Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-41623

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-13 Aug, 2024 | 00:00
Updated At-18 Mar, 2025 | 20:41
Rejected At-
Credits

An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:13 Aug, 2024 | 00:00
Updated At:18 Mar, 2025 | 20:41
Rejected At:
▼CVE Numbering Authority (CNA)

An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://d3d.com
N/A
https://github.com/Anonymous120386/Anonymous
N/A
Hyperlink: http://d3d.com
Resource: N/A
Hyperlink: https://github.com/Anonymous120386/Anonymous
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
ezviz
Product
internet_pt_camera
CPEs
  • cpe:2.3:a:ezviz:internet_pt_camera:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • v.v9.1.17.1.4-20180428
Problem Types
TypeCWE IDDescription
CWECWE-94CWE-94 Improper Control of Generation of Code ('Code Injection')
Type: CWE
CWE ID: CWE-94
Description: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:13 Aug, 2024 | 14:15
Updated At:18 Mar, 2025 | 21:15

An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches

d3dsecurity
d3dsecurity
>>d8801_firmware>>9.1.17.1.4-20180428
cpe:2.3:o:d3dsecurity:d8801_firmware:9.1.17.1.4-20180428:*:*:*:*:*:*:*
d3dsecurity
d3dsecurity
>>d8801>>-
cpe:2.3:h:d3dsecurity:d8801:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE-94Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-94
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://d3d.comcve@mitre.org
Not Applicable
https://github.com/Anonymous120386/Anonymouscve@mitre.org
Third Party Advisory
Hyperlink: http://d3d.com
Source: cve@mitre.org
Resource:
Not Applicable
Hyperlink: https://github.com/Anonymous120386/Anonymous
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

701Records found

CVE-2022-22965
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-9.8||CRITICAL
EPSS-94.46% / 99.99%
||
7 Day CHG~0.00%
Published-01 Apr, 2022 | 22:17
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-25||Apply updates per vendor instructions.

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Action-Not Available
Vendor-n/aVeritas Technologies LLCSiemens AGVMware (Broadcom Inc.)Oracle CorporationCisco Systems, Inc.
Product-communications_cloud_native_core_unified_data_repositorycx_cloud_agentfinancial_services_analytical_applications_infrastructurenetbackup_appliancesimatic_speech_assistant_for_machinescommunications_cloud_native_core_binding_support_functioncommunications_cloud_native_core_automated_test_suitesd-wan_edgeretail_customer_management_and_segmentation_foundationcommunications_cloud_native_core_network_exposure_functionaccess_applianceflex_appliancenetbackup_virtual_applianceretail_bulk_data_integrationfinancial_services_behavior_detection_platformsipass_integratednetbackup_flex_scale_appliancesiveillance_identitycommunications_policy_managementcommunications_cloud_native_core_network_slice_selection_functionspring_frameworkcommunications_cloud_native_core_security_edge_protection_proxysinec_network_management_systemcommunications_unified_inventory_managementweblogic_servercommerce_platformretail_financial_integrationcommunications_cloud_native_core_policycommunications_cloud_native_core_network_function_cloud_native_environmentcommunications_cloud_native_core_consolemysql_enterprise_monitorretail_xstore_point_of_servicejdkcommunications_cloud_native_core_network_repository_functionfinancial_services_enterprise_case_managementoperation_schedulerretail_integration_busretail_merchandising_systemproduct_lifecycle_analyticsSpring FrameworkSpring Framework
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-38196
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.36% / 86.86%
||
7 Day CHG~0.00%
Published-08 Aug, 2021 | 05:07
Updated-04 Aug, 2024 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the better-macro crate through 2021-07-22 for Rust. It intentionally demonstrates that remote attackers can execute arbitrary code via proc-macros, and otherwise has no legitimate purpose.

Action-Not Available
Vendor-better-macro_projectn/a
Product-better-macron/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-38117
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-8.8||HIGH
EPSS-0.95% / 75.47%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:34
Updated-10 Apr, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible Remote Code Execution Vulnerability OpenText iManager

Possible Command injection Vulnerability in iManager has been discovered in OpenText™ iManager 3.2.4.0000.

Action-Not Available
Vendor-Open Text CorporationMicro Focus International Limited
Product-imanageriManagerimanager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-11036
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.3||HIGH
EPSS-2.19% / 83.71%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 11:02
Updated-04 Feb, 2025 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.1.5 - Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings

The The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_get_user_earnings AJAX action in all versions up to, and including, 7.1.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Action-Not Available
Vendor-gamipressrubengcgamipress
Product-gamipressGamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPressgamipress
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-21797
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.10% / 29.16%
||
7 Day CHG~0.00%
Published-26 Sep, 2022 | 05:05
Updated-17 Sep, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Execution

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.

Action-Not Available
Vendor-joblib_projectn/ajoblib_projectDebian GNU/LinuxFedora Project
Product-joblibdebian_linuxfedorajoblibjoblibdebian_linuxfedora
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-36424
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.33% / 55.48%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.

Action-Not Available
Vendor-phpwcmsn/a
Product-phpwcmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-0738
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.21% / 43.06%
||
7 Day CHG~0.00%
Published-19 Jan, 2024 | 21:31
Updated-12 Sep, 2024 | 18:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
个人开源 mldong DecisionModel.java ExpressionEngine code injection

A vulnerability, which was classified as critical, has been found in 个人开源 mldong 1.0. This issue affects the function ExpressionEngine of the file com/mldong/modules/wf/engine/model/DecisionModel.java. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-251561 was assigned to this vulnerability.

Action-Not Available
Vendor-garethhk个人开源
Product-mldongmldong
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-0917
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.4||CRITICAL
EPSS-2.38% / 84.39%
||
7 Day CHG~0.00%
Published-07 Mar, 2024 | 08:24
Updated-13 Feb, 2025 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

remote code execution in paddlepaddle/paddle 2.6.0

Action-Not Available
Vendor-paddlepaddlepaddlepaddlepaddlepaddle
Product-paddlepaddlepaddlepaddle/paddlepaddle
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2018-1275
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.8||CRITICAL
EPSS-32.45% / 96.70%
||
7 Day CHG~0.00%
Published-11 Apr, 2018 | 13:00
Updated-17 Sep, 2024 | 02:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.

Action-Not Available
Vendor-Oracle CorporationVMware (Broadcom Inc.)
Product-communications_diameter_signaling_routerinsurance_rules_paletteretail_customer_insightstape_library_acslsprimavera_gatewayhealthcare_master_person_indexcommunications_performance_intelligence_centerspring_frameworkservice_architecture_leveraging_tuxedohealth_sciences_information_managerretail_order_brokercommunications_converged_application_servergoldengate_for_big_databig_data_discoveryinsurance_calculation_engineretail_open_commerce_platformapplication_testing_suitecommunications_services_gatekeeperretail_predictive_application_serverSpring Framework
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CVE-2022-21686
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9||CRITICAL
EPSS-0.62% / 69.25%
||
7 Day CHG~0.00%
Published-26 Jan, 2022 | 20:10
Updated-23 Apr, 2025 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Side Twig Template Injection in PrestaShop

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

Action-Not Available
Vendor-PrestaShop S.A
Product-prestashopPrestaShop
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-35514
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.50%
||
7 Day CHG~0.00%
Published-28 Jun, 2021 | 11:29
Updated-04 Aug, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel.

Action-Not Available
Vendor-narou_projectn/a
Product-naroun/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-46042
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-68.24% / 98.54%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 00:00
Updated-12 Sep, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo().

Action-Not Available
Vendor-get-simplen/a
Product-getsimplecmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-21122
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9||CRITICAL
EPSS-1.56% / 80.78%
||
7 Day CHG~0.00%
Published-03 Jun, 2022 | 20:05
Updated-16 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Execution

The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constructor.

Action-Not Available
Vendor-metarhian/a
Product-metacalcmetacalc
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-33635
Matching Score-4
Assigner-openEuler
ShareView Details
Matching Score-4
Assigner-openEuler
CVSS Score-9.8||CRITICAL
EPSS-0.15% / 36.05%
||
7 Day CHG~0.00%
Published-29 Oct, 2023 | 07:56
Updated-09 Sep, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Pull malicious images may cause process to be hijacked

When malicious images are pulled by isula pull, attackers can execute arbitrary code.

Action-Not Available
Vendor-openEuler (OpenAtom Foundation)
Product-isulaiSuladisulad
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-665
Improper Initialization
CVE-2020-11546
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-91.83% / 99.68%
||
7 Day CHG~0.00%
Published-14 Jul, 2020 | 19:16
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

Action-Not Available
Vendor-superwebmailern/a
Product-superwebmailern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-11079
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-5.69% / 90.05%
||
7 Day CHG~0.00%
Published-28 May, 2020 | 18:40
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
command injection fix in node-dns-sync

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.

Action-Not Available
Vendor-node-dns-sync_projectskoranga
Product-node-dns-syncnode-dns-sync
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-46010
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 50.56%
||
7 Day CHG~0.00%
Published-24 Oct, 2023 | 00:00
Updated-11 Sep, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component.

Action-Not Available
Vendor-seacmsn/a
Product-seacmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-11851
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-3.89% / 87.80%
||
7 Day CHG~0.00%
Published-17 Nov, 2020 | 01:02
Updated-04 Aug, 2024 | 11:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code.

Action-Not Available
Vendor-Micro Focus International Limited
Product-arcsight_loggerArcSight Logger
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-1609
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-92.94% / 99.76%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 15:52
Updated-02 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The School Management < 9.9.7 - Unauthenticated RCE via REST api

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

Action-Not Available
Vendor-weblizarUnknown
Product-school_managementschool-management-pro
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-26818
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.27%
||
7 Day CHG-0.23%
Published-03 Apr, 2025 | 00:00
Updated-07 Apr, 2025 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netwrix Password Secure through 9.2 allows command injection.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-30461
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.25% / 99.80%
||
7 Day CHG~0.00%
Published-29 May, 2021 | 13:02
Updated-03 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

Action-Not Available
Vendor-voipmonitorn/a
Product-voipmonitorn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-18.07% / 94.92%
||
7 Day CHG~0.00%
Published-01 Apr, 2020 | 20:11
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests.

Action-Not Available
Vendor-alienform2_projectn/a
Product-alienform2n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-20601
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 62.86%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 22:43
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet.

Action-Not Available
Vendor-thinkcmfn/a
Product-thinkcmfn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-10035
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.2||CRITICAL
EPSS-0.78% / 72.70%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 11:48
Updated-08 Nov, 2024 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection in BG-TEK's CoslatV3

Improper Control of Generation of Code ('Code Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection.This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported.

Action-Not Available
Vendor-bg-tekBG-TEK Informatics Security Technologiesbg-tek
Product-coslatCoslatV3coslatv3_firmware
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-29465
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-3.68% / 87.45%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 00:25
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote file overwrite on discord-recon can result in DoS and Remote Code Execution

Discord-Recon is a bot for the Discord chat service. Versions of Discord-Recon 0.0.3 and prior contain a vulnerability in which a remote attacker is able to overwrite any file on the system with the command results. This can result in remote code execution when the user overwrite important files on the system. As a workaround, bot maintainers can edit their `setting.py` file then add `<` and `>` into the `RCE` variable inside of it to fix the issue without an update. The vulnerability is patched in version 0.0.4.

Action-Not Available
Vendor-discordDEMON1A
Product-discord-reconDiscord-Recon
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-43234
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 49.23%
||
7 Day CHG~0.00%
Published-26 Sep, 2023 | 00:00
Updated-24 Sep, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.

Action-Not Available
Vendor-dedebizn/a
Product-dedebizn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-1015
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-9.8||CRITICAL
EPSS-2.10% / 83.37%
||
7 Day CHG~0.00%
Published-29 Jan, 2024 | 13:46
Updated-02 Jun, 2025 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3

Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher. An attacker could send different commands from the operating system to the system via the web configuration functionality of the device.

Action-Not Available
Vendor-se-elektronicSE-elektronic GmbH
Product-e-ddc3.3_firmwaree-ddc3.3E-DDC3.3
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-29772
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.6||MEDIUM
EPSS-0.25% / 48.06%
||
7 Day CHG~0.00%
Published-26 Aug, 2021 | 19:25
Updated-17 Sep, 2024 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM API Connect 5.0.0.0 through 5.0.8.11 could allow a user to potentially inject code due to unsanitized user input. IBM X-Force ID: 202774.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6899
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.3||MEDIUM
EPSS-0.06% / 18.14%
||
7 Day CHG~0.00%
Published-17 Dec, 2023 | 12:31
Updated-21 Nov, 2024 | 14:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
rmountjoy92 DashMachine Config save_config code injection

A vulnerability classified as problematic was found in rmountjoy92 DashMachine 0.5-4. Affected by this vulnerability is an unknown functionality of the file /settings/save_config of the component Config Handler. The manipulation of the argument value_template leads to code injection. The exploit has been disclosed to the public and may be used. The identifier VDB-248257 was assigned to this vulnerability.

Action-Not Available
Vendor-rmountjoy92rmountjoy92
Product-dashmachineDashMachine
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-21784
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 64.24%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 15:29
Updated-04 Aug, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.

Action-Not Available
Vendor-phpwcmsn/a
Product-phpwcmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6851
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 46.93%
||
7 Day CHG~0.00%
Published-16 Dec, 2023 | 11:00
Updated-02 Aug, 2024 | 08:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
kalcaddle KodExplorer ZIP Archive app.php unzipList code injection

A vulnerability was found in kalcaddle KodExplorer up to 4.51.03. It has been rated as critical. This issue affects the function unzipList of the file plugins/zipView/app.php of the component ZIP Archive Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.52.01 is able to address this issue. The patch is named 5cf233f7556b442100cf67b5e92d57ceabb126c6. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248219.

Action-Not Available
Vendor-kodcloudkalcaddle
Product-kodexplorerKodExplorer
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6886
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.06% / 17.63%
||
7 Day CHG~0.00%
Published-17 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 08:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
xnx3 wangmarket Role Management Page code injection

A vulnerability was found in xnx3 wangmarket 6.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component Role Management Page. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248246 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-wang.marketxnx3
Product-wangmarketwangmarket
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-26731
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.33% / 55.39%
||
7 Day CHG~0.00%
Published-24 Oct, 2022 | 00:00
Updated-07 May, 2025 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
spx_restservice modifyUserb_func Command Injection and Multiple Stack-Based Buffer Overflows

Command injection and multiple stack-based buffer overflows vulnerabilities in the modifyUserb_func function of spx_restservice allow an authenticated attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Action-Not Available
Vendor-lannerincLanner Inc
Product-iac-ast2500a_firmwareiac-ast2500aIAC-AST2500A
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-26727
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-10||CRITICAL
EPSS-0.49% / 64.46%
||
7 Day CHG~0.00%
Published-24 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
spx_restservice SubNet_handler_func Multiple Command Injections and Stack-Based Buffer Overflows

Multiple command injections and stack-based buffer overflows vulnerabilities in the SubNet_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Action-Not Available
Vendor-lannerincLanner Inc
Product-iac-ast2500a_firmwareiac-ast2500aIAC-AST2500A
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-6188
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-4.7||MEDIUM
EPSS-0.12% / 31.49%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 17:31
Updated-04 Sep, 2024 | 19:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetSimpleCMS theme-edit.php code injection

A vulnerability was found in GetSimpleCMS 3.3.16/3.4.0a. It has been rated as critical. This issue affects some unknown processing of the file /admin/theme-edit.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-245735.

Action-Not Available
Vendor-get-simplen/a
Product-getsimplecmsGetSimpleCMS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-26729
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-10||CRITICAL
EPSS-0.36% / 57.39%
||
7 Day CHG~0.00%
Published-24 Oct, 2022 | 00:00
Updated-07 May, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
spx_restservice Login_handler_func Command Injection and Multiple Stack-Based Buffer Overflows

Command injection and multiple stack-based buffer overflows vulnerabilities in the Login_handler_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Action-Not Available
Vendor-lannerincLanner Inc
Product-iac-ast2500a_firmwareiac-ast2500aIAC-AST2500A
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-6395
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.41% / 60.71%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 14:33
Updated-13 Feb, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mock: privilege escalation for users that can access mock configuration

The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges. This weakness stems from the absence of proper sandboxing during the expansion and execution of Jinja2 templates, which may be included in certain configuration parameters. While the Mock documentation advises treating users added to the mock group as privileged, certain build systems invoking mock on behalf of users might inadvertently permit less privileged users to define configuration tags. These tags could then be passed as parameters to mock during execution, potentially leading to the utilization of Jinja2 templates for remote privilege escalation and the execution of arbitrary code as the root user on the build server.

Action-Not Available
Vendor-rpm-software-managementn/aRed Hat, Inc.Fedora Project
Product-mockextra_packages_for_enterprise_linuxfedoraRed Hat Enterprise Linux 6Extra Packages for Enterprise LinuxmockFedora
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-26120
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-78.84% / 99.01%
||
7 Day CHG~0.00%
Published-22 Feb, 2021 | 01:38
Updated-03 Aug, 2024 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring.

Action-Not Available
Vendor-smartyn/aDebian GNU/Linux
Product-smartydebian_linuxn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-10257
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.34% / 79.25%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 23:41
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

Action-Not Available
Vendor-themerexn/a
Product-meals_and_wheels-food_truckplumbing-repair\,_building_\&_construction_wordpress_themepartiso_electioncampaignwellspring_water_filter_systemsyottis-simple_portfoliokargo-freight_transportrosalinda-vegetarian_\&_health_coachcoinpress-cryptocurrency_magazine_\&_blog_wordpress_themefc_united-footballimpacto_patronus_multi-landingrare_radionazareth-churchozeum-museumchainpressbriny-diving_wordpress_themeyolox-startup_magazine_\&_blog_wordpress_themerhodos-creative_corporate_wordpress_themepixefynelson-barbershop_\+_tattoo_salonnetmix-broadband_\&_telecomtacticool-shooting_range_wordpress_themevixus-startup_\/_mobile_applicationrenewal-plastic_surgeon_clinictornadosmystik-esotericskatelyn-gutenberg_wordpress_blog_themeheaven_11-multiskin_property_themealdo-gutenberg_wordpress_blog_themekids_carehelion-agency_\&portfolioprider-pride_festhobo_digital_nomad_blogbuzz_stone-magazine_\&_blogchit_club-board_gamesright_wayespecio-food_gutenberg_themevapestercorredo_sport_eventblabberaddonsrumble-single_fighter_boxer\,_news\,_gym\,_storetediss-soft_play_area\,_cafe_\&_child_care_centerlingvico-language_learning_schooljustitia-multiskin_lawyer_thememodern_housewife-housewife_and_family_blogpiqes-creative_startup_\&_agency_wordpress_themetantum-rent_a_car\,_rent_a_bike\,_rent_a_scooter_multiskin_themegloss_blogskydiving_and_flying_companykratz-digital_agencymaxify-startup_blogdronex-aerial_photography_servicessavejulia_personal_fundraising_campaignbonkozoo_zoosamadhi-buddhistyungen-digital\/marketing_agencybugster-pests_controltopper_theme_and_skinsamuliscientia-public_libraryvihara-ashram\,_buddhistgridironhallelujah-churchn/a
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-26728
Matching Score-4
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-4
Assigner-Nozomi Networks Inc.
CVSS Score-10||CRITICAL
EPSS-0.64% / 69.56%
||
7 Day CHG~0.00%
Published-24 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
spx_restservice KillDupUsr_func Command Injection and Stack-Based Buffer Overflow

Command injection and stack-based buffer overflow vulnerabilities in the KillDupUsr_func function of spx_restservice allow an attacker to execute arbitrary code with the same privileges as the server user (root). This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Action-Not Available
Vendor-lannerincLanner Inc
Product-iac-ast2500a_firmwareiac-ast2500aIAC-AST2500A
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2007-5565
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.72% / 71.66%
||
7 Day CHG~0.00%
Published-18 Oct, 2007 | 21:00
Updated-17 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHP remote file inclusion vulnerability in includes/functions.php in phpSCMS 0.0.1-Alpha1 allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: this issue is disputed by CVE because the identified code is in a function that is not accessible via direct request

Action-Not Available
Vendor-phpscmsn/a
Product-phpscmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6248
Matching Score-4
Assigner-Automotive Security Research Group (ASRG)
ShareView Details
Matching Score-4
Assigner-Automotive Security Research Group (ASRG)
CVSS Score-10||CRITICAL
EPSS-3.21% / 86.53%
||
7 Day CHG~0.00%
Published-21 Nov, 2023 | 21:49
Updated-17 Oct, 2024 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data leakage and arbitrary remote code execution in Syrus cloud devices

The Syrus4 IoT gateway utilizes an unsecured MQTT server to download and execute arbitrary commands, allowing a remote unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. The MQTT server also leaks the location, video and diagnostic data from each connected device. An attacker who knows the IP address of the server is able to connect and perform the following operations: * Get location data of the vehicle the device is connected to * Send CAN bus messages via the ECU module ( https://syrus.digitalcomtech.com/docs/ecu-1 https://syrus.digitalcomtech.com/docs/ecu-1 ) * Immobilize the vehicle via the safe-immobilizer module ( https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization https://syrus.digitalcomtech.com/docs/system-tools#safe-immobilization ) * Get live video through the connected video camera * Send audio messages to the driver ( https://syrus.digitalcomtech.com/docs/system-tools#apx-tts https://syrus.digitalcomtech.com/docs/system-tools#apx-tts )

Action-Not Available
Vendor-digitalcomtechDigital Communications Technologiesdigitalcomtech
Product-syrus_4g_iot_telematics_gatewaysyrus_4g_iot_telematics_gateway_firmwareSyrus4 IoT Telematics Gatewaysyrus_4g_iot_telematics_gateway_firmware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2023-41630
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.46% / 80.08%
||
7 Day CHG~0.00%
Published-17 Oct, 2023 | 00:00
Updated-16 Sep, 2024 | 18:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the Gii code generator component.

Action-Not Available
Vendor-esstn/a
Product-esst_monitoringn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-5604
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-5.46% / 89.82%
||
7 Day CHG~0.00%
Published-27 Nov, 2023 | 16:22
Updated-05 Jun, 2025 | 14:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload

The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.

Action-Not Available
Vendor-asgarosUnknownasgaros
Product-asgaros_forumAsgaros Forumasgaros_forum
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6126
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 35.02%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 15:51
Updated-08 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection in salesagility/suitecrm

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Action-Not Available
Vendor-SalesAgility Ltd.
Product-suitecrmsalesagility/suitecrm
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-25283
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.44% / 91.39%
||
7 Day CHG~0.00%
Published-27 Feb, 2021 | 00:00
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.

Action-Not Available
Vendor-saltstackn/aDebian GNU/LinuxFedora Project
Product-debian_linuxfedorasaltn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-6016
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-10||CRITICAL
EPSS-73.65% / 98.76%
||
7 Day CHG~0.00%
Published-16 Nov, 2023 | 16:06
Updated-02 Aug, 2024 | 08:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
H2O Remote Code Execution via POJO Model Import

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature.

Action-Not Available
Vendor-h2oh2oai
Product-h2oh2oai/h2o-3
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-24776
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 79.40%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 00:00
Updated-06 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.

Action-Not Available
Vendor-funadminn/a
Product-funadminn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-23390
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.31% / 78.99%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 15:15
Updated-17 Sep, 2024 | 04:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Execution

The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

Action-Not Available
Vendor-totaljsn/a
Product-total4total4
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-25578
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.05% / 76.63%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 22:25
Updated-03 Aug, 2024 | 04:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

taocms v3.0.2 allows attackers to execute code injection via arbitrarily editing the .htaccess file.

Action-Not Available
Vendor-taogogon/a
Product-taocmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • ...
  • 5
  • 6
  • 7
  • ...
  • 14
  • 15
  • Next
Details not found