Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 0% CVSS 8.7
HIGH This Week

KNIME Business Hub is affected by the Ingress-nginx CVE-2025-1974 ( a.k.a IngressNightmare ) vulnerability which affects the ingress-nginx component. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Nginx +2
NVD
EPSS 67% 5.5 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 67.3% and no vendor patch available.

RCE PostgreSQL Code Injection +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Telesquare TLR-2005KSH 1.1.4 is affected by an unauthorized command execution vulnerability when requesting the admin.cgi parameter with setAutorest. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Tlr 2005Ksh Firmware
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

An issue in Arris NVG443B 9.3.0h3d36 allows a physically proximate attacker to execute arbitrary code via the cshell login component. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Visual Text Editor allows Remote Code Inclusion.2.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A template injection vulnerability in the Dashboard of NASA Fprime v3.4.3 allows attackers to execute arbitrary code via uploading a crafted Vue file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Fprime
NVD
EPSS 2% CVSS 9.8
CRITICAL This Week

An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A Host Header Injection vulnerability in TRMTracker application may allow an attacker by modifying the host header value in an HTTP request to leverage multiple attack vectors, including defacing the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The TRMTracker web application is vulnerable to LDAP injection attack potentially allowing an attacker to inject code into a query and execute remote commands that can read and update data on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP
NVD
EPSS 0% CVSS 9.2
CRITICAL Act Now

An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Block Logic - Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the block_logic_check_logic. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 1% CVSS 8.7
HIGH This Week

Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Dify
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SuperAGI is vulnerable to remote code execution in the latest version. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Superagi
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Month

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Python
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Litellm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A vulnerability in danny-avila/librechat prior to version 0.7.6 allows for logs debug injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Gpt Academic
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Gpt Academic
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

In h2oai/h2o-3 version 3.46.0.1, the `run_tool` command exposes classes in the `water.tools` package through the `ast` parser. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Denial Of Service +1
NVD
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Librechat
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE SSRF Code Injection +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +2
NVD GitHub
EPSS 0% CVSS 8.4
HIGH This Week

An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Fortisoar
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Incorrect string encoding vulnerability in NASK - PIB BotSense allows injection of an additional field separator character or value in the content of some fields of the generated event. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ohio Extra allows Code Injection.4.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 8.6
HIGH This Week

The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Logicaldoc
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection File Upload +1
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 2% CVSS 9.0
CRITICAL PATCH Act Now

graphql-ruby is a Ruby implementation of GraphQL. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Red Hat
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Plenti <= 0.7.16 is vulnerable to code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Plenti +1
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

hostapd fails to process crafted RADIUS packets properly. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Code Injection Hostapd
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Siemens SiPass integrated access control systems (AC5102 ACC-G2 and ACC-AP, before V6.4.9) allow authenticated administrators to escalate to root via command injection in the REST API's pubkey endpoint. While high privileges are required, the scope change enables full system compromise.

Code Injection
NVD
EPSS 0% CVSS 8.2
HIGH This Week

A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). Affected devices improperly sanitize user input for specific commands on the telnet command line interface. [CVSS 8.2 HIGH]

Code Injection
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to code injection risks. [CVSS 8.1 HIGH]

Code Injection
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Improper Input Validation vulnerability in ZTE GoldenDB allows Input Data Manipulation.This issue affects GoldenDB: from 6.1.03 through 6.1.03.04. [CVSS 4.9 MEDIUM]

Code Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

canvg 4.0.2 is vulnerable to arbitrary code execution through prototype pollution in the StyleElement class constructor. An attacker can exploit this to execute code in environments that process SVG content with canvg. A PoC exists with no patch available.

RCE Code Injection Red Hat
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Fresh Framework for WordPress (through 1.70.0) contains a code injection vulnerability that allows unauthenticated attackers to execute arbitrary code with scope change, achieving maximum impact on confidentiality, integrity, and availability.

Code Injection RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Code Injection +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress PHP +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Tornado
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap Code Injection Qts +1
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap Code Injection Qts +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Atlassian Code Injection
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Move the conditional loading of hardware DR6 with the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Linux Code Injection Linux Kernel +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Kubernetes Gateway +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

The The Listingo theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Client Remote Code Execution V-2023-001. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Vasion Print +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Remote Code Execution V-2023-008. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Vasion Print +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

An issue in xxyopen novel plus v.4.4.0 and before allows a remote attacker to execute arbitrary code via the PageController.java file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Java +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Rack Red Hat +1
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via the X-Forwarded-For header in an HTTP GET request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Tripleplay
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated remote code execution vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary code via a specially crafted HTTP POST request. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Tripleplay
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ark Theme Core ark-core allows Code Injection.71.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 4.9
MEDIUM POC This Month

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Code Injection XSS +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Code Injection XSS +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was found in Incorta 2023.4.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Syspass
NVD GitHub
EPSS 11% CVSS 8.8
HIGH POC THREAT Act Now

GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.5%.

RCE Code Injection
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection
NVD GitHub
EPSS 0% CVSS 3.9
LOW PATCH Monitor

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. Rated low severity (CVSS 3.9), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Mongosh
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the autocompletion feature to input and run obfuscated. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Mongosh
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

In OPSWAT MetaDefender Kiosk before 4.7.0, arbitrary code execution can be performed by an attacker via the MD Kiosk Unlock Device feature for software encrypted USB drives. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The The Custom Post Type Date Archives plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.7.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection +2
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The The Show Me The Cookies plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection +2
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A vulnerability in the SecureROM of some Apple devices can be exploited by an unauthenticated local attacker to execute arbitrary code upon booting those devices. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Apple +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A Remote Code Execution (RCE) vulnerability in Loggrove v.1.0 allows a remote attacker to execute arbitrary code via the path parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Loggrove
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

There is a RCE vulnerability in Tenda AC6 15.03.05.16_multi. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Tenda Code Injection +1
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable.

RCE WordPress PHP +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection
NVD GitHub
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute arbitrary code and compromise the entire XWiki installation.

RCE Code Injection Xwiki
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Meeting Room Booking System
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Cinema Booking System
NVD
EPSS 0% CVSS 7.8
HIGH This Week

IBM Security Verify Access Appliance 10.0.0.0 through 10.0.0.9 and 11.0.0.0 could allow a local user to execute arbitrary code due to improper restrictions on code generation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE IBM Code Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

PHPJabbers Cleaning Business Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Cleaning Business Software
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

PHPJabbers Shared Asset Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Shared Asset Booking System
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

PHPJabbers Night Club Booking Software v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Night Club Booking Software
NVD
EPSS 0% CVSS 8.8
HIGH POC This Week

PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Bus Reservation System
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

PHPJabbers Restaurant Booking System v3.0 is vulnerable to Multiple HTML Injection in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key, title" parameters. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Restaurant Booking System
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SQL Injection vulnerability in Uniclare Student portal v.2 and before allows a remote attacker to execute arbitrary code via the Forgot Password function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection SQLi
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Restaurant Booking System
NVD
Prev Page 18 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy