Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4849)

EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE WordPress +1
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

The FOX - Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection WordPress
NVD
EPSS 1% CVSS 7.7
HIGH This Week

An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue in phiola/src/afilter/pcm_convert.h:513 of phiola v2.0-rc22 allows a remote attacker to execute arbitrary code via the a crafted .wav file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Phiola
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC This Month

An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the add_post.php component. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

IBM WebSphere Automation 1.7.0 could allow an attacker with privileged access to the network to conduct a CSV injection. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Code Injection Websphere Automation
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Certain HP software packages (SoftPaqs) are potentially vulnerable to arbitrary code execution when the SoftPaq configuration file has been modified after extraction. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

Code Injection HP RCE +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic verify_blkaddr() will trigger panic once we inject fault into. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Linux Linux Kernel
NVD
EPSS 1% CVSS 7.1
HIGH POC This Week

An issue in onethink v.1.1 allows a remote attacker to execute arbitrary code via a crafted script to the AddonsController.class.php component. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue in Ecommerce-CodeIgniter-Bootstrap commit v. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 7.1
HIGH This Week

An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Znuny
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Znuny
NVD
EPSS 60% CVSS 7.6
HIGH POC PATCH THREAT This Week

An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Flowise
NVD Exploit-DB
EPSS 0% CVSS 7.7
HIGH This Week

MCUboot is a secure bootloader for 32-bits microcontrollers. Rated high severity (CVSS 7.7). No vendor patch available.

Code Injection
NVD GitHub
EPSS 1% CVSS 6.0
MEDIUM This Month

Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1, allows remote attackers to execute arbitrary code via a crafted payload to the Markup Sandbox feature. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Relate
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 84% CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Ssti
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Information Disclosure Vyper
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Information Disclosure Vyper
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function, a different vulnerability than CVE-2024-43033. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Jpress
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A log injection flaw was found in Keycloak. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.4.4. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.21.96. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

A buffer overflow vulnerability in pdf2json v0.70 allows a local attacker to execute arbitrary code via the GString::copy() and ImgOutputDev::ImgOutputDev function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Buffer Overflow RCE
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Python Flask Cors
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection RCE Google +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE SQLi +1
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in the WP Dummy Content Generator WordPress plugin (versions up to and including 3.2.1) allows unauthenticated attackers to inject and execute arbitrary code due to improper input handling (CWE-94). With a maximum CVSS score of 10.0 and a scope-changing vector, successful exploitation grants full compromise of the WordPress site and underlying host context; no public exploit identified at time of analysis, while EPSS sits at 0.72% (72nd percentile).

Code Injection RCE
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Hashicorp Go Getter
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packet scheduler must. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Code Injection Linux Linux Kernel
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissions as the application using a model that allow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Keras
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Argument injection in websphere_mq agent plugin in Checkmk 2.0.0, 2.1.0, <2.2.0p26 and <2.3.0b5 allows local attacker to inject one argument to runmqsc. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Checkmk
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

An issue in JNT Telecom JNT Liftcom UMS V1.J Core Version JM-V15 allows a remote attacker to execute arbitrary code via the Network Troubleshooting functionality. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 1% CVSS 6.6
MEDIUM This Month

Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device Synchronizations (/admin/DeviceReplication). Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Wbsairback
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device NAS shared section (/admin/DeviceNAS). Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Wbsairback
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 Accounts (/admin/CloudAccounts). Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Wbsairback
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross Site Scripting vulnerability in Rainbow external link network disk v.5.5 allows a remote attacker to execute arbitrary code via the validation component of the input parameters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

An issue discovered in Thesycon Software Solutions Gmbh & Co. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Tusbaudio
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary commands via the Group Name field under the add forms section of the application. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Form Tools
NVD
EPSS 1% CVSS 7.6
HIGH POC This Week

An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. Rated high severity (CVSS 7.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in RageFrame2 v2.6.43, allows remote attackers to execute arbitrary web scripts or HTML and obtain sensitive information via a crafted payload injected into. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Buffer Overflow +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

HTML injection vulnerability in Enpass Password Manager Desktop Client 6.9.2 for Windows and Linux allows attackers to run arbitrary HTML code via creation of crafted note. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Microsoft +1
NVD
EPSS 83% CVSS 8.8
HIGH POC PATCH THREAT This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
EPSS 34% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE Xwiki
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 76% CVSS 8.8
HIGH POC PATCH THREAT This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Information Disclosure Xwiki
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Secure Lockdown
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Aim
NVD
EPSS 1% CVSS 4.7
MEDIUM POC This Month

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Leantime
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Dell Alienware Command Center, versions prior to 6.2.7.0, contain an uncontrolled search path element vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Dell Alienware Command Center
NVD
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Mysql2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache RCE +1
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Contao
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Contao is an open source content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Contao
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Ex200 Firmware
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in CandyCMS version 1.0.0, allows remote attackers to execute arbitrary code via the install.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Portal For Arcgis
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in SeaCMS version 12.9, allows remote attackers to execute arbitrary code via admin notify.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 7.6
HIGH POC This Week

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 47% CVSS 9.8
CRITICAL POC THREAT Act Now

Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Command Injection RCE +2
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Canto Inc. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Canto
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Cwicly Builder, SL. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

: Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows : Code Injection.7.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Dolibarr Erp Crm
NVD GitHub VulDB
EPSS 49% CVSS 9.9
CRITICAL Emergency

Authenticated code injection in the WP Fusion Lite WordPress plugin (versions up to and including 3.41.24) allows low-privileged users to execute arbitrary PHP code on the underlying server. With a CVSS of 9.9 and changed scope, successful exploitation fully compromises the WordPress site and potentially adjacent components; EPSS places this in the top 2% (98th percentile) of vulnerabilities most likely to be exploited, though no public exploit is identified at time of analysis.

Code Injection RCE
NVD VulDB
EPSS 1% CVSS 8.5
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Slivery Extender slivery-extender allows Remote Code Inclusion.0.2. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE
NVD VulDB
EPSS 1% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.1.0.8. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Arbitrary file write vulnerability in beescms v.4.0, allows a remote attacker to execute arbitrary code via a file path that was not isolated and the suffix was not verified in admin_template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the Ap4MdhdAtom.cpp,AP4_MdhdAtom::AP4_MdhdAtom,mp4fragment. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Code Injection RCE Bento4
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the Ap4StsdAtom.cpp,AP4_StsdAtom::AP4_StsdAtom,mp4fragment. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Bento4
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4_MemoryByteStream::WritePartial at Ap4ByteStream.cpp. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Buffer Overflow +1
NVD GitHub
EPSS 33% CVSS 9.8
CRITICAL Act Now

An issue was discovered in seeyonOA version 8, allows remote attackers to execute arbitrary code via the importProcess method in WorkFlowDesignerController.class component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/edit_fire_wall.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/add_getlogin.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE
NVD GitHub
EPSS 6% CVSS 9.9
CRITICAL POC Act Now

JumpServer is an open source bastion host and an operation and maintenance security audit system. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Jumpserver
NVD GitHub
EPSS 6% CVSS 9.9
CRITICAL POC Act Now

JumpServer is an open source bastion host and an operation and maintenance security audit system. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Jumpserver
NVD GitHub
Prev Page 26 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4849

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy