.7 indicating high severity. The vulnerability requires low attack complexity and network accessibility, making it a significant risk for organizations running affected GitLab versions.
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
A remote code execution vulnerability (CVSS 6.1) that allows attackers. Remediation should follow standard vulnerability management procedures.
Critical Code Injection vulnerability (CWE-94) in MetalpriceAPI versions through 1.1.4 that allows authenticated attackers to inject and execute arbitrary code with network access and low complexity. The vulnerability has a maximum severity CVSS score of 9.9 with complete impact across confidentiality, integrity, and availability. This is a high-priority vulnerability affecting any deployment of MetalpriceAPI up to version 1.1.4, with no publicly confirmed workarounds available at this time.
A remote code execution vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
A security vulnerability in WilderForge (CVSS 9.9). Critical severity with potential for significant impact on affected systems.
A remote code execution vulnerability in Discourse (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Format string vulnerability in QNAP Qsync Central that allows authenticated remote attackers to read sensitive data or modify memory without user interaction. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released March 20, 2025), with a CVSS score of 8.1 indicating high severity. While no public exploit or KEV status is currently documented, the low attack complexity and requirement for only low-privilege user access make this a significant risk for organizations running vulnerable versions.
Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase allows Code Injection. This issue affects Team Showcase: from n/a through n/a.
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed only with permissions higher than the view permission.
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that can be executed with view permission.
Critical remote code execution vulnerability in expression language processors that allows unauthenticated attackers to execute arbitrary code with maximum server privileges through improper input neutralization. This is a perfect-score CVSS 10.0 vulnerability affecting expression language engines across multiple frameworks; exploitation requires no authentication, user interaction, or special configuration, making it an immediate priority for any organization using affected technologies.
A security vulnerability in Django 5.2 (CVSS 4.0) that allows remote attackers. Remediation should follow standard vulnerability management procedures.
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
A remote code execution vulnerability in webpack-dev-server (CVSS 5.3) that allows users. Risk factors: public PoC available. Vendor patch is available.
Unauthenticated RCE in JEHC-BPM 2.0.1 via execParams. EPSS 17.3%. PoC and patch available. CVSS 10.0.
Remote privilege escalation in Android WLAN AP driver via packet injection.
FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Kea configuration and API directives can be used to load a malicious hook library. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper neutralization of input in Nagvis before version 1.9.47 which can lead to livestatus injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
A vulnerability was found in docarray up to 0.40.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The SSID field is not parsed correctly and can be used to inject commands into the hostpad.conf file. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.
Predictable filename vulnerabilities in ASPECT may expose sensitive information to a potential attacker if administrator credentials become compromised*; NEXUS Series: through 3.*; MATRIX Series:. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable. No vendor patch available.
Remote Code Execution vulnerabilities are present in ASPECT if session administra-tor credentials become compromised.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if session administrator credentials become compromised.08.03; NEXUS Series: through 3.08.03;. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in Valvesoftware Steam Client Steam Client 1738026274 allows attackers to escalate privileges via a crafted executable or DLL. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Argument injection in special agent configuration in Checkmk <2.4.0p1, <2.3.0p32, <2.2.0p42 and 2.1.0 allows authenticated attackers to write arbitrary files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Hubble is a fully distributed networking and security observability platform for cloud native workloads. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A command injection vulnerability in the component /cgi-bin/qos.cgi of Wavlink WL-WN579A3 v1.0 allows attackers to execute arbitrary commands via a crafted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.0%.
Langroid is a Python framework to build large language model (LLM)-powered applications. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Langroid is a Python framework to build large language model (LLM)-powered applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG Lite allows Code Injection.6.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in RS WP THEMES RS WP Book Showcase allows Code Injection.7.41. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG allows Code Injection.5.34. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authenticated attackers to execute arbitrary code through crafted API requests.
EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An improper isolation or compartmentalization vulnerability [CWE-653] in FortiClientMac version 7.4.2 and below, version 7.2.8 and below, 7.0 all versions and FortiVoiceUCDesktop 3.0 all versions. Rated low severity (CVSS 2.5). No vendor patch available.
SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
EspoCRM is a free, open-source customer relationship management platform. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Retool (self-hosted) before 3.196.0 allows Host header injection. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Erlang/OTP is a set of libraries for the Erlang programming language. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An Eval Injection issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The NEX-Forms - Ultimate Form Builder - Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: don't try to reclaim hwpoison folio Syzkaller reports a bug as follows: Injecting memory failure for pfn 0x18b00e at. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
The Wolmart | Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web interface of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an unauthenticated, remote attacker to inject HTML into the browser of an. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member allows Code Injection.10.3. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in GS Plugins GS Testimonial Slider allows Code Injection.2.9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- web
- Total CVEs
- 4849