Skip to main content

Code Injection

web CRITICAL

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization.

How It Works

Code injection occurs when an application accepts user input and passes it directly into a language interpreter or evaluator without proper sanitization. Unlike command injection (which targets the OS shell), code injection exploits the application's own scripting engine—Python's eval(), PHP's eval(), JavaScript's eval(), Ruby's instance_eval(), or similar dynamic execution functions. The attacker crafts input that, when interpreted, executes arbitrary code within the application's runtime context.

Common attack vectors include server-side template engines where user input reaches expression evaluators, configuration files that are dynamically loaded and executed, code validators that ironically execute the code they're supposed to check, and endpoints that process serialized objects or callable definitions. In Python applications, decorators evaluated at class definition time present particularly dangerous targets since they execute before any runtime validation occurs.

The exploitation chain typically begins with identifying an endpoint that processes structured input—API parameters, file uploads, configuration snippets. The attacker then crafts payloads that break out of intended data contexts into executable code contexts. For instance, injecting @os.system('whoami') as a decorator definition, or embedding {{ ''.__class__.__mro__[1].__subclasses__() }} in template syntax to access Python internals and escalate to operating system commands.

Impact

  • Complete server compromise — execute arbitrary Python, PHP, Ruby, or JavaScript code with application privileges
  • Operating system command execution — break out from language runtime to system shell via subprocess calls
  • Data exfiltration — read database credentials, environment variables, source code, and business data
  • Persistence establishment — modify application files, inject backdoors, create scheduled tasks
  • Lateral movement — leverage server access to attack internal network resources and connected services

Real-World Examples

A critical vulnerability in Langflow, a popular AI workflow framework with over 50,000 GitHub stars, exposed an unauthenticated /api/v1/validate/code endpoint meant to check Python code safety. Attackers discovered they could inject malicious decorators into class definitions. Since Python evaluates decorators at class definition time-before the AST validation logic even ran-the payload executed immediately when passed to exec(). This provided complete remote code execution without authentication.

Web template engines frequently suffer from code injection when developers allow user content in template expressions. An attacker might inject {{7*7}} to test for evaluation, then escalate to {{config.items()}} to dump Flask configuration, ultimately reaching {{''.__class__.__bases__[0].__subclasses__()}} to navigate Python's object hierarchy and invoke system commands.

Configuration management systems that dynamically import or evaluate user-supplied configuration have enabled attackers to inject executable code disguised as YAML anchors, JSON with embedded expressions, or INI files with interpreted sections.

Mitigation

  • Eliminate dynamic code execution — refactor to use data-driven approaches instead of eval(), exec(), Function(), or similar constructs
  • Abstract Syntax Tree (AST) allowlisting — if code execution is unavoidable, parse input into AST and validate against a strict allowlist of permitted operations before execution
  • Sandboxed execution environments — use restricted interpreters (Python's RestrictedPython), containers, or separate processes with minimal privileges
  • Remove or authenticate debug/validation endpoints — code validators and test endpoints are prime targets
  • Input type enforcement — accept only serialized data formats (JSON, Protocol Buffers) that cannot contain executable code
  • Defense in depth — run application with minimal OS privileges, use network segmentation, monitor for unusual subprocess creation

Recent CVEs (4856)

EPSS 2% CVSS 8.8
HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Backbone Query Parameters
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-plugin-query-object 2.2.3 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Plugin Query Object
NVD GitHub
EPSS 100% CVSS 10.0
CRITICAL POC KEV THREAT Emergency

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Gitlab Code Injection
NVD Exploit-DB
EPSS 100% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Exiftool +2
NVD GitHub Exploit-DB
EPSS 1% CVSS 8.8
HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more 1.6.0 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Mootools More
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam 0.5.1 allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Deparam
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-sparkle 1.5.2-beta allows a malicious user to inject properties into Object.prototype. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Prototype Pollution Code Injection Jquery Sparkle
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Discord-Recon is a bot for the Discord chat service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Discord Recon
NVD GitHub
EPSS 2% CVSS 8.8
HIGH This Week

Discord Recon Server is a bot that allows one to do one's reconnaissance process from one's Discord. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Discord Recon
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Administrator
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Dio
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in MDaemon before 20.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Mdaemon
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC PATCH This Week

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nextcloud Code Injection Desktop +1
NVD GitHub
EPSS 31% CVSS 7.2
HIGH POC PATCH THREAT This Week

Grav is a file based Web-platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Grav
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.9
CRITICAL Act Now

SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection +1
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Intelligent Power Manager
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Intelligent Power Manager Intelligent Power Manager Virtual Appliance +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Google Code Injection Android
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Trend Micro Password Manager version 5 (Consumer) is vulnerable to a DLL Hijacking vulnerability which could allow an attacker to inject a malicious DLL file during the installation progress and. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Trend Micro Code Injection Password Manager
NVD
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

Discord Recon Server is a bot that allows you to do your reconnaissance process from your Discord. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Discord Recon
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges on the underlying Linux operating. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Code Injection +1
NVD
EPSS 1% CVSS 4.1
MEDIUM PATCH This Month

Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity.

Cisco Code Injection Umbrella
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection Umbrella
NVD
EPSS 3% CVSS 8.8
HIGH This Week

A vulnerability in the SOAP API endpoint of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM &. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco RCE Code Injection +4
NVD
EPSS 24% CVSS 7.2
HIGH POC PATCH THREAT This Week

The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress RCE PHP +2
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC This Month

A stored HTML injection vulnerability exists in Knowage Suite version 7.1. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Knowage
NVD GitHub
EPSS 4% CVSS 7.2
HIGH POC PATCH This Week

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Underscore +3
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required.

Python Code Injection Synapse +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Reason Dr60 Firmware
NVD
EPSS 76% CVSS 7.5
HIGH POC THREAT This Week

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Openam
NVD Exploit-DB
EPSS 0% CVSS 7.3
HIGH This Week

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Code Injection +2
NVD
EPSS 72% CVSS 9.9
CRITICAL POC PATCH THREAT Act Now

XStream is a Java library to serialize objects to XML and back again. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection Java +16
NVD GitHub
EPSS 47% CVSS 7.5
HIGH POC PATCH THREAT This Week

XStream is a Java library to serialize objects to XML and back again. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Java Oncommand Insight +14
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Service Provider Debian Linux
NVD
EPSS 38% CVSS 7.2
HIGH POC THREAT This Week

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Oracle Code Injection +4
NVD Exploit-DB
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

shescape is a simple shell escape package for JavaScript. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Code Injection Shescape
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Contact Form 7 Database Addon
NVD WPScan
EPSS 3% CVSS 8.8
HIGH POC This Week

ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Dell SupportAssist Client for Consumer PCs versions 3.7.x, 3.6.x, 3.4.x, 3.3.x, Dell SupportAssist Client for Business PCs versions 2.0.x, 2.1.x, 2.2.x, and Dell SupportAssist Client ProManage 1.x. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Dell Code Injection Supportassist Client Promanage +2
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Xwiki
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM POC This Month

A flaw was found in the Linux kernel in versions prior to 5.10. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Linux RCE Code Injection +2
NVD
EPSS 51% CVSS 8.8
HIGH This Week

SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Privilege Escalation SAP +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Dell Code Injection Idrac8 Firmware
NVD
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

The package total.js before 3.4.8 are vulnerable to Remote Code Execution (RCE) via set. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Total Js
NVD GitHub
EPSS 1% CVSS 4.4
MEDIUM This Month

A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Online Invoicing System
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Fta
NVD GitHub
EPSS 17% 4.0 CVSS 9.8
CRITICAL POC THREAT Emergency

SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.7%.

Code Injection Agcombo Vd625 Firmware
NVD VulDB
EPSS 72% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Salt Fedora +1
NVD GitHub
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in through SaltStack Salt before 3002.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Salt +2
NVD GitHub
EPSS 6% CVSS 7.2
HIGH POC This Week

Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/graphtemplates.php component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 82% CVSS 9.8
CRITICAL PATCH Act Now

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Code Injection Smarty +1
NVD GitHub
EPSS 22% CVSS 7.2
HIGH POC PATCH THREAT This Week

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Code Injection +23
NVD GitHub
EPSS 2% CVSS 7.2
HIGH This Week

The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Trend Micro Code Injection +8
NVD
EPSS 10% CVSS 9.1
CRITICAL POC PATCH Act Now

In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Java Scimono
NVD GitHub
EPSS 30% CVSS 9.9
CRITICAL Act Now

SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection +1
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

An issue was discovered in SmartFoxServer 2.17.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Python +1
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

A frame-injection issue in the online help in Redwood Report2Web 4.3.4.5 allows remote attackers to render an external resource inside a frame via the help/Online_Help/NetHelp/default.htm turl. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Report2Web
NVD
EPSS 1% CVSS 4.1
MEDIUM This Month

A vulnerability in the user interface of Cisco Webex Meetings and Cisco Webex Meetings Server Software could allow an authenticated, remote attacker to inject a hyperlink into a meeting invitation. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Code Injection Webex Meetings +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Youtrack
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE PHP Code Injection +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

RSSHub is an open source, easy to use, and extensible RSS feed generator. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Rsshub
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Phplist
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Onedev
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 750, 782 and SAP BW/4HANA, versions 100, 200, allow a low privileged attacker to inject code using a remote enabled function module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE SAP Information Disclosure +4
NVD
EPSS 0% CVSS 7.8
HIGH This Week

There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Imanager Neteco 6000
NVD
EPSS 4% CVSS 7.3
HIGH POC This Week

Email Injection in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to abuse the forget password functionality and achieve account takeover. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Tos
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in the http package through 0.12.2 for Dart. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Http
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Thingsboard
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered on D-Link DSR-250 3.17 devices. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection D-Link Dsr 150 Firmware +9
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SSTI) vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Fastadmin
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An injection vulnerability exists in RT-AC88U Download Master before 3.1.0.108. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rt Ac88U Firmware
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Code Injection Firefox
NVD
EPSS 8% CVSS 7.8
HIGH POC This Week

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Imagemagick Debian Linux
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM This Month

Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Code Injection Automation For Jira
NVD
EPSS 2% CVSS 9.0
CRITICAL PATCH Act Now

IBM Cloud Pak for Security 1.3.0.1(CP4S) potentially vulnerable to CVS Injection. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

IBM Code Injection Cloud Pak For Security
NVD
EPSS 8% CVSS 4.8
MEDIUM PATCH This Month

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Code Injection Jetty Oncommand System Manager +15
NVD GitHub
EPSS 1% CVSS 4.1
MEDIUM This Month

cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567). Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Cpanel
NVD
EPSS 68% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Code Injection Unomi
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

A CSV injection vulnerability in the Admin portal for Netskope 75.0 allows an unauthenticated user to inject malicious payload in admin's portal thus leads to compromise admin's system. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Netskope
NVD
EPSS 1% CVSS 7.8
HIGH This Week

SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Suitecrm
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Code Injection Go +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Archer
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Arcsight Logger
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Teamcity
NVD
EPSS 10% CVSS 8.8
HIGH POC This Week

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD Exploit-DB
EPSS 10% CVSS 8.8
HIGH POC This Week

An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD Exploit-DB
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Lettre
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

This affects the package nodemailer before 6.4.16. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Nodemailer
NVD GitHub
Prev Page 39 of 54 Next

Quick Facts

Typical Severity
CRITICAL
Category
web
Total CVEs
4856

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy