Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4831)

CVSS 4.8
MEDIUM PATCH This Month

Prototype pollution in @hey-api/openapi-ts affects all versions through 0.97.2, allowing remote unauthenticated attackers to substitute the prototype chain of the returned params slot object by passing a crafted key such as '$query___proto__' through any application that forwards user-supplied parameters to a generated SDK method. The flaw resides in a runtime template (dist/clients/core/params.ts) that is copied verbatim into every generated SDK, meaning every downstream npm package regenerated from this tool carries the vulnerable code - confirmed affected consumers include @opencode-ai/sdk and @trigger.dev/sdk. A functional proof-of-concept is publicly available; exploitation is not confirmed as actively exploited and is absent from CISA KEV.

Node.js Docker Code Injection +1
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. Java applications sharing a single AHC instance - and therefore its default shared CookieStore - across calls to both attacker-influenced and trusted hosts are the primary attack surface; no public exploit has been identified at time of analysis, and vendor-released fixes are available in 2.16.0 and 3.0.11.

Code Injection Java Async Http Client
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

Log injection in Elastic Kibana (fixed in 7.17.15 and 8.11.1) allows an attacker with low-privilege access to embed unneutralized control characters in input that Kibana writes verbatim to its log files; when an operator later views those logs in a terminal that interprets ANSI/control sequences, the injected payload can forge, hide, or rewrite displayed log content. The issue is tracked as CWE-117 (Improper Output Neutralization for Logs) and carries a vendor CVSS of 8.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Elastic Kibana
NVD VulDB
EPSS 1% CVSS 7.7
HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker plant a shell script in writable JFFS2 persistent storage and invoke it via popen() through the authenticated Anyka config HTTP endpoint, yielding reboot-surviving persistent RCE. Publicly available exploit code exists (published by VulnCheck), though there is no confirmed active exploitation in CISA KEV. The CVSS 4.0 score of 7.7 reflects high attack complexity offset by full compromise of confidentiality, integrity, and availability.

Code Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
EPSS 0%
NONE PATCH Awaiting Data

Code injection in the Wikimedia Foundation Timeline extension (EasyTimeline) allows authenticated wiki editors to execute arbitrary server-side code via crafted timeline syntax processed by the Perl-based EasyTimeline.Pl script and its PHP integration layer Timeline.Php. The vulnerability stems from CWE-94 improper code generation control, where user-supplied timeline markup is passed to the backend Perl interpreter without sufficient sanitization, enabling remote code execution on the MediaWiki server. No public exploit code has been identified at time of analysis, but the RCE tag and network-accessible attack vector make this a high-priority patching target for any publicly editable or semi-public MediaWiki instance.

Code Injection PHP RCE +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of untrusted data in NVIDIA Megatron Bridge for Linux allows a low-privileged local attacker to achieve code execution, privilege escalation, data tampering, and information disclosure. Megatron Bridge is NVIDIA's model-interoperability tooling used to convert and load large-language-model checkpoints in the Megatron/PyTorch training stack, where unsafe object deserialization (CWE-94) lets attacker-controlled serialized data run arbitrary code in the process context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS 7.8 (High) rating with full C/I/A impact makes it a meaningful risk on shared or multi-tenant ML infrastructure.

Deserialization Code Injection Nvidia +3
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in NVIDIA Megatron Bridge for Linux stems from improper control of code generation (CWE-94), allowing an attacker who convinces a user to process a malicious artifact to run code in the context of the training/inference workload. Successful exploitation can escalate privileges, tamper with data, and disclose information. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the CVSS 3.1 vector (AV:L/UI:R) indicates local access with user interaction is required.

Code Injection Nvidia Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome before 150.0.7871.47 enables remote attackers to inject arbitrary scripts or HTML across security origins by serving a crafted HTML page to a victim user. The flaw stems from insufficient input validation in Chrome's HTML handling (CWE-20), and its Scope:Changed CVSS metric confirms the core danger: injected scripts escape the attacker-controlled origin and execute in the context of other web origins, undermining the browser's same-origin policy. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS stands at 0.18% (8th percentile), consistent with the vendor's own 'Low' Chromium severity classification despite a NVD CVSS score of 6.1.

Code Injection Google Suse
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to inject arbitrary scripts or HTML across origins by exploiting insufficient input validation triggered through specific user UI gestures on a crafted page. The scope change (S:C in CVSS) is the critical dimension here - successful exploitation bypasses the same-origin policy, potentially granting the attacker script execution in the context of arbitrary origins within the browser session. No public exploit code has been identified and EPSS sits at just 0.20% (11th percentile), indicating low observed exploitation activity despite the high-impact class of vulnerability.

Code Injection Apple Google +1
NVD VulDB
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code to the /execute_js endpoint, which runs it inside the server's Chromium browser context launched with --disable-web-security. Because the browser's same-origin and CORS protections are disabled, attacker-controlled JavaScript can pivot into server-side request forgery against internal services and metadata endpoints. No public exploit has been identified at time of analysis, and the CVSS 4.0 base score is 9.2 (critical), though the vector's high attack complexity and present attack requirements indicate exploitation is not fully trivial.

Code Injection SSRF Docker +2
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in txtai through 9.10.0 lets a remote attacker reach the API /reindex endpoint and supply an arbitrary dotted callable (for example subprocess.getoutput) that the server imports and invokes during reindexing, running commands as the server process. The flaw is exploitable only when the API is network-exposed with no TOKEN set (so all endpoints are unauthenticated) and the index is writable - not the default posture. No public exploit has been identified at time of analysis, but the issue carries a high CVSS 4.0 base score of 9.3 and was reported by VulnCheck.

Code Injection RCE Txtai
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary Python via the flow `tool_code` mechanism, gaining full control of the Langflow process. Because the scope changes (S:C), the attacker can read every process secret, read and tamper with all flows, conversations, messages, uploads and saved components in the database, reach internal services and cloud metadata endpoints, and pivot across tenants on the same instance. This is a maximum-severity (CVSS 10.0) flaw, though no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection IBM File Upload +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 lets unauthenticated network attackers run arbitrary code by abusing improper handling of the pre-authentication DRDA handshake. Because the flaw is reachable before any login, any client able to reach the database listener can trigger it, and the CVSS 3.1 base score of 9.8 reflects full compromise of confidentiality, integrity, and availability. No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV.

Code Injection IBM RCE +1
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. No public exploit identified at time of analysis, but a vendor patch is available.

Code Injection IBM RCE +1
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.

Code Injection Python Java +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

Code injection via malicious project files in Mendix Studio Pro 10.11 through 11.11 allows arbitrary code execution on a developer's workstation when a victim opens and runs a specially crafted project through the build pipeline. Siemens' own ProductCERT (SSA-779310) reported this flaw, classifying it under CWE-94, with patches available only for the 10.24 and 11.6 long-term support lines. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the breadth of affected versions - spanning the entire 10.x and 11.x release trees - means most active Mendix developer environments are exposed.

Code Injection RCE Mendix Studio Pro 10 11 +25
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in LLaMA-Factory through version 0.9.5 allows attackers who can reach the Gradio WebUI to run arbitrary Python by entering a malicious model path in the Chat or Training interfaces. Because the app forwards unvalidated user input into Hugging Face's AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True, a referenced repository's custom modeling code executes with the server process's privileges. Publicly available exploit code exists (a proof-of-concept gist plus a VulnCheck advisory), though it is not listed in CISA KEV and no in-the-wild abuse is documented in the available data.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). No public exploit has been identified at time of analysis, but the attack is straightforward and high-impact (CVSS 8.8) given that it executes with the victim's local privileges; exploitation hinges on the victim running the bundling/deployment workflow against malicious content.

Code Injection Python RCE +1
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Remote code execution in Alexantr filemanager v1.0 lets remote attackers run arbitrary code through the filemanager.php component, mapped to CWE-94 (code injection). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw requiring no authentication or user interaction, and publicly available exploit code exists (GitHub POC by SLO-CYBER-SEC). SSVC rates exploitation as proof-of-concept with total technical impact and automatable=yes, but it is not on CISA KEV and no EPSS score was provided.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.

Code Injection Java RCE +3
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH This Week

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.

Code Injection Freebsd
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers fully compromise the host. The REST API authentication filter treats any request path ending in /configs as the public instance-config endpoint, so an attacker appending the literal segment configs (e.g. to flow-create or execution-trigger routes) bypasses Basic-Auth, creates a flow with a Shell/Process task, and executes commands as root inside the container; with the default docker-compose mounting /var/run/docker.sock, this pivots to the host Docker daemon. No public exploit identified at time of analysis, but the technique is fully described in the vendor advisory and is trivially reproducible.

Code Injection Docker RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Spurious WARN_ON_ONCE calls in the Linux kernel's blk-wbt subsystem trigger unnecessary kernel warnings and stack traces under expected failure conditions - memory pressure or a pre-registered writeback throttle. Local low-privileged users can provoke this via ioctl(BLKPG) during MTD partition creation under memory-constrained conditions, generating noise in kernel logs and, on panic_on_warn-enabled kernels, potentially causing a system crash. No public exploit exists and the EPSS score of 0.14% (4th percentile) places this firmly in the low-priority tier; it has not been added to CISA KEV.

Code Injection Linux
NVD
CVSS 9.9
CRITICAL POC PATCH Act Now

Container-to-host filesystem escape in Incus before 7.2.0 lets a user who can import images and create instances read and write arbitrary files on the host as root. A malicious image carrying a duplicate top-level 'rootfs' symlink (rootfs -> /) passes image validation, and the stopped-container file API later chroots into that symlinked path via forkfile, exposing the host root filesystem through 'incus file pull/push'. A working proof-of-concept is published in the GitHub Security Advisory (GHSA-2q3f-q5pq-g8wv); publicly available exploit code exists, but there is no public exploit identified beyond the PoC and the CVE is not in CISA KEV.

Code Injection
NVD GitHub
HIGH PATCH This Week

Pre-authentication login bypass in OpenAM Community Edition through 16.0.6 lets an unauthenticated remote attacker mint a valid OpenAM session for an arbitrary user without supplying a password. The MSISDN authentication module concatenates a request-supplied MSISDN value directly into an LDAP search filter (CWE-90), and because the default trusted-gateway list permits all traffic, any realm with an MSISDN module in its authentication chain is reachable and exploitable. No public exploit identified at time of analysis, and the issue is fixed in version 16.1.1.

Code Injection LDAP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

RESP protocol injection in Dragonfly's EvalSerializer allows an authenticated low-privilege user to embed raw CRLF sequences inside Lua redis.error_reply() and redis.status_reply() return values, causing response stream desynchronization for connection-pool clients. All Dragonfly releases prior to 1.39.9 are affected; the vulnerability is confirmed fixed in 1.39.9 per GitHub security advisory GHSA-h77h-c6hc-qc9h. No public exploit has been identified at time of analysis, and exploitation requires authenticated access plus a connection-pooling client architecture, substantially limiting real-world risk.

Code Injection Redis Dragonfly
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.

Code Injection Information Disclosure Docker +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was provided in the source data.

Code Injection RCE
NVD VulDB
EPSS 0% CVSS 3.5
LOW Monitor

Markdown image rendering restrictions in Mattermost are bypassed specifically for AI bot tool result posts, enabling authenticated attackers to exfiltrate data to attacker-controlled infrastructure. Affected are Mattermost versions 10.11.x through 10.11.18, 11.5.x through 11.5.6, and 11.6.x through 11.6.3. When a victim's client renders an AI bot tool result post containing injected markdown image syntax, the client issues an outbound request to the attacker's server, leaking request metadata such as session tokens or channel context. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Code Injection Mattermost Mattermost Server
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated code injection (CWE-94) in Trellix Network Security appliances (NX, EX, FX, AX, and CMS/Central Management) lets a logged-in administrator run arbitrary commands by abusing how the web UI renders Alert artifact details. The flaw requires existing high-privilege admin access on an adjacent network rather than remote anonymous access, so it functions primarily as a privilege/trust-boundary escape rather than a mass-exploitable internet-facing bug. The CVSS 4.0 maturity flag (E:P) indicates proof-of-concept exploit material exists, but the issue is not listed in CISA KEV and shows no confirmed active exploitation.

Code Injection RCE Trellix Network Security Nx Ex Fx Ax And Cms
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Adserver
NVD
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

JSON injection in Bitwarden Server's IntegrationTemplateProcessor.ReplaceTokens() allows authenticated organization members to corrupt event-integration payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints. Any organization running Bitwarden Server prior to 2026.5.0 that has configured event integrations referencing user-controlled tokens such as #ActingUserName# or #UserName# is exposed. A public proof-of-concept exists per VulnCheck and independent researcher disclosure; exploitation is constrained by authentication and specific integration-configuration prerequisites, reflected in the low CVSS 4.0 score of 2.3.

Code Injection Server
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Stored code injection in ToolJet self-hosted (prior to 3.20.178-lts) lets any authenticated builder-role user - available on the free tier - overwrite a globally-shared marketplace plugin with arbitrary JavaScript that runs server-side with full Node.js capabilities (require, process). Because the poisoned plugin executes whenever any user on the instance runs a query that uses it, a single low-privileged account achieves remote code execution and an instance-wide supply-chain compromise. The flaw carries a CVSS 4.0 score of 9.4; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Node.js RCE +1
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.

Code Injection Python RCE +2
NVD GitHub
EPSS 0% CVSS 8.5
HIGH This Week

Remote code execution in the Post Snippets WordPress plugin (versions 4.0.19 and earlier) lets an authenticated user with only Contributor-level privileges inject and execute arbitrary PHP/code on the server via the plugin's snippet-handling functionality (CWE-94). Because a low-privilege role can pivot to full server compromise with a scope change (S:C), this is a privilege-escalation-to-RCE flaw reported by Patchstack; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Code Injection RCE Post Snippets
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Code injection in the Widget Options WordPress plugin (versions <= 4.2.3, by marketingfire) allows authenticated users holding the low-privileged Contributor role to achieve remote code execution on the host. Because exploitation only requires a Contributor account - a role frequently granted on multi-author and membership sites - an attacker who can register or compromise such an account can run arbitrary PHP and fully take over the site. There is no public exploit identified at time of analysis, but the 9.9 CVSS and CWE-94 classification place this at the most severe end of WordPress plugin flaws.

Code Injection RCE Widget Options
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Local privilege escalation / host compromise risk in the Linux kernel arm64 KVM subsystem arises because __kvm_at_s12() (AT instruction emulation) and __kvm_find_s1_desc_level() invoke the stage-1/nested stage-2 page-table walkers walk_s1() and kvm_walk_nested_s2() without holding kvm->srcu, which those walkers require to guard against concurrent memslot changes. A malicious or compromised guest on an affected arm64 host can race memslot updates against these walks, with CVSS scoring confidentiality, integrity and availability all High under a changed scope (host impact). It is patched in stable trees, EPSS is low (0.17%), and there is no public exploit identified at time of analysis.

Code Injection Linux
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content injection in GitLab CE/EE via improper Snippet input validation permits authenticated low-privilege users to conceal arbitrary content within Snippets, affecting all versions from 14.8 through 19.1.0. Despite being tagged as Code Injection (CWE-94) with RCE in vendor-supplied tags, the published CVSS score of 4.3 with only low integrity impact (I:L) indicates the vendor-confirmed impact is scoped to content concealment rather than full remote code execution. Patches are available in versions 18.11.6, 19.0.3, and 19.1.1; no public exploit and no CISA KEV listing have been identified at time of analysis.

Code Injection Gitlab RCE
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-impacting memory corruption in the Linux kernel's Intel ice network driver allows a double-free of a transmit buffer's skb when the TX offload paths fail. When ice_tso() or ice_tx_csum() return an error, ice_xmit_frame_ring() frees the skb but leaves the 'first' tx_buf still marked ICE_TX_BUF_SKB, so a later ice_clean_tx_ring() during interface teardown frees the same skb a second time. Carries a CVSS 3.1 base of 7.8 (AV:L/PR:L), but with a low EPSS of 0.15% (5th percentile), no KEV listing, and no public exploit identified at time of analysis.

Code Injection Linux Intel
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in the Linux kernel arises from a SOFTIRQ-safe to SOFTIRQ-unsafe lock-ordering deadlock in the fasync signaling path (fs/fcntl), where send_sigio() and send_sigurg() take read_lock(&tasklist_lock) from softirq context while traversing a process group (PIDTYPE_PGID). When this collides with a writer spinning on tasklist_lock during fork()/exit(), the CPU can deadlock and hang. The flaw is reachable remotely via TCP URG packets (send_sigurg through NET_RX_SOFTIRQ), affects multiple stable branches, and is fixed by switching the traversal to RCU. There is no public exploit identified at time of analysis and EPSS is low (0.18%).

Code Injection Linux
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. No public exploit code or active exploitation has been identified; SSVC rates it non-automatable with partial technical impact.

Code Injection LDAP Jenkins +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection WordPress PHP +2
NVD
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Detection bypass in picklescan before 0.0.29 allows malicious pickle files to evade scanning by abusing the undetected idlelib.calltip.Calltip.fetch_tip function, enabling arbitrary code execution when the file is later loaded via pickle.load(). Affects ML supply chains relying on picklescan to vet PyTorch models; publicly available exploit code exists in the GHSA advisory, but no public exploit identified in active campaigns at time of analysis.

Code Injection RCE Picklescan
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Arbitrary file write in TortoiseGit's TortoiseGitBlame component is triggered when a user opens a malicious git repository and invokes blame history on a file whose historical filenames contain argument injection payloads. The injected arguments are passed unsanitized to underlying git subprocess calls, allowing an attacker-controlled repository to write files to arbitrary paths on the victim's Windows filesystem. No public exploit has been identified at time of analysis, and no KEV listing exists; however, a fix commit is available upstream.

Code Injection Tortoisegit
NVD VulDB
EPSS 0% CVSS 7.9
HIGH This Week

Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.

Code Injection Microsoft Upkeeper Instant Privilege Access
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in the Linux kernel's netfilter NFQUEUE subsystem affects bridge LOCAL_IN packet handling, where br_pass_frame_up() rewrites skb->dev to the bridge master before queuing without holding a reference on that device. A local attacker who can influence queued bridge traffic and trigger bridge teardown (NETDEV_DOWN) can cause the kernel to re-enter the receive path with a freed bridge master device, yielding a use-after-free with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Code Injection Linux Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).

WordPress Code Injection PHP +1
NVD WPScan VulDB
EPSS 0% CVSS 8.9
HIGH This Week

Trusted measurement-list poisoning in Google go-attestation through 0.6.0 lets a remote actor who controls a TPM event log fed to an attestation verifier inject arbitrary SHA256 hashes into the verifier's trusted hash database. Because parseEfiSignatureList() never advances past the EFI_SIGNATURE_LIST SignatureHeaderSize vendor bytes, those attacker-chosen bytes are accepted as legitimate hash entries, allowing a compromised boot state to be attested as healthy. No public exploit identified at time of analysis, but the fix is upstream in v0.6.1 and the root cause is documented in GHSA-9r4w-jg96-92mv.

Google Code Injection Go Attestation
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant data injection in the Snipe-IT Accessories API (versions <= 8.6.1) lets a low-privileged authenticated user in one company write persistent accessory records into another company's inventory by supplying a foreign company_id in the API request body. The flaw only manifests when Full Multiple Companies Support (FMCS) is enabled, and it breaks tenant isolation because the API store/update path mass-assigns company_id without the enforcement the web UI applies. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the fix and a regression test are publicly visible in the vendor commit, making the mechanism easy to reproduce.

Code Injection
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via configparser.write() to smuggle arbitrary keys and values into the resulting INI-style configuration file by embedding carriage return (\r) characters. All CPython versions are listed as affected per the NVD CPE wildcard, and any Python application that writes attacker-influenced data to config files via configparser is a candidate target. No public exploit has been identified at time of analysis; CVSS 4.0 scores this at 4.1 (Medium) with high privilege requirements and specific attack conditions.

Code Injection Cpython Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to embed arbitrary PHP into the compiledlimitations database field via the logical parameter of delivery limitations, with execution occurring later during banner delivery. The flaw is exploitable over the network with low complexity and yields full confidentiality, integrity, and availability impact (CVSS 8.8), though no public exploit identified at time of analysis.

PHP RCE Code Injection +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpected parameter into the delivery limitations save flow, planting attacker-controlled PHP into the compiledlimitations field that is then evaluated when banners are served. With CVSS 8.8 and a CWE-94 root cause, successful exploitation yields full code execution under the web/ad-delivery process, though there is no public exploit identified at time of analysis and the vulnerability is not in CISA KEV.

PHP RCE Code Injection +1
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Missing cookie name validation on the write path in Hono's setCookie(), serialize(), and serializeSigned() functions allows user-controlled input containing CRLF control characters to produce malformed Set-Cookie headers. Affected are all Hono npm releases before 4.12.12. In practice, modern runtimes including Node.js and Cloudflare Workers reject the malformed headers before they are transmitted, meaning confirmed impact is availability loss (runtime errors crashing the response) rather than header injection or response splitting - though theoretical risk exists on less-strict runtimes. No active exploitation is confirmed, and no public exploit code has been identified.

Code Injection Node.js Hono
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.

RCE Code Injection Expr Eval
NVD GitHub VulDB
CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in XWiki Pro Macros (com.xwiki.pro:xwiki-pro-macros) versions >=1.13 and <1.14.5 allows any authenticated user with page-edit rights to execute arbitrary Groovy code via the excerpt-include macro, which fails to escape the included page's title and renders excerpt content with the macro's elevated rights. A working proof-of-concept is published in the GHSA advisory demonstrating injection through both a crafted page title and excerpt body. No public exploit identified at time of analysis as actively used, but the publicly available exploit code exists in the advisory itself.

Atlassian RCE Code Injection
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.

RCE Python Apple +2
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in Autodesk Fusion Desktop's MCP (Model Context Protocol) extension allows attackers to execute arbitrary code with current user privileges when a victim visits a malicious webpage while Fusion is running with the MCP extension enabled. The flaw is rated CVSS 9.6 (Critical) due to its network-reachable nature and scope change, though successful exploitation requires user interaction (visiting a crafted page) and the non-default MCP extension being enabled. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

RCE Code Injection Fusion
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution and denial of service in IBM WebSphere Application Server and WebSphere Application Server Liberty (including IBM i 7.3-7.6) occurs when the WebServer Plug-in component is deployed with Intelligent Management enabled. An attacker who can impersonate a backend application server and return crafted responses can trigger code injection (CWE-94) against the plug-in, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS 0.38% and SSVC exploitation 'none' indicate no observed weaponization despite the 9.8 CVSS rating.

RCE IBM Denial Of Service +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution and denial of service in the IBM WebSphere Web Server Plug-in shipped with IBM i 7.3, 7.4, 7.5, and 7.6 (through 1.8.4) allows an attacker positioned on the adjacent network to abuse the plug-in's handling of responses from an upstream WebSphere Application Server. By impersonating the application server and returning crafted responses, the attacker can trigger code injection (CWE-94) against the plug-in, leading to full compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and EPSS is low (0.25%), but SSVC rates the technical impact as total.

RCE IBM Denial Of Service +1
NVD VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.

Code Injection IBM Python +3
NVD VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

Google Code Injection Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configuration to write attacker-controlled content to a PHP file under the webroot, yielding code execution as the web server user. No public exploit identified at time of analysis, but a vendor patch is available via the MISP GitHub repository.

RCE PHP Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Metric injection in the Perl module Net::Statsite::Client through version 1.1.0 allows attackers controlling metric names or values to inject arbitrary statsite protocol commands by smuggling newlines, colons, and pipe characters that the library fails to sanitize. The flaw maps to CWE-93 (CRLF Injection) and affects any application that forwards untrusted input into metric reporting. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Code Injection Net
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Formula injection in Venueless Excel exports allows an attacker with a low-privilege account to embed malicious spreadsheet formulas into user-supplied data fields, which execute when an administrator opens the generated export file. Affected deployments include all versions of Venueless (pretix) as indicated by the wildcard CPE entry. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low attack complexity and the availability of a GitHub security advisory signal a credible, reproducible attack path against administrative workflows.

Code Injection Venueless
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Central Dogma LDAP +1
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Code injection in langflow's Bundle URL Loader component allows local attackers with low privileges to inject and execute arbitrary code within the langflow process across versions 1.9.0 through 1.9.3. A publicly available proof-of-concept demonstrating startup-time RCE via maliciously crafted bundle URLs has been published by the researcher, though the CVSS 4.0 vector (VC:L/VI:L/VA:L) rates impact as low - a discrepancy with the RCE claim in the PoC that warrants independent verification. No vendor-released patch is available; the vendor did not respond to the researcher's disclosure.

Code Injection Langflow
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authenticated remote code execution in Craft CMS versions 5.5.0 through 5.9.13 allows admin users to execute arbitrary PHP by injecting Yii2 event handlers via the fieldLayoutConfig POST parameter to FieldsController::actionRenderCardPreview(). The flaw stems from missing Component::cleanseConfig() sanitization, enabling disclosure of environment variables including database credentials and CRAFT_SECURITY_KEY. No public exploit identified at time of analysis, though VulnCheck has published a detailed advisory describing the attack technique.

Code Injection RCE PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

SQL injection via improperly escaped MySQL table names in Apache NiFi's CaptureChangeMySQL Processor (versions 1.2.0 through 2.9.0) allows an attacker with MySQL CREATE TABLE access in a monitored database to inject arbitrary SQL commands executed under NiFi's MySQL service credentials. A partial mitigation introduced in 1.8.0 added manual quoted boundaries that narrowed - but did not eliminate - the injection surface; the root flaw persisted for years until full remediation in 2.10.0. No public exploit identified at time of analysis and not listed in CISA KEV; the issue was discovered by Roberto Suggi Liverani of the NATO Cyber Security Centre (NCSC) and disclosed in April 2026.

Apache Code Injection Nifi
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a `--` separator or validation, letting attackers smuggle flags such as `--upload-pack` to execute external programs. No public exploit identified at time of analysis, but the bug was reported via huntr and is particularly dangerous for multi-tenant work pools where worker compromise crosses trust boundaries.

RCE Code Injection Prefecthq Prefect
NVD VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Denial Of Service +2
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE WordPress +2
NVD Exploit-DB VulDB
CVSS 6.8
MEDIUM PATCH This Month

LDAP injection in OpenBao versions 0.1.0 through 2.5.4 allows an attacker with a valid low-privileged LDAP account to impersonate arbitrary directory users, including administrators, by supplying filter metacharacters in the username field at login. The root cause is a function selection error in `sdk/helper/ldaputil/client.go`: `EscapeLDAPValue()` (RFC 4514, DN escaping) is used in LDAP filter construction instead of `ldap.EscapeFilter()` (RFC 4515), leaving characters `*`, `(`, `)`, `\`, and NUL unescaped and injectable. Publicly available exploit code exists in the vendor advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

LDAP Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Code injection in @tinacms/cli versions prior to 2.4.3 allows an attacker who controls a Forestry-style project to achieve remote code execution on a developer's workstation when the `tinacms init` Forestry migration runs and the developer subsequently executes `tinacms dev` or `tinacms build`. The `addVariablesToCode` helper unquotes any value matching the marker `__TINA_INTERNAL__:::(.*?):::` placed in a stringified collection JSON, and user-supplied `label`/`name` fields from `.forestry/**/*.yml` are inserted into that JSON without sanitisation, yielding a top-level IIFE in the generated `tina/templates.ts`. A detailed end-to-end PoC is published in the GHSA-4936-9hrh-qqpw advisory; no public exploit identified at time of analysis beyond the disclosure PoC, and the CVE is not in CISA KEV.

Node.js Microsoft Code Injection +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. No public exploit identified at time of analysis, but the integrity impact is severe because injected fragments like '|| true' can neutralize permit/forbid logic in fine-grained authorization decisions.

Code Injection Java RCE
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Cookie domain validation in guzzlehttp/guzzle before 7.12.1 allows cross-origin cookie injection when a shared CookieJar contacts both attacker-controlled and trusted hosts. The flaw stems from SetCookie::matchesDomain() normalizing dot-only Domain values (e.g., 'Domain=.', 'Domain=..') to an empty string, while SetCookie::validate() only rejected strictly empty domains - meaning normalized-empty domains were stored and silently treated as matching every request host. Any application using new Client(['cookies' => true]) or an explicit shared CookieJar that requests data from an attacker-reachable origin is exposed to session fixation or cookie injection against unrelated downstream services. No public exploit or CISA KEV listing has been identified at time of analysis.

Code Injection
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

CRLF injection in guzzlehttp/psr7 (all versions prior to 2.12.1) enables header injection, response splitting, request smuggling, or cache poisoning when attacker-controlled data reaches the HTTP start-line fields - request method, protocol version, or response reason phrase - and the resulting PSR-7 object is serialized to raw HTTP/1.x. The vulnerability is confined to the serialization pathway: standard Guzzle HTTP client usage is explicitly not affected, but proxies, crawlers, webhook delivery systems, and custom transports that call `Message::toString()`, `Message::parseRequest()`, or `Message::parseResponse()` and re-emit the raw bytes are at direct risk. No public exploit has been identified at time of analysis, and the vendor has released a confirmed patch in version 2.12.1.

Code Injection
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

Local privilege escalation in Avast Antivirus 25.11 allows non-privileged Windows users to execute arbitrary code as SYSTEM by abusing an unquoted service path in the SecureLine service. Publicly available exploit code exists (Exploit-DB 52510), and the issue was reported by VulnCheck; no public exploit identified at time of analysis indicates wider active exploitation, but the low-complexity local vector makes this attractive for post-compromise escalation.

Code Injection Avast Antivirus
NVD Exploit-DB VulDB
EPSS 1% CVSS 9.4
CRITICAL PATCH Act Now

{token}_{clusterId}.yaml. CVSS 4.0 rates this 9.4 (Critical) with a scope-changing impact on subsequent systems, but no public exploit was identified at time of analysis and it is not listed in CISA KEV. Reported by SUSE through GitHub Security Advisory GHSA-mhc6-2gfq-xx62.

Command Injection Code Injection Rancher +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Environment variable injection in pam_usb prior to version 0.9.2 allows a local authenticated user to bypass hardware USB token authentication by manipulating the XRDP_SESSION, DISPLAY, or TMUX environment variables before invoking setuid binaries such as sudo or su. Because the PAM module calls standard getenv() - which does not sanitize values in privileged contexts - attacker-controlled environment data is used to determine whether the current session is local or remote, potentially defeating the core purpose of hardware-enforced authentication. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the authentication bypass impact makes this a high-priority upgrade for any deployment relying on pam_usb for privileged command gating.

Code Injection Pam Usb
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.

Kubernetes Java Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Code Injection Eclipse Theia
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. The flaw is reported by the Eclipse Foundation and fixed in version 1.71.0.

Code Injection Eclipse Theia
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{signal} for abort support), the polluted prototype value flows into worker_threads.Worker and the attacker's exported function is invoked with every legitimate caller's task data. Publicly available exploit code exists (full PoC in the GHSA advisory), but no public exploit identified at time of analysis as in-the-wild abuse and the CVE is not in CISA KEV.

Code Injection RCE Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or modify NginxProxy Custom Resource Definitions to inject arbitrary NGINX directives into generated configuration files via the unsanitized access log format setting. The flaw resides in the control plane configuration generator and affects deployments using NGINX Plus or NGINX Open Source as the data plane. There is no public exploit identified at time of analysis, and CVSS 4.0 rates the impact at 8.6 (High) driven by high confidentiality and integrity loss on the vulnerable system.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Out-of-band data exfiltration in Claude Code (npm/@anthropic-ai/claude-code versions 0.2.54 through 2.1.162) allows a prompt-injection attacker to silently exfiltrate files, environment variables, and command output by exploiting a pre-approved bare hostname bypass in the WebFetch tool. Because huggingface.co was whitelisted at the hostname level only, any path on that domain - including attacker-controlled model repository paths - was auto-approved without triggering a permission prompt and without being constrained by --allowedTools restrictions. The prerequisite is the ability to inject untrusted content into a Claude Code context window (e.g., via a malicious README, dependency file, or data file read during a session); no public exploit code has been identified at time of analysis, and the vulnerability has been patched in version 2.1.163.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Response queue poisoning in Undici's HTTP/1.1 client allows an attacker-controlled or compromised upstream server to inject unsolicited HTTP responses onto idle keep-alive sockets, causing subsequent outbound requests to receive falsified responses. All Undici versions across the v6, v7, and v8 branches prior to the patched releases are affected when keep-alive connection reuse is active (the default). While the CVSS score is low (3.7) and no public exploit or KEV listing exists, the integrity impact can carry significant business logic consequences in applications that proxy requests through third-party or partially trusted upstream servers.

Code Injection Undici
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Scanner evasion in picklescan versions prior to 1.0.3 lets an attacker smuggle malicious PyTorch pickle payloads past the scan_pytorch detection routine and gain arbitrary code execution when the model is later loaded with torch.load(). The bypass exploits a parser-differential between picklescan's pickletools.genops()-based magic-number extraction and PyTorch's pickle_module.load(), allowing a __reduce__(eval, ('MAGIC_NUMBER',)) trick to produce files that scan as clean but still deserialize correctly. A detailed proof-of-concept is published in the GHSA advisory and the VulnCheck writeup; no CISA KEV listing or EPSS score was supplied in the input.

Code Injection RCE Picklescan
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Configuration injection in F5 NGINX Gateway Fabric lets an authenticated Kubernetes user who can create or modify NginxProxy or AuthenticationFilter Custom Resources inject arbitrary NGINX directives into generated data-plane configuration. The flaw lives in the control-plane config generator, which renders the serverTokens and extraAuthArgs fields into NGINX templates without escaping, so any tenant holding RBAC rights over these CRDs can rewrite the NGINX Plus config that gets deployed. There is no public exploit identified at time of analysis and EPSS is low (0.36%), but SSVC rates the technical impact as total.

Nginx Code Injection Nginx Gateway Fabric
NVD VulDB
Prev Page 2 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4831

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy