Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4851)

EPSS 3% CVSS 7.8
HIGH This Week

The issue was addressed with improved memory handling. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Apple Code Injection +5
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Metagpt
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Code Injection in paddlepaddle/paddle. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Paddle
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A vulnerability, which was classified as critical, has been found in 个人开源 mldong 1.0.java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Mldong
NVD GitHub VulDB
EPSS 8% CVSS 10.0
CRITICAL POC Act Now

Remote code execution in the Social Warfare WordPress plugin (versions ≤ 3.5.2) allows unauthenticated attackers to run arbitrary code on the server via the 'swp_url' parameter. Publicly available exploit code exists and the issue carries a maximum CVSS 10.0 with scope change, while the EPSS score of 7.99% (92nd percentile) signals meaningfully elevated exploitation interest. The flaw was reported by Wordfence and primarily threatens WordPress sites still running this abandoned/legacy plugin version.

RCE Code Injection WordPress +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Atlassian +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Atlassian +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Atlassian +2
NVD
EPSS 9% CVSS 8.8
HIGH POC This Week

An authenticated remote code execution vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows attackers to arbitrarily execute commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Archive Storage Manager
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

An issue was discovered in Scada-LTS v2.7.5.2 build 4551883606 and before, allows remote attackers with low-level authentication to escalate privileges, execute arbitrary code, and obtain sensitive. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Scada Lts
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Nvidia Code Injection +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity.

Privilege Escalation Code Injection Checkmk
NVD
EPSS 29% CVSS 8.8
HIGH This Month

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 29.1% and no vendor patch available.

RCE Code Injection Manageengine Adselfservice Plus
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A correctness issue was addressed with improved checks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apple Code Injection +5
NVD
EPSS 0% CVSS 7.8
HIGH This Week

This issue was addressed by forcing hardened runtime on the affected binaries at the system level. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Apple Code Injection +1
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. Rated medium severity (CVSS 4.7), this vulnerability is no authentication required. No vendor patch available.

Code Injection Kepware Kepserverex Thingworx Kepware Server +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Nexo Os
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Month

IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Microsoft RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Proofpoint Enterprise Protection contains a vulnerability in the email delivery agent that allows an unauthenticated attacker to inject improperly encoded HTML into the email body of a message. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Enterprise Protection
NVD
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05.20), CP-8050 MASTER MODULE (All versions < CPCI85 V05.20). Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Code Injection Sicam A8000 Cp 8050 Firmware Sicam A8000 Cp 8031 Firmware
NVD
EPSS 0% CVSS 8.4
HIGH This Month

In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

SAP RCE Code Injection +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH This Week

Azure uAMQP is a general purpose C library for AMQP 1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Microsoft RCE Code Injection +1
NVD GitHub
EPSS 93% 6.3 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the user registration form. Attackers inject Groovy code into the first name or last name fields, which is executed server-side when the user profile page is rendered.

RCE Code Injection Xwiki
NVD GitHub
EPSS 71% 4.7 CVSS 5.3
MEDIUM POC PATCH THREAT This Month

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.3%.

Python Code Injection Pyload
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Apple Code Injection +2
NVD
EPSS 0% CVSS 7.6
HIGH This Week

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Code Injection LDAP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Lenovo RCE Google +4
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

A flaw was found in libssh. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Libssh Fedora +1
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Broadcom Code Injection Api Gateway Manager
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.5.0 through 1.9.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Code Injection +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

There is a command injection vulnerability of ZTE's ZXCLOUD iRAI. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Zte Command Injection RCE +2
NVD
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability has been found in Magic-Api up to 2.0.1 and classified as critical. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Magic Api
NVD GitHub VulDB
EPSS 92% 5.5 CVSS 6.3
MEDIUM POC THREAT This Month

A vulnerability, which was classified as critical, was found in spider-flow 0.4.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.0%.

Java RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetElements For Elementor.6.10. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Jetelements
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Jeecg Boot
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Soft8Soft LLC Verge3D Publishing and E-Commerce.5.2. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Verge3D
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro.3.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Astra
NVD
EPSS 21% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons.5.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 21.2% and no vendor patch available.

RCE Code Injection Qode Essential Addons
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Wp Extra
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.0.3. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Nexter Extension
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Kanban for WordPress Kanban Boards for WordPress.5.21. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 9.9
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinić Rename Media Files.0.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Rename Media Files
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in David F. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Rsvpmaker
NVD
EPSS 1% CVSS 8.5
HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in BinaryStash WP Booklet.1.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection RCE Wp Booklet
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Java RCE Code Injection +1
NVD VulDB
EPSS 2% CVSS 8.8
HIGH POC This Week

SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Indi Browser
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Artisbrowser
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Google +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Google +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Browser Tv Web Browsehere
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in VR-S1000 firmware Ver. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Code Injection Vr S1000 Firmware
NVD
EPSS 44% CVSS 9.8
CRITICAL POC THREAT Emergency

Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Barracuda Email Security Gateway 300 Firmware +4
NVD GitHub
EPSS 17% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Spreadsheet +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Active Admin
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Hertzbeat is an open source, real-time monitoring system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Hertzbeat
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘opmode’ parameter of the setWiFiApConfig interface of the cstecgi .cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ex1800T Firmware
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

TOTOLINX EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘enable parameter’ of the setDmzCfg interface of the cstecgi .cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ex1800T Firmware
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘hour’ parameter of the setRebootScheCfg interface of the cstecgi .cgi. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Ex1800T Firmware
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Self Service Password
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection D-Link +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code injection vulnerability that could allow an attacker to perform remote code execution and gain root privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Epmp Force 300 25 Firmware
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&id=1 of the component Bind Request Handler. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection LDAP Nxfilter
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

A vulnerability classified as problematic was found in rmountjoy92 DashMachine 0.5-4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Dashmachine
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability was found in xnx3 wangmarket 6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Wangmarket
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A vulnerability was found in kalcaddle KodExplorer up to 4.51.03. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection PHP +1
NVD VulDB GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Xwiki
NVD GitHub
EPSS 79% CVSS 8.8
HIGH PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Xwiki
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Gitlab
NVD
EPSS 0% CVSS 5.7
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Gitlab
NVD
EPSS 93% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.3%.

RCE PHP Code Injection +2
NVD Exploit-DB VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Multisuns EasyLog web+ has a code injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Easylog Web Firmware
NVD
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Hono is a web framework written in TypeScript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Hono
NVD GitHub
EPSS 76% CVSS 9.8
CRITICAL Act Now

Nagios XI before version 5.11.3 was discovered to contain a remote code execution (RCE) vulnerability via the component command_test.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Code Injection Ssti Ansible +5
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

Code Injection Jwt Attack H2O
NVD GitHub
EPSS 3% CVSS 8.8
HIGH This Week

The issue was addressed with improved memory handling. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Apple +6
NVD
EPSS 1% CVSS 8.8
HIGH This Week

This vulnerability allows an remote attacker with low privileges to misuse Improper Control of Generation of Code ('Code Injection') to gain full control of the affected device. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Frauscher Diagnostic System 102
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Appointment Scheduler
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Car Rental Script v3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Car Rental Script
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Shuttle Booking Software 2.0 is vulnerable to CSV Injection in the Languages section via an export. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Shuttle Booking Software
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Time Slots Booking Calendar 4.0 is vulnerable to CSV Injection via the unique ID field of the Reservations List. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Time Slots Booking Calendar
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Availability Booking Calendar
NVD
EPSS 1% CVSS 8.2
HIGH POC This Week

An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Line
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on macOS allows an attacker to execute code via the DYLIB_INSERT_LIBRARIES environment variable. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Apple +1
NVD
EPSS 95% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Pre-auth RCE in Apache Ofbiz 18.12.09. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Apache +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress PHP +1
NVD WPScan
EPSS 2% CVSS 8.8
HIGH POC This Week

The Filr WordPress plugin before 1.2.3.6 is vulnerable from an RCE (Remote Code Execution) vulnerability, which allows the operating system to execute commands and fully compromise the server on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection WordPress +1
NVD WPScan
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

HtmlUnit is a GUI-less browser for Java programs. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE Code Injection +1
NVD GitHub
Prev Page 28 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4851

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy