Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4851)

EPSS 6% CVSS 9.9
CRITICAL POC Act Now

JumpServer is an open source bastion host and an operation and maintenance security audit system. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Jumpserver
NVD GitHub
EPSS 6% CVSS 9.9
CRITICAL POC Act Now

JumpServer is an open source bastion host and an operation and maintenance security audit system. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Jumpserver
NVD GitHub
EPSS 1% CVSS 8.4
HIGH This Week

The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Google
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Astro-Shield is a library to compute the subresource integrity hashes for your JS scripts and CSS stylesheets. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Astro Shield
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An authenticated malicious client can send a special LINQ query to execute arbitrary code remotely (RCE) on the SCM server from List control, and execute the arbitrary code on the same system where. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE
NVD
EPSS 1% CVSS 7.5
HIGH This Week

SCM Software is a client and server application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

A user with administrative privileges can create a compromised dll file of the same name as the original dll within the HP printer’s Firmware Update Utility (FUU) bundle and place it in the Microsoft. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. No vendor patch available.

Code Injection HP RCE +29
NVD
EPSS 1% CVSS 8.1
HIGH This Week

The Check & Log Email plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 1.0.9 via the check_nonce function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection WordPress
NVD VulDB
EPSS 1% CVSS 7.8
HIGH PATCH This Week

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Emacs +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute arbitrary code via the getPhpBin() component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Fastmag Sync
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because of specific Electron Fuses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Apple +2
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Moodle
NVD
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Grav
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Grav
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Grav
NVD GitHub
EPSS 6% CVSS 8.8
HIGH POC PATCH This Week

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection RCE Grav
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM POC This Month

An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execute arbitrary code via the pickle_load function of the serialize.py file. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Lagom
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

EspoCRM is an Open Source Customer Relationship Management software. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required. Public exploit code available.

Code Injection Espocrm
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

An issue in Lepton CMS v.7.0.0 allows a local attacker to execute arbitrary code via the upgrade.php file in the languages place. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD GitHub Exploit-DB VulDB
EPSS 1% CVSS 7.5
HIGH This Week

An issue in MyPrestaModules ordersexport v.6.0.2 and before allows a remote attacker to execute arbitrary code via the download.php component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Using a markup injection an attacker could have stolen nonce values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mozilla +2
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

ZITADEL, open source authentication management software, uses Go templates to render the login UI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Zitadel
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Komm.One CMS 10.4.2.14 has a Server-Side Template Injection (SSTI) vulnerability via the Velocity template engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Command Injection RCE
NVD
EPSS 8% CVSS 8.8
HIGH PATCH This Week

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Java RCE +1
NVD GitHub
EPSS 13% CVSS 8.8
HIGH POC PATCH THREAT This Week

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Java RCE +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical.php of the component HTTP POST Request Handler. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Glpi
NVD
EPSS 1% CVSS 8.8
HIGH This Week

zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Ckan
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

An unauthenticated remote attacker can perform a log injection due to improper input validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Charx Sec 3000 Firmware Charx Sec 3050 Firmware +2
NVD
EPSS 9% CVSS 6.5
MEDIUM This Month

An injection vulnerability has been reported to affect several QNAP operating system versions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Qnap Qts +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An injection issue was addressed with improved validation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple Code Injection Safari +8
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

The issue was addressed with improved checks. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Apple Code Injection +5
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

The issue was addressed with improved checks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apple Code Injection Ipad Os +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

An injection issue was addressed with improved input validation. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Code Injection macOS
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

An injection issue was addressed with improved input validation. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Code Injection macOS
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

remote code execution in paddlepaddle/paddle 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Paddlepaddle
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the message function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Microsoft +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in SuperCali version 1.1.0, allowing remote attackers to execute arbitrary JavaScript code via the email parameter in the bad_password.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP XSS +1
NVD
EPSS 0% CVSS 5.9
MEDIUM POC This Month

CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Ssti Cms Made Simple
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Command Centre
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Command Injection RCE +1
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

mjml-app versions 3.0.4 and 3.1.0-beta were discovered to contain a remote code execution (RCE) via the href attribute. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mjml App
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Pdfmake
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Deskfiler v1.2.3 allows attackers to execute arbitrary code via uploading a crafted plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Deskfiler
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1 and 5.4.2 allows a remote attacker to execute arbitrary code via the infoid parameter of the URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Epointwebbuilder
NVD
EPSS 2% CVSS 8.6
HIGH POC This Week

yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the pool_free function lacks loop checks. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Yyjson +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

SQL Injection vulnerability in /zms/admin/edit-ticket.php in PHPGurukul Zoo Management System 1.0 via tickettype and tprice parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection XSS RCE +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection James Mime4J
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability allows remote attackers to execute arbitrary code on the affected webOS of LG Signage. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Webos Signage
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on a predictable timestamp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Zkbio Wdms
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Python Mjml Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Information Disclosure RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in He3 App for macOS version 2.0.17, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Apple +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

A vulnerability was found in Shopwind up to 4.6. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection PHP RCE +1
NVD VulDB
EPSS 1% CVSS 7.2
HIGH This Week

This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Atlassian +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mozilla Firefox +2
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Expression Language Injection vulnerability in Hitachi Global Link Manager on Windows allows Code Injection.8.7-03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Microsoft Global Link Manager
NVD
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Admin Classic Bundle
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

An issue was discovered in REDAXO version 5.15.1, allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 27% CVSS 7.2
HIGH POC THREAT This Week

A remote code execution (RCE) vulnerability in /admin/define_language.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.2
HIGH POC This Week

A XSLT Server Side injection vulnerability in the Import Jobs function of FireBear Improved Import And Export v3.8.6 allows attackers to execute arbitrary commands via a crafted XSLT file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Improved Import Export
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Directory Traversal vulnerability in flusity CMS v.2.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via the download_backup.php component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Security Center
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

Redaxo v5.15.1 was discovered to contain a remote code execution (RCE) vulnerability via the component /pages/templates.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP RCE +1
NVD GitHub
EPSS 11% CVSS 8.8
HIGH PATCH This Week

Microsoft Outlook Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Microsoft +4
NVD
EPSS 30% CVSS 7.6
HIGH KEV PATCH THREAT This Week

Windows SmartScreen Security Feature Bypass Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Microsoft +12
NVD
EPSS 1% CVSS 7.2
HIGH This Week

In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE SAP +1
NVD
EPSS 1% CVSS 8.0
HIGH POC This Week

CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Koha
NVD
EPSS 7% CVSS 8.1
HIGH PATCH This Week

The UAMQP is a general purpose C library for AMQP 1.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Azure Uamqp
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Display custom fields in the frontend - Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress RCE Code Injection +1
NVD VulDB
EPSS 13% CVSS 8.8
HIGH POC THREAT Act Now

Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

Code Injection RCE WordPress +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Malwarebytes Binisoft Windows Firewall Control before 6.9.9.2 allows remote attackers to execute arbitrary code via gRPC named pipes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Microsoft +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Beetl
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Apple +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Vinchin Backup And Recovery
NVD VulDB
EPSS 1% CVSS 7.8
HIGH This Week

In Helix Sync versions prior to 2024.1, a local command injection was identified. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Command Injection RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability was found in openBI up to 1.0.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection PHP RCE +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Vantage6
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE E Ddc3 3 Firmware
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Apple +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Apple +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Dell Unity Operating Environment +2
NVD
EPSS 29% 4.3 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 28.9%.

Code Injection RCE Snapcast
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Buffer Overflow +5
NVD
Prev Page 27 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4851

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy