Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-42374

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-13 Feb, 2024 | 00:00
Updated At-24 Apr, 2025 | 15:40
Rejected At-
Credits

An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote attacker to execute arbitrary code and cause a denial of service via a crafted compressed script to the Sui node component.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:13 Feb, 2024 | 00:00
Updated At:24 Apr, 2025 | 15:40
Rejected At:
▼CVE Numbering Authority (CNA)

An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote attacker to execute arbitrary code and cause a denial of service via a crafted compressed script to the Sui node component.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057c
N/A
https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9
N/A
https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-US
N/A
Hyperlink: https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057c
Resource: N/A
Hyperlink: https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9
Resource: N/A
Hyperlink: https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-US
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
mystenlabs
Product
sui_blockchain
CPEs
  • cpe:2.3:a:mystenlabs:sui_blockchain:1.6.3:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 1.6.3 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-94CWE-94 Improper Control of Generation of Code ('Code Injection')
Type: CWE
CWE ID: CWE-94
Description: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057c
x_transferred
https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9
x_transferred
https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-US
x_transferred
Hyperlink: https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057c
Resource:
x_transferred
Hyperlink: https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9
Resource:
x_transferred
Hyperlink: https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-US
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:13 Feb, 2024 | 01:15
Updated At:21 Oct, 2024 | 20:17

An issue in mystenlabs Sui Blockchain before v.1.6.3 allow a remote attacker to execute arbitrary code and cause a denial of service via a crafted compressed script to the Sui node component.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

mystenlabs
mystenlabs
>>sui>>Versions before 1.6.3(exclusive)
cpe:2.3:a:mystenlabs:sui:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-94Primarynvd@nist.gov
CWE-94Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-94
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-94
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-UScve@mitre.org
Third Party Advisory
https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9cve@mitre.org
Patch
https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057ccve@mitre.org
Broken Link
Hyperlink: https://beosin.com/resources/%22memory-bomb%22-vulnerability-causes-sui-node-to-crash?lang=en-US
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://github.com/MystenLabs/sui/commit/42d4ad103a21d23fecd7c0271453da41604e71e9
Source: cve@mitre.org
Resource:
Patch
Hyperlink: https://medium.com/%40Beosin_com/memory-bomb-vulnerability-causes-sui-node-to-crash-7e8e3ef5057c
Source: cve@mitre.org
Resource:
Broken Link

Change History

0
Information is not available yet

Similar CVEs

699Records found

CVE-2024-45186
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 46.94%
||
7 Day CHG~0.00%
Published-02 Oct, 2024 | 00:00
Updated-04 Oct, 2024 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.

Action-Not Available
Vendor-n/afilesender
Product-n/afilesender
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-32692
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 67.77%
||
7 Day CHG~0.00%
Published-30 May, 2023 | 03:15
Updated-10 Jan, 2025 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution Vulnerability in Validation Placeholders

CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5.

Action-Not Available
Vendor-codeignitercodeigniter4
Product-codeigniterCodeIgniter4
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-44623
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-12.71% / 93.73%
||
7 Day CHG~0.00%
Published-16 Sep, 2024 | 00:00
Updated-25 Sep, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.

Action-Not Available
Vendor-spxn/atuomoku
Product-spx_graphics_controllern/aspx_gc
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-3224
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.1||HIGH
EPSS-1.93% / 82.64%
||
7 Day CHG~0.00%
Published-13 Jun, 2023 | 00:00
Updated-03 Jan, 2025 | 02:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection in nuxt/nuxt

Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.

Action-Not Available
Vendor-nuxtnuxt
Product-nuxtnuxt/nuxt
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.24% / 78.39%
||
7 Day CHG~0.00%
Published-26 Jun, 2020 | 13:46
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= for eval injection of Python code.

Action-Not Available
Vendor-n/aZyxel Networks Corporation
Product-cloud_cnm_secumanagern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-44758
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.77%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 00:00
Updated-27 Nov, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files.

Action-Not Available
Vendor-n/aerp
Product-n/amanagement_software
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-32697
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-3.51% / 87.16%
||
7 Day CHG~0.00%
Published-23 May, 2023 | 22:45
Updated-05 Mar, 2025 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled

SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2.

Action-Not Available
Vendor-sqlite_jdbc_projectxerial
Product-sqlite_jdbcsqlite-jdbc
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-32728
Matching Score-4
Assigner-Zabbix
ShareView Details
Matching Score-4
Assigner-Zabbix
CVSS Score-4.6||MEDIUM
EPSS-0.53% / 66.12%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 09:19
Updated-27 Nov, 2024 | 20:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code injection in zabbix_agent2 smart.disk.get caused by smartctl plugin

The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution.

Action-Not Available
Vendor-ZABBIX
Product-zabbix-agent2Zabbix
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15371
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 67.66%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 13:10
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Brocade Fabric OS versions before Brocade Fabric OS v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0_CBN3, contains code injection and privilege escalation vulnerability.

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-fabric_operating_systemBrocade Fabric OS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15591
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.03% / 88.04%
||
7 Day CHG~0.00%
Published-17 Mar, 2022 | 15:39
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fexsrv in F*EX (aka Frams' Fast File EXchange) before fex-20160919_2 allows eval injection (for unauthenticated remote code execution).

Action-Not Available
Vendor-uni-stuttgartn/a
Product-frams\'_fast_file_exchangen/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15865
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.78% / 90.93%
||
7 Day CHG~0.00%
Published-18 Aug, 2020 | 20:02
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Remote Code Execution vulnerability in Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0 allows an attacker to encode C# scripts as base-64 in the report XML file so that they will be compiled and executed on the server that processes this file. This can be used to fully compromise the server.

Action-Not Available
Vendor-stimulsoftn/a
Product-reportsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-32540
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.2||HIGH
EPSS-0.09% / 26.43%
||
7 Day CHG~0.00%
Published-05 Jun, 2023 | 23:16
Updated-08 Jan, 2025 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/scadaWebAccess/SCADA
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-32626
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.54% / 66.49%
||
7 Day CHG~0.00%
Published-18 Aug, 2023 | 09:36
Updated-08 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands.

Action-Not Available
Vendor-LOGITEC CORPORATIONlogitecElecom Co., Ltd.
Product-lan-w300n\/rs_firmwarelan-w300n\/pr5lan-w300n\/rslan-w300n\/pr5_firmwareLAN-W300N/RSLAN-W300N/PR5lan-w300n\/rslan_w300n_pr5
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15150
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9||CRITICAL
EPSS-5.34% / 89.69%
||
7 Day CHG~0.00%
Published-01 Sep, 2020 | 16:30
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in paginator(hex)

There is a vulnerability in Paginator (Elixir/Hex package) which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the paginate() function. This will potentially affect all current users of Paginator prior to version 1.0.0. The vulnerability has been patched in version 1.0.0 and all users should upgrade to this version immediately. Note that this patched version uses a dependency that requires an Elixir version >=1.5.

Action-Not Available
Vendor-duffelduffelhq
Product-paginatorpaginator
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30990
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.6||HIGH
EPSS-0.21% / 43.11%
||
7 Day CHG~0.00%
Published-03 Jul, 2023 | 23:14
Updated-25 Nov, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM i command execution

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.

Action-Not Available
Vendor-IBM Corporation
Product-ii
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-42393
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-9.8||CRITICAL
EPSS-0.53% / 66.33%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 18:58
Updated-12 Aug, 2024 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE) in the Soft AP Daemon Service Accessed by the PAPI Protocol

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Action-Not Available
Vendor-HP Inc.Aruba NetworksHewlett Packard Enterprise (HPE)
Product-arubaosinstantosHpe Aruba Networking InstantOS and Aruba Access Points running ArubaOS 10instant
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-30912
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-0.96% / 75.62%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 14:39
Updated-17 Sep, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote code execution issue exists in HPE OneView.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)
Product-oneviewHPE OneView
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-42733
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.86% / 74.17%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 00:00
Updated-23 Jun, 2025 | 19:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input

Action-Not Available
Vendor-docmosisn/a
Product-tornadon/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-15227
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-93.79% / 99.85%
||
7 Day CHG~0.00%
Published-01 Oct, 2020 | 19:00
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution vulnerability

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.

Action-Not Available
Vendor-nettenetteDebian GNU/Linux
Product-applicationdebian_linuxapplication
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-31447
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 46.80%
||
7 Day CHG~0.00%
Published-21 Aug, 2023 | 00:00
Updated-07 Oct, 2024 | 19:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

user_login.cgi on Draytek Vigor2620 devices before 3.9.8.4 (and on all versions of Vigor2925 devices) allows attackers to send a crafted payload to modify the content of the code segment, insert shellcode, and execute arbitrary code.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor2625_firmwarevigor2620_firmwarevigor2620vigor2625n/avigor2620
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-42936
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.46% / 80.06%
||
7 Day CHG+0.43%
Published-21 Jan, 2025 | 00:00
Updated-18 Jun, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The mqlink.elf is service component in Ruijie RG-EW300N with firmware ReyeeOS 1.300.1422 is vulnerable to Remote Code Execution via a modified MQTT broker message.

Action-Not Available
Vendor-n/aRuijie Networks Co., Ltd.
Product-reyee_osrg-ew300nn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-42355
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-1.14% / 77.54%
||
7 Day CHG~0.00%
Published-08 Aug, 2024 | 14:49
Updated-12 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.

Action-Not Available
Vendor-shopwareshopwareshopware
Product-shopwareshopwareshopware
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-13756
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-19.90% / 95.24%
||
7 Day CHG-4.92%
Published-03 Jun, 2020 | 13:46
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

Action-Not Available
Vendor-sabberwormn/a
Product-php_css_parsern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29453
Matching Score-4
Assigner-Zabbix
ShareView Details
Matching Score-4
Assigner-Zabbix
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.62%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 05:50
Updated-18 Sep, 2024 | 15:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Agent 2 package are built with Go version affected by CVE-2023-24538

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template. Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

Action-Not Available
Vendor-ZABBIX
Product-zabbix-agent2Zabbixzabbix-agent2
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30349
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.78% / 85.50%
||
7 Day CHG~0.00%
Published-27 Apr, 2023 | 00:00
Updated-31 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.

Action-Not Available
Vendor-jflyfoxn/a
Product-jfinal_cmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-41366
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.56% / 84.95%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-04 Sep, 2024 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\userScripts.php

Action-Not Available
Vendor-sourcefabricn/asourcefabric
Product-phonieboxn/arpi-jukebox-rfid
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30145
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-66.96% / 98.49%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 00:00
Updated-16 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

Action-Not Available
Vendor-tuzition/a
Product-camaleon_cmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29382
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 67.45%
||
7 Day CHG-0.02%
Published-06 Jul, 2023 | 00:00
Updated-19 Nov, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

Action-Not Available
Vendor-n/aZimbra
Product-collaborationn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30404
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.52% / 84.82%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-03 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function. This vulnerability is exploited via a crafted HTTP request.

Action-Not Available
Vendor-aigitaln/a
Product-wireless-n_repeater_mini_routerwireless-n_repeater_mini_router_firmwaren/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30131
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 46.93%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue discovered in IXP EasyInstall 6.6.14884.0 allows attackers to run arbitrary commands, gain escalated privilege, and cause other unspecified impacts via unauthenticated API calls.

Action-Not Available
Vendor-ixpdatan/a
Product-easyinstalln/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29862
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.97% / 82.80%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 00:00
Updated-23 Jan, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue found in Agasio-Camera device version not specified allows a remote attacker to execute arbitrary code via the check and authLevel parameters.

Action-Not Available
Vendor-agasio_camera_projectn/a
Product-agasio_cameraagasio_camera_firmwaren/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29492
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-25.53% / 96.02%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2023-05-04||Apply updates per vendor instructions.

Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.

Action-Not Available
Vendor-3rdmilln/anovisurveyNovi Survey
Product-novi_surveyn/anovi_surveyNovi Survey
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29404
Matching Score-4
Assigner-Go Project
ShareView Details
Matching Score-4
Assigner-Go Project
CVSS Score-9.8||CRITICAL
EPSS-0.08% / 25.59%
||
7 Day CHG~0.00%
Published-08 Jun, 2023 | 20:19
Updated-06 Jan, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Action-Not Available
Vendor-Go toolchainFedora ProjectGo
Product-gofedoracmd/go
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29402
Matching Score-4
Assigner-Go Project
ShareView Details
Matching Score-4
Assigner-Go Project
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 32.31%
||
7 Day CHG~0.00%
Published-08 Jun, 2023 | 20:19
Updated-13 Feb, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code injection via go command with cgo in cmd/go

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Action-Not Available
Vendor-Go toolchainFedora ProjectGo
Product-gofedoracmd/go
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29566
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.17% / 83.65%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

Action-Not Available
Vendor-huedawn-tesseract_projectdawnsparks-node-tesseract_projectn/a
Product-dawnsparks-node-tesseracthuedawn-tesseractn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-11851
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-3.89% / 87.79%
||
7 Day CHG~0.00%
Published-17 Nov, 2020 | 01:02
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code.

Action-Not Available
Vendor-Micro Focus International Limited
Product-arcsight_loggerArcSight Logger
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-29861
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.97% / 82.80%
||
7 Day CHG~0.00%
Published-15 May, 2023 | 00:00
Updated-31 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue found in FLIR-DVTEL version not specified allows a remote attacker to execute arbitrary code via a crafted request to the management page of the device.

Action-Not Available
Vendor-flirn/a
Product-dvtel_cameradvtel_camera_firmwaren/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-41369
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.88% / 85.79%
||
7 Day CHG~0.00%
Published-29 Aug, 2024 | 00:00
Updated-04 Sep, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWifi.php

Action-Not Available
Vendor-sourcefabricn/asourcefabric
Product-phonieboxn/arpi-jukebox-rfid
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-28706
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.99% / 75.95%
||
7 Day CHG~0.00%
Published-07 Apr, 2023 | 14:54
Updated-22 Oct, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Airflow Hive Provider Beeline Remote Command Execution

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Software Foundation Apache Airflow Hive Provider.This issue affects Apache Airflow Hive Provider: before 6.0.0.

Action-Not Available
Vendor-The Apache Software Foundation
Product-airflow_hive_providerApache Airflow Hive Providerairflow_hive_provider
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-3955
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.23%
||
7 Day CHG~0.00%
Published-02 May, 2024 | 09:43
Updated-01 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary code execution in CraftBeerPi 4

URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue affects CraftBeerPi 4: from 4.0.0.58 (commit 563fae9) before 4.4.1.a1 (commit 57572c7).

Action-Not Available
Vendor-PiBrewingCraftBeerPi - Brewing ControllerPiBrewing
Product-CraftBeerPi 4CraftBeerPi 4
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-39864
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-4.03% / 88.03%
||
7 Day CHG~0.00%
Published-05 Jul, 2024 | 13:40
Updated-19 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache CloudStack: Integration API service uses dynamic port when disabled

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.

Action-Not Available
Vendor-apache_software_foundationThe Apache Software Foundation
Product-cloudstackApache CloudStackapache_cloudstack
CWE ID-CWE-665
Improper Initialization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-40446
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.05% / 15.32%
||
7 Day CHG~0.00%
Published-22 Apr, 2025 | 00:00
Updated-23 Jun, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script

Action-Not Available
Vendor-ctann/a
Product-mimetexn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-11546
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-91.83% / 99.68%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 19:16
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

Action-Not Available
Vendor-superwebmailern/a
Product-superwebmailern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-28354
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.31% / 84.12%
||
7 Day CHG~0.00%
Published-09 Jan, 2025 | 00:00
Updated-10 Jan, 2025 | 17:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Opsview Monitor Agent 6.8. An unauthenticated remote attacker can call check_nrpe against affected targets, specifying known NRPE plugins, which in default installations are configured to accept command control characters and pass them to command-line interpreters for NRPE plugin execution. This allows the attacker to escape NRPE plugin execution and execute commands remotely on the target as NT_AUTHORITY\SYSTEM.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-18.07% / 94.92%
||
7 Day CHG~0.00%
Published-01 Apr, 2020 | 20:11
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests.

Action-Not Available
Vendor-alienform2_projectn/a
Product-alienform2n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-11079
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-5.69% / 90.04%
||
7 Day CHG~0.00%
Published-28 May, 2020 | 18:40
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
command injection fix in node-dns-sync

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.

Action-Not Available
Vendor-node-dns-sync_projectskoranga
Product-node-dns-syncnode-dns-sync
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39331
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.25% / 47.73%
||
7 Day CHG~0.00%
Published-23 Jun, 2024 | 00:00
Updated-30 Apr, 2025 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

Action-Not Available
Vendor-n/aGNU
Product-emacsn/aemacs
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-39236
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.68% / 81.43%
||
7 Day CHG~0.00%
Published-01 Jul, 2024 | 00:00
Updated-27 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

Action-Not Available
Vendor-gradio_projectn/agradio_project
Product-gradion/agradio
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10176
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.87%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 20:38
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands.

Action-Not Available
Vendor-assaabloyn/a
Product-yale_wipc-301wyale_wipc-301w_firmwaren/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10055
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-2.70% / 85.31%
||
7 Day CHG~0.00%
Published-14 Aug, 2020 | 15:24
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges.

Action-Not Available
Vendor-Siemens AG
Product-desigo_consumption_control_compactdesigo_consumption_controlDesigo CC CompactDesigo CC
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 13
  • 14
  • Next
Details not found