Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4852)

EPSS 1% CVSS 8.8
HIGH PATCH This Week

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Response endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Wazuh Code Injection
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Joblib +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper control of code generation in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection En6200 Prime Quad 35 Firmware +1
NVD
EPSS 1% CVSS 5.7
MEDIUM This Month

Authenticated (author+) CSV Injection vulnerability in Export Post Info plugin <= 1.2.0 at WordPress. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Code Injection Export Post Info
NVD
EPSS 99% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Sophos Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Apache Code Injection +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A potential local adjacent arbitrary code execution vulnerability that could potentially lead to a loss of confidentiality, integrity, and availability was discovered in HPE Integrated Lights-Out 5. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE HP Code Injection +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Zutty
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

HTML injection attack is closely related to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE XSS Code Injection +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Code Injection in GitHub repository microweber/microweber prior to 1.3.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Microweber
NVD GitHub
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection PHP Glpi
NVD GitHub Exploit-DB
EPSS 1% CVSS 8.0
HIGH POC This Week

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Espocrm
NVD
EPSS 1% CVSS 8.0
HIGH POC This Week

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Code Injection Affiliates Manager
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Code Injection Mobile Events Manager
NVD WPScan
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Feehi Cms
NVD
EPSS 2% CVSS 9.9
CRITICAL POC PATCH Act Now

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Docker Code Injection Onedev
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Cruddl
NVD GitHub
EPSS 74% CVSS 8.8
HIGH POC PATCH THREAT This Week

XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Python Code Injection +1
NVD GitHub
EPSS 76% CVSS 8.8
HIGH POC PATCH THREAT This Week

XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Python Code Injection +1
NVD GitHub
EPSS 1% CVSS 7.3
HIGH POC PATCH This Week

Poetry is a dependency manager for Python. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

RCE Python Command Injection +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.4 may allow a remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Fortisoar
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Openremote
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

mdx-mermaid provides plug and play access to Mermaid in MDX. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

RCE Code Injection Mdx Mermaid
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

TRENDnet TEW733GR v1.03B01 is vulnerable to Command injection via /htdocs/upnpinc/gena.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection Code Injection +2
NVD VulDB
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

DIR845L A1 v1.00-v1.03 is vulnerable to command injection via /htdocs/upnpinc/gena.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection PHP +2
NVD
EPSS 1% CVSS 7.1
HIGH This Week

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Code Injection Blue Prism
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Tabit - HTTP Method manipulation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Tabit
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Tabit - arbitrary SMS send on Tabits behalf. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Tabit
NVD
EPSS 1% CVSS 7.2
HIGH POC This Week

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress Code Injection +1
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM This Month

HTTP header injection vulnerability in Cybozu Office 10.0.0 to 10.8.5 may allow a remote attacker to obtain and/or alter the data of the product via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Code Injection Office
NVD
EPSS 2% CVSS 7.2
HIGH POC This Week

DedeCMS v5.7.94 - v5.7.97 was discovered to contain a remote code execution vulnerability in member_toadmin.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL Act Now

There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Portal For Arcgis
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP Eyes Of Network Web
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Portal For Arcgis
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

This library allows strings to be parsed as functions and stored as a specialized component,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Mozilla Code Injection +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selected randomly only at boot time) in upstream queries sent to DNS resolvers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Dproxy Nexgen
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in taocms 3.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Totd
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Arvados
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Node.js Undici
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient validation of untrusted input in Settings in Google Chrome prior to 104.0.5112.79 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Code Injection Chrome +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Settings application has an argument injection vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Emui Harmonyos +1
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start,. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Code Injection Go
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Affected devices do not properly sanitize an input field. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Scalance M 800 Firmware Scalance S615 Firmware +88
NVD VulDB
EPSS 1% CVSS 7.8
HIGH This Week

Azure RTOS GUIX Studio Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Visual Studio Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Visual Studio +3
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Azure Site Recovery Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Microsoft Code Injection +10
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Microsoft Code Injection +5
NVD
EPSS 80% CVSS 9.8
CRITICAL Act Now

Windows Network File System Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +1
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Microsoft Code Injection +10
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Windows WebBrowser Control Remote Code Execution Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Microsoft Code Injection +10
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Azure RTOS GUIX Studio Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Code Injection +1
NVD
EPSS 0% CVSS 3.3
LOW Monitor

A vulnerability using PendingIntent in Knox VPN prior to SMR Aug-2022 Release 1 allows attackers to access content providers with system privilege. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Android
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability using PendingIntent in DeX for PC prior to SMR Aug-2022 Release 1 allows attackers to access files with system privilege. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Android
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Control Panel
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains Rider before 2022.2 Trust and Open Project dialog could be bypassed, leading to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Rider
NVD
EPSS 2% CVSS 7.2
HIGH POC This Week

Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Mealie
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Shescape is a simple shell escape package for JavaScript. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Code Injection Shescape
NVD GitHub
EPSS 45% CVSS 7.2
HIGH This Week

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Atlassian Code Injection +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

EllieGrid Android Application version 3.4.1 is vulnerable to Code Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Google Code Injection +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

The vulnerability was found in Moodle, occurs due to improper input validation when parsing PostScript code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Moodle +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Code Injection Request A Quote
NVD WPScan
EPSS 9% CVSS 9.8
CRITICAL POC PATCH Act Now

The package convert-svg-core before 0.6.2 are vulnerable to Remote Code Injection via sending an SVG file containing the payload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Convert Svg Core
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

In JetBrains TeamCity before 2022.04.2 build parameter injection was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Teamcity
NVD
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Woocommerce
NVD WPScan
EPSS 33% CVSS 9.8
CRITICAL POC THREAT Act Now

PbootCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the function parserIfLabel at function.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by the application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection SAP Business One
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Apple Code Injection Insync Client
NVD VulDB
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Siemens RCE Code Injection +15
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100,. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Ruggedcom Ros
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions < V10.1.2). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Code Injection Excel Importer
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Webswing before 22.1.3 allows X-Forwarded-For header injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Webswing
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Known v1.3.1+2020120201 was discovered to allow attackers to perform an account takeover via a host header injection attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Known
NVD GitHub
EPSS 7% CVSS 5.9
MEDIUM POC This Month

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Code Injection Curl Fedora +12
NVD
EPSS 3% CVSS 6.5
MEDIUM POC PATCH This Month

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Code Injection Gnupg Fedora +3
NVD
EPSS 10% CVSS 7.2
HIGH POC PATCH THREAT This Week

Code Injection in GitHub repository getgrav/grav prior to 1.7.34. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Grav
NVD GitHub
EPSS 17% CVSS 9.8
CRITICAL PATCH Act Now

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Code Injection Spring Data Mongodb
NVD
EPSS 2% CVSS 5.3
MEDIUM This Month

Apache Sling Commons Log <= 5.4.0 and Apache Sling API <= 2.25.0 are vulnerable to log injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Code Injection Sling Api +1
NVD
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

In motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Code Injection Motor Admin
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Wp Crm
NVD WPScan
EPSS 9% CVSS 9.8
CRITICAL POC Act Now

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection +2
NVD WPScan
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Code Injection in GitHub repository nuitka/nuitka prior to 0.9. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

RCE Code Injection Nuitka
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Convert Svg Core
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Drawio
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Metacalc
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Lp1501 Firmware Lp1502 Firmware +12
NVD
Prev Page 35 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4852

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy