Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2013-1412

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Jun, 2014 | 15:00
Updated At-06 Aug, 2024 | 14:57
Rejected At-
Credits

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Jun, 2014 | 15:00
Updated At:06 Aug, 2024 | 14:57
Rejected At:
▼CVE Numbering Authority (CNA)

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.securityfocus.com/bid/57603
vdb-entry
x_refsource_BID
http://www.exploit-db.com/exploits/24444
exploit
x_refsource_EXPLOIT-DB
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
x_refsource_CONFIRM
http://osvdb.org/89662
vdb-entry
x_refsource_OSVDB
http://www.exploit-db.com/exploits/24438
exploit
x_refsource_EXPLOIT-DB
http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
mailing-list
x_refsource_BUGTRAQ
http://karmainsecurity.com/KIS-2013-01
x_refsource_MISC
http://secunia.com/advisories/51971
third-party-advisory
x_refsource_SECUNIA
Hyperlink: http://www.securityfocus.com/bid/57603
Resource:
vdb-entry
x_refsource_BID
Hyperlink: http://www.exploit-db.com/exploits/24444
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
Resource:
x_refsource_CONFIRM
Hyperlink: http://osvdb.org/89662
Resource:
vdb-entry
x_refsource_OSVDB
Hyperlink: http://www.exploit-db.com/exploits/24438
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
Resource:
mailing-list
x_refsource_BUGTRAQ
Hyperlink: http://karmainsecurity.com/KIS-2013-01
Resource:
x_refsource_MISC
Hyperlink: http://secunia.com/advisories/51971
Resource:
third-party-advisory
x_refsource_SECUNIA
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.securityfocus.com/bid/57603
vdb-entry
x_refsource_BID
x_transferred
http://www.exploit-db.com/exploits/24444
exploit
x_refsource_EXPLOIT-DB
x_transferred
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
x_refsource_CONFIRM
x_transferred
http://osvdb.org/89662
vdb-entry
x_refsource_OSVDB
x_transferred
http://www.exploit-db.com/exploits/24438
exploit
x_refsource_EXPLOIT-DB
x_transferred
http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
mailing-list
x_refsource_BUGTRAQ
x_transferred
http://karmainsecurity.com/KIS-2013-01
x_refsource_MISC
x_transferred
http://secunia.com/advisories/51971
third-party-advisory
x_refsource_SECUNIA
x_transferred
Hyperlink: http://www.securityfocus.com/bid/57603
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: http://www.exploit-db.com/exploits/24444
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://osvdb.org/89662
Resource:
vdb-entry
x_refsource_OSVDB
x_transferred
Hyperlink: http://www.exploit-db.com/exploits/24438
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
Resource:
mailing-list
x_refsource_BUGTRAQ
x_transferred
Hyperlink: http://karmainsecurity.com/KIS-2013-01
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://secunia.com/advisories/51971
Resource:
third-party-advisory
x_refsource_SECUNIA
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Jun, 2014 | 15:55
Updated At:06 May, 2026 | 22:30

DataLife Engine (DLE) 9.7 allows remote attackers to execute arbitrary PHP code via the catlist[] parameter to engine/preview.php, which is used in a preg_replace function call with an e modifier.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches

dleviet
dleviet
>>datalife_engine>>9.7
cpe:2.3:a:dleviet:datalife_engine:9.7:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-94Primarynvd@nist.gov
CWE ID: CWE-94
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.htmlcve@mitre.org
Exploit
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.htmlcve@mitre.org
Patch
Vendor Advisory
http://karmainsecurity.com/KIS-2013-01cve@mitre.org
Exploit
http://osvdb.org/89662cve@mitre.org
N/A
http://secunia.com/advisories/51971cve@mitre.org
N/A
http://www.exploit-db.com/exploits/24438cve@mitre.org
Exploit
http://www.exploit-db.com/exploits/24444cve@mitre.org
Exploit
http://www.securityfocus.com/bid/57603cve@mitre.org
N/A
http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.htmlaf854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
http://karmainsecurity.com/KIS-2013-01af854a3a-2127-422b-91ae-364da2661108
Exploit
http://osvdb.org/89662af854a3a-2127-422b-91ae-364da2661108
N/A
http://secunia.com/advisories/51971af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.exploit-db.com/exploits/24438af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.exploit-db.com/exploits/24444af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.securityfocus.com/bid/57603af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://karmainsecurity.com/KIS-2013-01
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://osvdb.org/89662
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://secunia.com/advisories/51971
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.exploit-db.com/exploits/24438
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.exploit-db.com/exploits/24444
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.securityfocus.com/bid/57603
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://archives.neohapsis.com/archives/bugtraq/2013-01/0117.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory
Hyperlink: http://karmainsecurity.com/KIS-2013-01
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://osvdb.org/89662
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://secunia.com/advisories/51971
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.exploit-db.com/exploits/24438
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.exploit-db.com/exploits/24444
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.securityfocus.com/bid/57603
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

902Records found

CVE-2014-2027
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.08% / 89.47%
||
7 Day CHG+0.03%
Published-31 Mar, 2015 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5) info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed parameter to preferences/inc/class.uiaclprefs.inc.php.

Action-Not Available
Vendor-egroupwaren/a
Product-egroupwaren/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2044
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-12.39% / 95.71%
||
7 Day CHG~0.00%
Published-06 Oct, 2014 | 23:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.

Action-Not Available
Vendor-n/aownCloud GmbH
Product-owncloud_serverowncloudn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-1716
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-7.5||HIGH
EPSS-1.93% / 77.59%
||
7 Day CHG~0.00%
Published-09 Apr, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

Action-Not Available
Vendor-n/aDebian GNU/LinuxopenSUSEGoogle LLC
Product-chromedebian_linuxopensusen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-1613
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.28% / 81.06%
||
7 Day CHG~0.00%
Published-16 May, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php.

Action-Not Available
Vendor-dotclearn/a
Product-dotclearn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2293
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.86% / 90.96%
||
7 Day CHG~0.00%
Published-26 Mar, 2018 | 18:00
Updated-06 Aug, 2024 | 10:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.

Action-Not Available
Vendor-zikulan/a
Product-zikula_application_frameworkn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-35339
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.41% / 90.16%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 14:32
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server.

Action-Not Available
Vendor-74cmsn/a
Product-74cmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2208
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.68% / 84.01%
||
7 Day CHG~0.00%
Published-28 Dec, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

Action-Not Available
Vendor-n/aFacebook
Product-hiphop_virtual_machinen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-10.02% / 95.05%
||
7 Day CHG~0.00%
Published-11 Sep, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.

Action-Not Available
Vendor-ploggern/a
Product-ploggern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-1999
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-2.72% / 84.22%
||
7 Day CHG~0.00%
Published-20 Jul, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The auto-format feature in the Request_Curl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response.

Action-Not Available
Vendor-fuelphpn/a
Product-fuelphpn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-1939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.07% / 60.79%
||
7 Day CHG~0.00%
Published-03 Mar, 2014 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.

Action-Not Available
Vendor-n/aGoogle LLCLenovo Group Limited
Product-androidshareitn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-1691
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-42.90% / 98.56%
||
7 Day CHG~0.00%
Published-01 Apr, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.

Action-Not Available
Vendor-n/aHorde LLC
Product-horde_application_frameworkn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2302
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.52% / 90.38%
||
7 Day CHG~0.00%
Published-19 Jul, 2018 | 17:00
Updated-06 Aug, 2024 | 10:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.

Action-Not Available
Vendor-webeditionn/a
Product-webedition_cmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-2051
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.46% / 70.46%
||
7 Day CHG~0.00%
Published-05 Jun, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."

Action-Not Available
Vendor-n/aownCloud GmbH
Product-owncloud_servern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2005-4573
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-11.70% / 95.55%
||
7 Day CHG~0.00%
Published-29 Dec, 2005 | 11:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP remote file include vulnerability in plog-admin-functions.php in Plogger Beta 2 allows remote attackers to execute arbitrary code via a URL in the config[basedir] parameter.

Action-Not Available
Vendor-ploggern/a
Product-ploggern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-21305
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.4||HIGH
EPSS-12.68% / 95.77%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 19:20
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection vulnerability in CarrierWave

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

Action-Not Available
Vendor-carrierwave_projectcarrierwaveuploader
Product-carrierwavecarrierwave
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2007-1233
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.27% / 86.88%
||
7 Day CHG~0.00%
Published-03 Mar, 2007 | 19:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP remote file inclusion vulnerability in downloadcounter.php in STWC-Counter 3.4.0.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the stwc_counter_verzeichniss parameter.

Action-Not Available
Vendor-stwc-countern/a
Product-stwc-countern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2007-1415
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-9.29% / 94.76%
||
7 Day CHG~0.00%
Published-12 Mar, 2007 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.

Action-Not Available
Vendor-pmb_servicesn/a
Product-pmb_servicesn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-7703
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.88%
||
7 Day CHG~0.00%
Published-03 May, 2026 | 16:15
Updated-05 May, 2026 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AV Stumpfl Pixera Two Media Server Websocket API code injection

A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.

Action-Not Available
Vendor-AV Stumpfl
Product-Pixera Two Media Server
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-0602
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.85% / 85.01%
||
7 Day CHG~0.00%
Published-07 Jul, 2014 | 10:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the DumpToFile method in the NQMcsVarSet ActiveX control in NetIQ Security Manager through 6.5.4 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3460.

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-security_managern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-0818
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.5||HIGH
EPSS-2.49% / 82.71%
||
7 Day CHG~0.00%
Published-22 Feb, 2014 | 21:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Untrusted search path vulnerability in Autodesk AutoCAD before 2014 allows local users to gain privileges and execute arbitrary VBScript code via a Trojan horse FAS file in the FAS file search path.

Action-Not Available
Vendor-n/aAutodesk Inc.
Product-autocadn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-7086
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.53% / 87.83%
||
7 Day CHG~0.00%
Published-19 Dec, 2013 | 02:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.

Action-Not Available
Vendor-webbynoden/a
Product-webbynoden/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2017-20099
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-1.09% / 61.31%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 18:11
Updated-15 Apr, 2025 | 14:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Analytics Stats Counter Statistics Plugin code injection

A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. This issue affects some unknown processing. The manipulation leads to code injection. The attack may be initiated remotely.

Action-Not Available
Vendor-analytics_stats_counter_statistics_projectunspecified
Product-analytics_stats_counter_statisticsAnalytics Stats Counter Statistics Plugin
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-7034
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.58% / 72.58%
||
7 Day CHG~0.00%
Published-05 May, 2014 | 17:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The setCookieValue function in _lib/functions.global.inc.php in LiveZilla before 5.1.2.1 allows remote attackers to execute arbitrary PHP code via a serialized PHP object in a cookie.

Action-Not Available
Vendor-livezillan/a
Product-livezillan/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2014-0057
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.59% / 72.64%
||
7 Day CHG~0.00%
Published-18 Mar, 2014 | 14:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-cloudformscloudforms_3.0_management_enginen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-5647
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.99% / 78.19%
||
7 Day CHG~0.00%
Published-29 Aug, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

Action-Not Available
Vendor-adam_zaninovichn/aRuby
Product-rubysoundern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6110
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 32.84%
||
7 Day CHG~0.00%
Published-12 Apr, 2026 | 02:00
Updated-30 Apr, 2026 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoundationAgents MetaGPT Tree-of-Thought Solver tot.py generate_thoughts code injection

A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-deepwisdomFoundationAgents
Product-metagptMetaGPT
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-5674
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.10% / 79.42%
||
7 Day CHG~0.00%
Published-16 Sep, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

Action-Not Available
Vendor-n/aMoodle Pty Ltd
Product-moodlen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-4203
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.08% / 79.16%
||
7 Day CHG~0.00%
Published-11 Oct, 2013 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

Action-Not Available
Vendor-richard_cookn/a
Product-rgpgn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6594
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 25.50%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 01:45
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
brikcss merge prototype pollution

A vulnerability was determined in brikcss merge up to 1.3.0. This affects an unknown part. Executing a manipulation of the argument __proto__/constructor.prototype/prototype can lead to improperly controlled modification of object prototype attributes. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-brikcss
Product-merge
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6603
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.88%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 04:00
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
modelscope agentscope _python.py execute_shell_command code injection

A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-modelscope
Product-agentscope
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-6621
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 25.50%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 08:30
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1024bit extend-deep index.js prototype pollution

A vulnerability was determined in 1024bit extend-deep up to 0.1.6. The impacted element is an unknown function of the file index.js. This manipulation of the argument __proto__ causes improperly controlled modification of object prototype attributes. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The code repository of the project has not been active for many years.

Action-Not Available
Vendor-1024bit
Product-extend-deep
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-4537
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.93% / 85.37%
||
7 Day CHG~0.00%
Published-04 Nov, 2014 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image.

Action-Not Available
Vendor-n/aQEMU
Product-qemun/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-16774
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-1.23% / 65.22%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 23:05
Updated-05 Aug, 2024 | 01:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Object injection in cookie driver

In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.

Action-Not Available
Vendor-phpfastcachePHPSocialNetwork
Product-phpfastcachephpfastcache
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2013-4376
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.75% / 84.40%
||
7 Day CHG~0.00%
Published-09 Dec, 2013 | 11:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server before 4.0.0.2 allows remote attackers to execute arbitrary code via unspecified vectors, related to the path to libx2go-server-db-sqlite3-wrapper.pl.

Action-Not Available
Vendor-x2gon/a
Product-x2go_servern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-4830
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-7.5||HIGH
EPSS-5.58% / 91.94%
||
7 Day CHG~0.00%
Published-16 Oct, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HP Service Manager 9.30 through 9.32 allows remote attackers to execute arbitrary code via an unspecified "injection" approach.

Action-Not Available
Vendor-n/aHP Inc.
Product-service_managern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-4338
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-8.75% / 94.52%
||
7 Day CHG~0.00%
Published-12 Sep, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

Action-Not Available
Vendor-n/aWordPress.org
Product-wordpressn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-2617
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-4.42% / 90.18%
||
7 Day CHG~0.00%
Published-20 Mar, 2013 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Action-Not Available
Vendor-curl_projectn/a
Product-curln/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-2827
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-49.23% / 98.74%
||
7 Day CHG~0.00%
Published-15 Jan, 2014 | 16:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 allows remote attackers to download arbitrary DLL code onto a client machine and execute this code via the ProjectURL property value.

Action-Not Available
Vendor-wellintechn/a
Product-kinggraphickingalarm\&eventkingscadan/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-16759
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-99.73% / 99.95%
||
7 Day CHG~0.00%
Published-24 Sep, 2019 | 21:01
Updated-07 Nov, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

Action-Not Available
Vendor-vbulletinn/avBulletin
Product-vbulletinn/avBulletin
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-5631
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.88%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 06:30
Updated-27 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
assafelovic gpt-researcher ws Endpoint server_utils.py extract_command_data code injection

A vulnerability has been found in assafelovic gpt-researcher up to 3.4.3. This affects the function extract_command_data of the file backend/server/server_utils.py of the component ws Endpoint. Such manipulation of the argument args leads to code injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-assafelovic
Product-gpt-researcher
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-3520
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-55.64% / 98.92%
||
7 Day CHG~0.00%
Published-17 Jun, 2013 | 01:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not proper handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-vcenter_chargeback_managern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-5739
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 30.82%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:15
Updated-27 Apr, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-n/a
Product-PowerJob
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-5970
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 30.72%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 17:00
Updated-29 Apr, 2026 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoundationAgents MetaGPT HumanEvalBenchmark/MBPPBenchmark check_solution code injection

A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function check_solution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Action-Not Available
Vendor-deepwisdomFoundationAgents
Product-metagptMetaGPT
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-5971
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.39% / 30.72%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 18:00
Updated-29 Apr, 2026 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Action-Not Available
Vendor-deepwisdomFoundationAgents
Product-metagptMetaGPT
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2013-2549
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-6.42% / 92.86%
||
7 Day CHG~0.00%
Published-11 Mar, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unspecified vulnerability in Adobe Reader 11.0.02 allows remote attackers to execute arbitrary code via vectors related to a "break into the sandbox," as demonstrated by George Hotz during a Pwn2Own competition at CanSecWest 2013.

Action-Not Available
Vendor-n/aAdobe Inc.
Product-acrobat_readern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1875
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-3.63% / 88.16%
||
7 Day CHG~0.00%
Published-20 Mar, 2013 | 22:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.

Action-Not Available
Vendor-rubygemsn/a
Product-command_wrapn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1898
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.11% / 79.52%
||
7 Day CHG~0.00%
Published-09 Apr, 2013 | 20:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Action-Not Available
Vendor-digineon/a
Product-thumbshootern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-0912
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-7.5||HIGH
EPSS-4.27% / 89.87%
||
7 Day CHG~0.00%
Published-11 Mar, 2013 | 10:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebKit in Google Chrome before 25.0.1364.160 allows remote attackers to execute arbitrary code via vectors that leverage "type confusion."

Action-Not Available
Vendor-n/aGoogle LLC
Product-chromen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1436
Matching Score-4
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-4
Assigner-Debian GNU/Linux
CVSS Score-7.5||HIGH
EPSS-8.98% / 94.64%
||
7 Day CHG~0.00%
Published-06 Oct, 2014 | 23:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.

Action-Not Available
Vendor-xmonadn/a
Product-xmonad-contrabn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2013-1397
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.62% / 73.13%
||
7 Day CHG~0.00%
Published-02 Jun, 2014 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348.

Action-Not Available
Vendor-sensiolabsn/a
Product-symfonyn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 18
  • 19
  • Next
Details not found