Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 0% CVSS 7.3
HIGH This Week

Buffer Overflow vulnerability in Open Robotic Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Buffer Overflow vulnerability in Open Robotic Operating System 2 ROS2 navigation2- ROS2-humble&& navigation2-humble allows a local attacker to execute arbitrary code via a crafted .yaml file to the. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Buffer Overflow vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via a crafted. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2- ROS2-humble and navigation 2-humble allows a local attacker to execute arbitrary code via the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Robot Operating System
NVD GitHub
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Data Validation / Data Sanitization vulnerabilities in Linux allows unvalidated and unsanitized data to be injected in an Aspect device. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Abb Code Injection Aspect Ent 12 Firmware +18
NVD Exploit-DB
EPSS 2% CVSS 9.3
CRITICAL POC Act Now

Unauthorized Access vulnerabilities allow Remote Code Execution. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Code Injection Abb +20
NVD Exploit-DB
EPSS 3% CVSS 9.3
CRITICAL POC Act Now

Improper Input Validation vulnerability allows Remote Code Execution. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Abb RCE +19
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection WordPress
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

quic-go is an implementation of the QUIC protocol in Go. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection PHP Command Injection +2
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Rank Math SEO Rank Math SEO seo-by-rank-math allows Code Injection.0.231. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 44% CVSS 9.9
CRITICAL Act Now

The Widget Options - The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
EPSS 1% CVSS 7.8
HIGH This Week

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Emacs
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A SQL Injection vulnerability was found in /covid-tms/check_availability.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL Act Now

A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Iota C Ai
NVD
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

IBM Data Virtualization Manager for z/OS 1.1 and 1.2 could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Code Injection RCE +1
NVD
EPSS 1% CVSS 8.0
HIGH This Week

A Client-Side Template Injection (CSTI) vulnerability in the component /project/new/scrum of Taiga v 8.6.1 allows remote attackers to execute arbitrary code by injecting a malicious payload within. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Microsoft Code Injection +3
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

The The Request a Quote for WooCommerce and Elementor - Get a Quote Button - Product Enquiry Form Popup - Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries.

Code Injection
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection File Upload RCE
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Act Now

H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code execution (RCE) via the aspForm parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Gr 1800Ax Firmware
NVD
EPSS 0%
POC PATCH This Week

Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. Public exploit code available and no vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Infinity
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Prototype Pollution
NVD
EPSS 1% CVSS 7.3
HIGH PATCH This Week

The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress XSS +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE File Upload
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in Weaver E-cology v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE E Cology
NVD GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Week

The The WPB Popup for Contact Form 7 - Showing The Contact Form 7 Popup on Button Click - CF7 Popup plugin for WordPress is vulnerable to arbitrary shortcode execution via wpb_pcf_fire_contact_form. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

The The GamiPress - The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 8.2
HIGH This Week

The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

Insecure Permissions vulnerability in Micro-star International MSI Center Pro 2.1.37.0 allows a local attacker to execute arbitrary code via the Device_DeviceID.dat.bak file within the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Jpress until v5.1.1 has arbitrary file uploads on the windows platform, and the construction of non-standard file formats such as .jsp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Microsoft +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Nus M9 Erp
NVD GitHub
EPSS 1% CVSS 8.9
HIGH This Week

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Apache CSRF +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Code Injection Apache +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An issue was discovered in Veritas NetBackup before 10.5. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Microsoft +1
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The The Uix Slideshow plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.5. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

The The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Ultimaker Cura
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection. Rated high severity (CVSS 8.6), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Personnel Attendance Control Systems Access Control Security Systems
NVD VulDB
EPSS 1% CVSS 9.6
CRITICAL POC PATCH Act Now

Joplin is a free, open source note taking and to-do application. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Node.js +1
NVD GitHub
EPSS 2% CVSS 7.1
HIGH POC This Week

A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2.15.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Dom Iterator
NVD GitHub
EPSS 0% CVSS 8.0
HIGH This Week

An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Snipe It
NVD
EPSS 0% CVSS 7.3
HIGH This Week

A code injection vulnerability in the SecuSUITE Server Web Administration Portal of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially inject script commands or other. Rated high severity (CVSS 7.3). No vendor patch available.

Code Injection
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Fortinet Fortiproxy +1
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Siemens Ruggedcom Rm1224 Lte 4G Eu Firmware +25
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Python RCE
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The Ikhgur mn.ikhgur.khotoch (aka Video Downloader Pro & Browser) application through 1.0.42 for Android allows an attacker to execute arbitrary JavaScript code via the mn.ikhgur.khotoch.MainActivity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 1% CVSS 2.0
LOW Monitor

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The DS allvideo.downloader.browser (aka Fast Video Downloader: Browser) application through 1.6-RC1 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 2% CVSS 7.3
HIGH PATCH This Week

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

The The FOX - Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

The The Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SeaCms 13.1 is vulnerable to code injection in the notification module of the member message notification module in the backend user module, due to unsafe handling of the "notify" variable in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 83% CVSS 8.1
HIGH POC PATCH THREAT Act Now

A flaw was found in Moodle. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection RCE Moodle
NVD Exploit-DB
EPSS 0% CVSS 8.0
HIGH This Week

Authenticated Gaia users can inject code or commands by global variables through special HTTP requests. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Gaia Os
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

The Tickera - WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Langflow
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Agentscope
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A Host header injection vulnerability in Agile-Board 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Agile Board
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Qualitor
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Eladmin
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Vigor3900 Firmware
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE
NVD
EPSS 1% CVSS 7.3
HIGH This Week

The The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability was found in wuzhicms 4.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Express
NVD HeroDevs
EPSS 1% CVSS 9.3
CRITICAL Act Now

ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Servicenow
NVD
EPSS 92% 6.3 CVSS 10.0
CRITICAL POC THREAT Emergency

Remote code execution in the WP Query Console WordPress plugin (versions up to and including 1.0) by Ajit Bohra allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. The CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, and publicly available exploit code combined with an EPSS of 91.90% (100th percentile) indicates very high likelihood of opportunistic exploitation, though the vulnerability is not yet listed in CISA KEV.

Code Injection RCE
NVD GitHub VulDB
EPSS 57% CVSS 8.3
HIGH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart scottcart allows Code Injection.1. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 56.8% and no vendor patch available.

Code Injection RCE
NVD VulDB
EPSS 53% CVSS 7.3
HIGH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Code Injection.3.3.4. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 52.5% and no vendor patch available.

Code Injection RCE
NVD VulDB
EPSS 3% CVSS 7.2
HIGH This Week

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 7.3
HIGH POC This Week

The The Uix Shortcodes - Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD
Prev Page 21 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy