Code Injection
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.
How It Works
Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.
Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.
The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.
Impact
- Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
- Operating system command execution — break out from language runtime to system shell via subprocess calls
- Data exfiltration — read database credentials, environment variables, source code, and business data
- Persistence establishment — modify application files, inject backdoors, create scheduled tasks
- Lateral movement — leverage server access to attack internal network resources and connected services
Real-World Examples
A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.
Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.
Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.
Mitigation
- Eliminate dynamic code execution — refactor to use data-driven approaches instead of
eval(),exec(),Function(), or similar constructs - Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
- Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
- Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
- Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
- Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation
Recent CVEs (4831)
Remote code execution in the Monetizemore Advanced Ads WordPress plugin through version 2.0.21 allows authenticated attackers with low privileges to inject and execute arbitrary code via a code injection flaw (CWE-94). The issue was disclosed by Patchstack and carries a CVSS 3.1 base score of 7.5 (high) with high attack complexity. No public exploit identified at time of analysis.
LDAP injection in Apache Shiro's DefaultLdapRealm allows remote unauthenticated attackers to manipulate Distinguished Name construction during LDAP bind authentication, potentially bypassing authentication or impersonating other users. The flaw affects all versions through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm is in use, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects high integrity impact against an authentication-critical component.
Remote code execution in Blocksy Companion Pro (Creative Themes) versions 2.1.37 and earlier allows authenticated users with Contributor-level WordPress privileges to inject and execute arbitrary code on the underlying server. The flaw carries a CVSS 3.1 base score of 9.9 with scope change, reflecting that successful exploitation breaks out of the WordPress application context. No public exploit identified at time of analysis, but Patchstack has catalogued the issue in its WordPress vulnerability database.
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code.
Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.
Arbitrary code execution in Themeco Cornerstone WordPress plugin versions prior to 7.8.8 allows authenticated low-privilege users (Subscriber role) to inject and execute arbitrary code on the underlying server. The CVSS:3.1 vector indicates a scope-changed network-vector flaw with high impact on confidentiality, integrity, and availability, though high attack complexity tempers the realistic risk. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Privilege escalation and full takeover of Oracle MySQL Shell's VS Code extension affects version 2026.2.0+9.6.1, allowing a low-privileged remote attacker with HTTP network access to fully compromise the Shell with confidentiality, integrity, and availability impact. Because the CVSS vector indicates a scope change (S:C), successful exploitation propagates impact beyond the Shell itself into adjacent components the extension connects to, such as MySQL servers managed through the VS Code workflow. No public exploit identified at time of analysis, but the 9.9 base score and 'easily exploitable' wording from Oracle warrant urgent remediation.
Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.
Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.
Code injection in NVIDIA NeMo Framework across all supported platforms allows a local attacker with low privileges to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data. The flaw carries a CVSS 3.1 score of 7.8 with high impact across confidentiality, integrity, and availability, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cookie injection in Firefox for iOS (all versions prior to 152.0) arises from the browser's TemporaryDocument PDF handling mechanism incorrectly preserving cookies from an initial PDF request across cross-origin HTTP redirects. This violates same-origin cookie isolation, enabling a malicious site to inject arbitrary cookies into requests directed at an unrelated target domain and potentially manipulate session or authentication state on that domain. No public exploit code has been identified and no CISA KEV listing exists; the CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates low-complexity remote exploitability contingent on user interaction, and Mozilla has shipped a vendor-released patch in Firefox for iOS 152.0.
Remote code execution in the Filipe Nasc RD Station WordPress plugin (versions up to and including 5.6.0) allows authenticated attackers to inject and execute arbitrary PHP code through an improper code-generation control flaw. The issue carries a critical CVSS 3.1 score of 9.9 with a scope-changing impact, and no public exploit identified at time of analysis, though Patchstack has catalogued it as a Remote Code Execution vulnerability in their WordPress vulnerability database.
Remote code execution in the Easy Invoice WordPress plugin (versions <= 2.1.19) allows unauthenticated attackers to run arbitrary code on the underlying server via a code injection flaw (CWE-94). The maximum CVSS 10.0 score reflects network reachability, no privileges, no user interaction, and a scope change with full confidentiality, integrity, and availability impact on the hosting WordPress site. No public exploit identified at time of analysis, but the trivial exploitability profile makes weaponization likely once technical details are published by Patchstack.
Remote code execution in the WordPress 'Responsive Slider by MetaSlider' plugin (versions ≤3.106.0) allows authenticated users with Editor-level privileges to inject and execute arbitrary code on the underlying server. The flaw is tracked as CWE-94 (Improper Control of Generation of Code) and carries a CVSS 3.1 score of 9.1 because exploitation crosses a scope boundary, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) allows remote attackers to overwrite the project's vite.config.ts and execute arbitrary Node.js code on the host when the browser API server is bound to a network-reachable interface (e.g. --browser.api.host=0.0.0.0). The flaw stems from the cdp() API forwarding raw Chrome DevTools Protocol calls over the browser WebSocket RPC without honoring the allowWrite/allowExec gates that normally restrict Browser Mode. Publicly available exploit code exists in the GHSA-g8mr-85jm-7xhm advisory's step-by-step reproduction, though no CISA KEV listing has been issued.
Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.
CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject malicious formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT, though no public exploit identified at time of analysis. Impact spans confidentiality, integrity, and availability on the system of any victim who opens the crafted CSV.
Remote code execution in kanishka-linux Reminiscence v0.3.0 allows unauthenticated attackers to execute arbitrary OS commands by supplying crafted input to the media archiving and export pipeline component. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact to confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS sits at 0.67% (47th percentile) indicating limited observed exploitation pressure so far.
Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.
Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.
Remote code execution in YouTransfer v1.0.6 allows unauthenticated attackers to run arbitrary code by sending a crafted request to the sendmail transport integration component. The flaw is a CWE-94 code injection issue with a critical CVSS 9.8 score and publicly available exploit code exists via a referenced GitHub gist, though no active exploitation has been confirmed by CISA KEV.
Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can write bytes to the terminal - including SSH sessions, file viewers like cat or less, log tailers, and TUI applications - to execute attacker-supplied Python code inside the running kitty process with full user privileges. Exploitation requires no approval prompt, no shell integration, no clipboard interaction, and no editor involvement, making any rendered untrusted content a viable injection vector. No public exploit identified at time of analysis, but the trivial trigger conditions and broad attack surface make this a high-priority patch.
Code injection in Kitty terminal emulator versions prior to 0.47.3 allows attacker-controlled bytes - including newline characters - to be reflected back into the user's shell input via the OSC 21 (color-control) escape sequence query reply. An attacker who can cause arbitrary bytes to be written to the terminal (malicious file contents, SSH banner, log entry, web page) can inject and execute shell commands at the victim's privilege level. No public exploit identified at time of analysis, but the underlying class of terminal-escape-injection bugs is well documented and exploitation is straightforward once the unsanitized reply path is known.
CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. The vulnerability sits in the AI/ML supply chain layer, making it particularly relevant for organizations using ChromaDB as a backend for RAG or embedding pipelines.
HTTP/2-to-HTTP/1.1 request smuggling in swift-nio-http2 (versions prior to 1.44.1) allows unauthenticated remote attackers to inject arbitrary HTTP headers or smuggle entire requests to backend systems in reverse-proxy configurations. The codecs HTTP2FramePayloadToHTTP1ServerCodec and HTTP2ToHTTP1ServerCodec fail to strip CR, LF, or NUL control characters from HTTP/2 pseudo-header values such as :path and :authority before writing them into the HTTP/1.1 output, enabling the binary-safe HTTP/2 layer to act as a covert channel for control characters that become structural delimiters in HTTP/1.1. No public exploit has been identified at time of analysis, but this vulnerability is a direct extension of two prior confirmed CRLF injection flaws in the same library family (GHSA-7fj7-39wj-c64f and GHSA-cq87-8r7h-962v), indicating a recurring pattern that lowers the technical barrier for exploitation.
Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.
Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.
Code injection via unsanitized step-definition patterns in Vim's cucumber filetype plugin allows arbitrary Ruby and shell command execution on any Vim build compiled with +ruby support, prior to version 9.2.0496. An attacker who controls .rb step definition files in a repository can craft a regex-terminating payload that escapes a Kernel.eval() argument, enabling full shell access as the victim's user when the developer invokes the [d or ]d step-jump mapping. No public exploit identified at time of analysis, but the patch commit includes a working proof-of-concept demonstrating the injection technique.
HTTP Response Splitting via CRLF injection in Apache CXF's OAuth2 module allows an attacker who controls the WWW-Authenticate realm parameter to inject arbitrary HTTP headers or split HTTP responses entirely. Affected deployments include cxf-rt-rs-security-oauth2 versions 4.2.0 before 4.2.2 and all versions before 4.1.7. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA KEV, but successful exploitation could enable cache poisoning, header injection, or redirection of downstream HTTP clients processing the malformed response.
Log injection in Apache CXF's OAuth2 module (org.apache.cxf:cxf-rt-rs-security-oauth2) permits remote attackers to forge arbitrary log entries by supplying crafted `clientId` values containing control characters or newline sequences in OAuth2 HTTP requests. Affected are CXF 4.2.0-4.2.1 and all 4.1.x versions before 4.1.7; fixed releases 4.2.2 and 4.1.7 were issued June 10, 2026. No public exploit code or active exploitation has been identified at time of analysis; practical impact is confined to log integrity compromise that could mislead security monitoring and incident response processes.
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied strings passed through `opts.name` or `opts.uri` into the `zipHardhat`/`zipFoundry` helpers to break out of string literals inside generated Hardhat and Foundry test scaffolding, leading to arbitrary code execution on the developer's machine when `npm test` or `forge test` is run. No public exploit is identified at time of analysis, but a vendor advisory and patched commit are public via GitHub Security Advisory GHSA-4x76-22x2-rx8v.
Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.
CRLF injection in guzzlehttp/psr7 versions prior to 2.10.2 allows remote unauthenticated attackers to inject arbitrary HTTP headers into outbound requests by embedding carriage-return/line-feed sequences in a user-controlled URI host component. When a PSR-7 request is manually serialized into a raw HTTP/1.x message - for example via Message::toString() - the unvalidated host is copied verbatim into the Host header, enabling an attacker-supplied host like '"\r\nX-Injected: yes"' to append controlled headers to the serialized request. In deployments behind proxies, gateways, or load balancers with HTTP/1.1 connection reuse, this header injection can cascade into HTTP request smuggling or cache poisoning. No public exploit code has been identified at time of analysis, and exploitation through the standard Guzzle HTTP client API is explicitly not affected.
Expression language injection in Soagen Informatics' Apinizer API management platform versions 2026.04.0 through 2026.04.5 allows remote unauthenticated attackers to inject malicious EL expressions that the server evaluates, resulting in arbitrary code execution. The flaw was reported by Turkey's national CERT (TR-CERT) and carries a CVSS 9.8 critical rating, though SSVC currently indicates no observed exploitation and no public exploit identified at time of analysis. A vendor patch is available in version 2026.04.6.
Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. A publicly available exploit exists on HackerOne, though no active exploitation has been confirmed by CISA KEV; the official CVSS score of 2.6 reflects the high attack complexity and limited integrity-only impact.
Metric injection via unsanitized newline characters affects Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl, allowing unauthenticated remote attackers to forge or corrupt statsd telemetry streams. The root cause is the _labels function's failure to strip or reject newlines and statsd control characters from tag label values before they are encoded into statsd UDP packets. Because statsd and dogstatsd protocols use newlines as metric delimiters, an attacker who can influence any label value flowing into the adapter can cause the server to parse additional attacker-controlled metrics. No public exploit has been identified at time of analysis, but SSVC rates the flaw as automatable with partial technical impact.
Metric injection in the Perl module Metrics::Any::Adapter::DogStatsd before 0.04 allows remote attackers to inject arbitrary StatsD/DogStatsD metrics by smuggling newline characters through unsanitized metric names and tags. Because the StatsD protocol treats newlines as packet delimiters for multiple metrics, attacker-controlled values forwarded into the adapter can forge additional metrics or tag payloads on the wire, with no public exploit identified at time of analysis and an EPSS score of 0.03% indicating low near-term exploitation probability.
Metric injection in the Perl module Metrics::Any::Adapter::Statsd before version 0.04 allows remote attackers to inject arbitrary StatsD metrics by supplying metric names or values containing newlines, colons, or pipes that the send method passes unvalidated into UDP packets. Because the StatsD protocol multiplexes multiple metrics per packet using newline delimiters, an attacker who controls any string flowing into a recorded metric can forge additional metrics, poisoning monitoring data and downstream alerting. EPSS is very low (0.03%), no public exploit is identified at time of analysis, and there is no CISA KEV listing.
ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.
Server-side template injection in Apache OFBiz before 24.09.07 allows authenticated users holding Content or DataResource editing privileges to inject template code that is rendered by the framework, resulting in remote code execution on the application server. The flaw is rated CVSS 8.8 with publicly available exploit code exists via the oss-security disclosure thread, though EPSS sits at 0.09% (26th percentile), indicating broad opportunistic exploitation has not yet been observed. Apache has shipped a fix in 24.09.07 and recommends immediate upgrade.
Argument injection in NoMachine remote desktop software before versions 9.5.7 and 8.23.2 allows a local authenticated user to inject command-line arguments and achieve high-impact compromise of confidentiality, integrity, and availability on the host. The flaw is tracked as CWE-88 (Improper Neutralization of Argument Delimiters), reported by CIRCL, and at the time of analysis there is no public exploit identified.
LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. No public exploit identified at time of analysis and no CISA KEV listing, but the high confidentiality impact rating and network attack vector warrant prompt patching for any application that surfaces Sort query parameters to end users.
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Code injection in NETGEAR RBE97x routers (firmware prior to V9.12.4.9) enables authenticated administrators on the local network to make unauthorized modifications to router software and functionality beyond their sanctioned scope. The vulnerability stems from insufficient input validation (CWE-94), where administrator-supplied input is not properly sanitized before being processed, potentially allowing execution of injected code. No public exploit exists and CISA SSVC classifies exploitation status as 'none', making this a low-urgency but valid integrity risk for environments where shared or compromised admin accounts are a concern.
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Arbitrary VQL execution in Rapid7 Velociraptor before 0.76.6 allows attackers to compromise analyst workstations by supplying a malicious collection ZIP whose client_info.json hostname field breaks out of a YAML template generated by the Windows.Collectors.Remapping artifact. Triggered when an analyst loads the resulting remapping file with --remap, the injected VQL runs under NullACLManager with full permissions and no sandbox. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Sandboxed remote code execution in Google Chrome versions prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to visit a crafted HTML page that abuses an inappropriate SVG implementation. Google rates the underlying Chromium issue as High severity, and no public exploit identified at time of analysis, though the user-interaction requirement (UI:R) and high CVSS of 8.8 make this a meaningful drive-by browsing risk once a patch is reverse-engineered.
YAML injection in nebula-mesh (juev/nebula-mesh, forked as forgekeep/nebula-mesh) prior to v0.3.2 allows an authenticated operator to inject arbitrary YAML keys into a managed agent's config.yml via the unvalidated adv_tun_device and ListenHost host-override fields. A successful injection lets the attacker self-promote a target host to a Nebula lighthouse or relay, redirecting and intercepting mesh traffic across the overlay network. No public exploit identified at time of analysis, but a detailed PoC payload is published in the GHSA advisory itself.
Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.
Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.
Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. No public exploit identified at time of analysis, but the commit diff in 4.6.6 fully documents the vulnerable code path, lowering the bar for exploit development.
Arbitrary Node.js code execution via signed Actual Budget macOS binary (versions prior to 26.5.0) is enabled by the ELECTRON_RUN_AS_NODE fuse being left active in the Electron 39.2.7 runtime. An attacker who can place a script on disk or influence the process environment can invoke Actual.app with ELECTRON_RUN_AS_NODE=1, causing the signed binary to act as a Node.js interpreter executing attacker-controlled code under Actual's macOS code signature and entitlements. No public exploit identified at time of analysis; a vendor-released patch exists in version 26.5.0 per GHSA-7rvm-xjpp-63r9.
Authenticated remote code execution in OpenBullet2 through version 0.3.2 allows any logged-in user to run arbitrary C# code on the host by abusing the job configuration interface's plain C# execution mode. Because that mode lacks reference filtering or API restrictions, attackers can touch the file system, spawn child processes, and call any .NET API as the OpenBullet2 service account. Publicly available exploit code exists, and the issue was reported by VulnCheck; pairing it with a known authentication bypass route (referenced HackerNoon write-up) materially raises real-world exploitability.
HTTP response splitting in ninenines cowlib allows network-accessible attackers to inject arbitrary HTTP headers when applications route untrusted input through the library's structured-field encoder. The root cause is an encoder/decoder asymmetry in cow_http_struct_hd:escape_string/2: it escapes only backslash and double-quote, emitting all other bytes verbatim - including CR (0x0D) and LF (0x0A) - while the matching parser only accepts printable ASCII. Any Cowboy or Gun application that builds a structured HTTP header from attacker-controlled input via cow_http_struct_hd:item/1 or cow_http_hd:wt_protocol/1 is affected. No public exploit has been identified and this CVE does not appear in CISA KEV, but upstream fixes are available as commits to both Cowboy and Gun.
KVM/x86 on Linux exposes a race condition in interrupt request register (IRR) scanning that causes incorrect reporting of the highest pending interrupt in nested virtualization scenarios. Specifically, when PID.ON is set by a sender vCPU after the target vCPU has already harvested and cleared the PIR, a second call to vmx_sync_pir_to_irr() observes an empty PIR and returns max_irr=-1 without scanning the IRR, producing a spurious kernel WARNING in vmx_check_nested_events() and a wasted L2 VM-Enter/VM-Exit cycle. The interrupt itself is not lost - it resides in the IRR from the first sync - but the incorrect max_irr triggers the assertion. No public exploit exists and EPSS is 0.02%, consistent with the highly localized, timing-dependent nature of this defect.
Authenticated remote code execution in FlowiseAI Flowise prior to 3.1.2 allows any user with a valid session or API key to submit arbitrary JavaScript via POST /api/v1/node-custom-function, which executes inside a NodeVM sandbox that can be escaped to reach the host process and spawn child processes. CVSS 4.0 scores this 9.4 Critical, and publicly available exploit details exist via the GHSA advisory, though no public exploit identified at time of analysis in CISA KEV. The flaw stems from missing route-level authorization combined with a sandbox that Flowise itself documents as a security boundary but which fails to contain malicious payloads.
Code injection in erzhongxmu JeeWMS via the JimuReport test-connection endpoint (/base-boot/jmreport/testConnection) allows remote unauthenticated attackers to inject malicious payloads through the dbType, dbDriver, dbUrl, dbUsername, and dbPassword parameters. Publicly available exploit code exists and the vendor did not respond to disclosure, leaving deployments exposed without a confirmed patched build due to the project's rolling-release model.
Format string injection in the TP-Link Tapo C520WS v2 ONVIF Subscribe service allows a high-privileged attacker on the same network segment to crash the camera's event notification service by supplying crafted format string specifiers in subscription requests or notification generation parameters. Successful exploitation terminates the ONVIF Subscribe service unexpectedly, silently disabling real-time motion alerts and alarm notifications until service recovery or device reboot - a safety-relevant impact in physical security deployments. No public exploit code has been identified at time of analysis, and TP-Link has self-disclosed the issue alongside a firmware patch.
Arbitrary JavaScript execution in the Markdown Preview Enhanced VS Code extension (0.8.x, bundling crossnote 0.9.28) is triggered when a victim opens or previews a crafted Markdown document containing a malicious wavedrom fenced code block. The WaveDrom rendering pipeline passes block contents directly to window.eval() inside the VS Code webview, letting an attacker abuse the extension's message-passing channel to write arbitrary files to the victim's local filesystem. Vendor patches were released on 2026-06-05; no public exploit was identified at time of analysis and the CVE is not listed in CISA KEV.
Remote code execution in the Markdown Preview Enhanced extension (versions before 0.8.28) allows attackers to run arbitrary JavaScript when a victim previews or exports a crafted markdown document containing a WaveDrom diagram. The flaw stems from the renderer evaluating untrusted markdown content with eval() across every render path - live preview, presentation mode, and HTML export - and can also be triggered via raw HTML <script type="WaveDrom"> injection. No public exploit identified at time of analysis; EPSS data was not provided, but the high CVSS 4.0 score (8.6) and trivial trigger via a shared markdown file make this a meaningful risk for developer workstations.
Arbitrary code execution in Markdown Preview Enhanced (shd101wyy) before 0.8.28 lets a crafted markdown document run attacker-controlled JavaScript when rendered or exported, because Bitfield fenced code blocks were evaluated through interpretJS() / vm.runInNewContext() instead of being parsed as data. CVSS 4.0 scores this 8.6 with network vector and active user interaction; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.
Metric and tag injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows attackers who control event tag content to inject arbitrary metrics, tags, and event data into the DogStatsd telemetry stream. The CVSS 9.8 score reflects an unauthenticated network-vector CWE-93 (CRLF/separator injection) flaw where the format_event method fails to sanitize commas, newlines, pipes, and colons - including an ineffective s/|//g regex that misinterprets the pipe as a regex metacharacter. No public exploit identified at time of analysis and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation interest despite the high CVSS rating.
Metric injection in the Perl DataDog::DogStatsd client (versions through 0.07) allows remote attackers to forge or manipulate StatsD metrics by supplying unsanitised input containing newlines, pipes, or colons in stat names, values, or tags. With a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) rating and CWE-93 (CRLF Injection) classification, attackers can corrupt monitoring data, change metric name prefixes, or inject arbitrary metrics - the SYNOPSIS example of passing a web form 'loginName' parameter as a tag is explicitly called out as unsafe. EPSS is very low (0.03%) and no public exploit identified at time of analysis, but the trivial network attack profile means risk depends entirely on whether untrusted input reaches the library.
Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.
Universal Cross-Site Scripting (UXSS) in the Omnibox component of Google Chrome prior to 149.0.7827.53 enables a remote unauthenticated attacker to inject arbitrary scripts or HTML across origin boundaries by exploiting insufficient input validation. Successful exploitation requires convincing a victim to visit a crafted HTML page and perform specific UI gestures, as confirmed by the UI:R CVSS component and the CVE description. No public exploit has been identified at time of analysis, and the EPSS score of 0.07% (22nd percentile) combined with Google's own 'Low' severity classification indicates limited near-term exploitation likelihood.
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker to run arbitrary code by tricking a user into interacting with a malicious file, due to an inappropriate implementation in the Safe Browsing component. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.04%, 12th percentile), though the CVSS base score of 8.1 reflects high confidentiality and integrity impact. Chromium internally rated the security severity as Low, suggesting practical exploitability is constrained despite the high CVSS.
Universal cross-site scripting (UXSS) in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to inject arbitrary scripts or HTML into the context of other origins via a crafted XML file. The flaw stems from an inappropriate implementation in Chrome's XML handling (CWE-91, XML Injection), enabling same-origin policy bypass when a user is lured into loading attacker-controlled content. No public exploit has been identified at time of analysis, and EPSS exploitation probability is low at 0.06% (18th percentile).
Script injection via Chrome's Accessibility component allows a remote attacker who convinces a victim to install a malicious extension to perform Universal Cross-Site Scripting (UXSS), injecting arbitrary scripts or HTML into web page contexts the user visits. Affected are all Chrome desktop versions prior to 149.0.7827.53. EPSS is 0.01% (2nd percentile) and this vulnerability is not in CISA KEV, indicating very low real-world exploitation probability at time of analysis; however, the social-engineering prerequisite (malicious extension installation) remains a credible threat vector in targeted campaigns.
Universal Cross-Site Scripting (UXSS) in Google Chrome's Keyboard implementation prior to version 149.0.7827.53 enables remote unauthenticated attackers to inject arbitrary scripts or HTML across origin boundaries via a crafted HTML page. The Scope:Changed CVSS vector reflects the fundamental nature of this class: successful exploitation bypasses the Same-Origin Policy, potentially granting script access to sessions, cookies, and DOM content across all origins open in the browser. No public exploit has been identified at time of analysis, and the EPSS score of 0.06% (18th percentile) indicates low current exploitation probability, though UXSS primitives are historically high-value for targeted attacks.
Script and HTML injection into privileged Chrome pages is possible in Google Chrome prior to 149.0.7827.53 through insufficient policy enforcement in the Extensions subsystem. An attacker who convinces a user to install a crafted malicious extension can leverage this to inject content into otherwise-restricted privileged pages, compromising page integrity. EPSS is 0.01% (1st percentile), no KEV listing exists, and no public exploit has been identified at time of analysis - indicating low observed exploitation pressure despite the network-accessible attack vector.
Universal Cross-Site Scripting (UXSS) in Google Chrome for Android's Tab Group Sync feature allows remote unauthenticated attackers to inject arbitrary scripts or HTML via malicious network traffic against Chrome versions prior to 149.0.7827.53. The CVSS Changed Scope (S:C) confirms that injected content escapes the vulnerable component's origin boundary, affecting other origins - the defining characteristic of UXSS, which is more severe than conventional XSS because it bypasses the browser-level same-origin policy rather than just application-level controls. No public exploit has been identified at time of analysis, and EPSS at 0.07% (22nd percentile) reflects low current exploitation probability; the vulnerability is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code through a crafted HTML page that triggers script injection in the Headless component. The flaw is rated High severity by Chromium and carries a CVSS 3.1 base score of 8.8, requiring only that a victim load attacker-controlled web content. No public exploit identified at time of analysis, but Google has released a fix in the Stable channel update for desktop.
Universal Cross-Site Scripting (UXSS) in Google Chrome's DevTools component allows an attacker who has already compromised the renderer process to inject arbitrary scripts or HTML across security origins via a crafted HTML page, bypassing the same-origin policy. Affected versions are all Chrome releases prior to 149.0.7827.53. No public exploit code exists and no active exploitation has been observed; this vulnerability functions as a second-stage capability within a broader attack chain requiring prior renderer compromise.
Metric injection in the Etsy::StatsD Perl module (versions through 1.002002) allows remote attackers to inject arbitrary statsd metrics by supplying input containing unescaped newlines, colons, or pipe characters to metric names or values. Applications that build metrics from untrusted sources (HTTP parameters, user identifiers, log fields) can be coerced into emitting forged measurements, corrupting downstream monitoring, dashboards, and alerting. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Metric injection in Net::Statsd for Perl (all versions before 0.13) allows network-reachable, unauthenticated attackers to forge additional StatsD metric lines by embedding newlines, colons, or pipes in metric names or values passed through the library. Any application that feeds untrusted external input into Net::Statsd method calls without prior sanitization is directly exposed, because the wire format uses those characters as delimiters between metrics in a single UDP datagram. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the CVSS AV:N/AC:L/PR:N/UI:N surface warrants prompt patching wherever user-controlled strings reach metric instrumentation calls.
Metric name injection in Net::Async::Statsd::Client (Perl, versions through 0.005) allows network-reachable, unauthenticated attackers to inject arbitrary StatsD metrics by supplying untrusted input containing unfiltered newlines, colons, or pipe characters. Because the StatsD wire protocol uses these characters as structural delimiters, unsanitized metric names sourced from user-controlled data can be interpreted as additional, attacker-controlled metrics by the receiving StatsD server. No public exploit identified at time of analysis and EPSS sits at the 9th percentile (0.03%), indicating low observed exploitation pressure, but any Perl application forwarding externally-supplied values as StatsD metric names is directly in scope.
Server-side request forgery and potential remote code execution in Docling versions 2.82.0 through 2.90.x affect deployments that explicitly enable the Playwright-based HTML rendering backend. When `render_page=True` is set, untrusted HTML documents can execute arbitrary JavaScript in the rendering browser context and reach internal network services, enabling SSRF, data exfiltration, or code execution in the rendering environment. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but a vendor-confirmed fix exists in 2.91.0.
Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence boot scripts processed by the bare-metal provisioning service, with integrity impact extending across a CVSS scope change to the provisioned hardware. Confirmed by upstream advisory OSSA-2026-017 and an Ubuntu USN, with no public exploit identified at time of analysis and an EPSS of 0.03% indicating no observed exploitation activity.
Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.
Quick Facts
- Typical Severity
- CRITICAL
- Category
- web
- Total CVEs
- 4831