Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 1% CVSS 9.4
CRITICAL Act Now

Dispatch's notification service uses Jinja templates to generate messages to users. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL Act Now

Elektra is an opinionated Openstack Dashboard for Operators and Consumers of Openstack Services. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Code Injection RCE Xwiki
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test:. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Linux Code Injection +2
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test:. Rated high severity (CVSS 7.0). This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Linux Code Injection +2
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The "reset password" login page accepted an HTML injection via URL parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Dotcms
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection E Staff
NVD GitHub
EPSS 35% CVSS 8.8
HIGH PATCH This Week

In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE +1
NVD
EPSS 1% CVSS 8.0
HIGH POC This Week

A vulnerability was discovered in Linksys Router E2500 with firmware 2.0.00, allows authenticated attackers to execute arbitrary code via the hnd_parentalctrl_unblock function. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Linksys RCE +1
NVD GitHub VulDB
EPSS 4% CVSS 8.8
HIGH POC PATCH This Week

OpenAM is an open access management solution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE
NVD GitHub Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL Act Now

All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the ‘eval’ function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability, which was classified as critical, has been found in Prain up to 1.3.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM This Month

A vulnerability was found in Flute CMS 0.2.2.4-alpha. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM This Month

A vulnerability was found in Flute CMS 0.2.2.4-alpha. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Flute
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM POC This Month

A vulnerability was found in DedeCMS 5.7.114. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

A vulnerability, which was classified as problematic, has been found in formtools.org Form Tools 3.1.1.php?page=accounts of the component Setting Handler. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router v21_D240126 was discovered to contain a remote code execution (RCE) vulnerability in the ntp_zone_val parameter at /goform/set_ntp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE D-Link +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

calculator-boilerplate v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the eval function at /routes/calculator.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Streampark
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Sonicwall +2
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Cooked is a recipe plugin for WordPress. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Cooked
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Apache RCE +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Code Injection Race Condition Google +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

JupyterLab extension template is a `copier` template for JupyterLab extensions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Jupyterlab
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

A formula injection vulnerability exists in Tenable Identity Exposure where an authenticated remote attacker with administrative privileges could manipulate application form fields in order to trick. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Identity Exposure
NVD
EPSS 0% CVSS 7.0
HIGH This Week

A flaw was found in the GTK library. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 9.4
CRITICAL Act Now

This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 2% CVSS 8.5
HIGH PATCH This Week

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval'. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Python RCE +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

PublicCMS v4.0.202302.e was discovered to contain a remote commande execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Publiccms
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

There is a remote code execution vulnerability in SeaCMS 12.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

SeaCMS 12.9 has a remote code execution vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in realmag777 WPCS allows Code Injection.2.0.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: don't unpoison huge_zero_folio When I did memory failure tests recently, below panic occurs: kernel BUG at. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Linux Linux Kernel
NVD
EPSS 1% CVSS 7.7
HIGH PATCH This Week

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Code Injection Juniper J Web +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE 14Finger
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

A mismatch between allocator and deallocator could have led to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +3
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.8.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Ninja Forms
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Code Injection.7.1. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Photo Gallery
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in WpDirectoryKit WP Directory Kit allows Code Injection.3.6. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Wp Directory Kit
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing.9.2. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress
NVD
EPSS 30% CVSS 9.8
CRITICAL Emergency

The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 30.3% and no vendor patch available.

WordPress PHP RCE +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Cloudstack
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Command Injection RCE +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked When requesting an NMI window, WARN on vNMI support being enabled. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Linux Linux Kernel
NVD
EPSS 1% CVSS 7.7
HIGH POC PATCH This Week

Gogs through 0.13.0 allows argument injection during the tagging of a new release. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Gogs
NVD GitHub
EPSS 17% CVSS 9.9
CRITICAL POC PATCH THREAT Act Now

Gogs through 0.13.0 allows argument injection during the previewing of changes. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Gogs
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Windriver +34
NVD
EPSS 75% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

GeoTools is an open source Java library that provides tools for geospatial data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Java RCE
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Gradio
NVD GitHub
EPSS 8% CVSS 7.5
HIGH POC This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Flowise
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

GeoServer is an open source server that allows users to share and edit geospatial data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Geoserver +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling.42.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Compass
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Denial Of Service
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Denial Of Service
NVD GitHub
EPSS 1% CVSS 2.0
LOW Monitor

In Helix ALM versions prior to 2024.2.0, a local command injection was identified. Rated low severity (CVSS 2.0). No vendor patch available.

Code Injection Command Injection RCE
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

HCL DRYiCE AEX product is impacted by lack of input validation vulnerability in a particular web application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Dryice Aex
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Command Injection RCE
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Java RCE
NVD
EPSS 0% CVSS 8.4
HIGH This Week

An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

A security vulnerability has been identified in HPE Athonet Mobile Core software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages When I did memory failure tests recently, below. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Linux Linux Kernel
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection WordPress PHP
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Java Datagear
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.26.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Wishlist Member
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.6.4.4 before 6.6.4.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD VulDB
EPSS 0% CVSS 3.3
LOW POC Monitor

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Lollms
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Emacs
NVD
EPSS 0% CVSS 8.8
HIGH This Week

IBM Security SOAR 51.0.2.0 could allow an authenticated user to execute malicious code loaded from a specially crafted script. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Code Injection RCE +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Google Linux +1
NVD
EPSS 1% CVSS 8.0
HIGH POC PATCH This Week

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Atlassian +1
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM This Month

SQL Injection vulnerability in H3C technology company SeaSQL DWS V2.0 allows a remote attacker to execute arbitrary code via a crafted file. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SQLi
NVD GitHub
EPSS 5% CVSS 5.3
MEDIUM POC This Month

An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE
NVD GitHub Exploit-DB
EPSS 1% CVSS 8.8
HIGH This Week

The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP WordPress +2
NVD GitHub
Prev Page 24 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy