Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-13749

Summary
Assigner-SNOWFLAKE
Assigner Org ID-412d305a-227d-44f9-a262-a31ba44f2aea
Published At-29 Jun, 2026 | 16:02
Updated At-29 Jun, 2026 | 16:19
Rejected At-
Credits

Snowflake CLI Arbitrary Code Execution via Snowpark Annotation Processor Template Injection

Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying crafted project content that is interpolated into generated Python code, causing Snowflake CLI to execute attacker-controlled code in the local context of the user running the CLI. Successful exploitation requires the victim to run the relevant bundling or deployment workflow against attacker-controlled project content, and any resulting code runs with the privileges of that local execution context. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SNOWFLAKE
Assigner Org ID:412d305a-227d-44f9-a262-a31ba44f2aea
Published At:29 Jun, 2026 | 16:02
Updated At:29 Jun, 2026 | 16:19
Rejected At:
▼CVE Numbering Authority (CNA)
Snowflake CLI Arbitrary Code Execution via Snowpark Annotation Processor Template Injection

Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying crafted project content that is interpolated into generated Python code, causing Snowflake CLI to execute attacker-controlled code in the local context of the user running the CLI. Successful exploitation requires the victim to run the relevant bundling or deployment workflow against attacker-controlled project content, and any resulting code runs with the privileges of that local execution context. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

Affected Products
Vendor
Snowflake
Product
Snowflake CLI
Default Status
unaffected
Versions
Affected
  • From 2.4.0 before 3.19.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-94Improper Control of Generation of Code ('Code Injection')
Type: CWE
CWE ID: CWE-94
Description: Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory
N/A
Hyperlink: https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:412d305a-227d-44f9-a262-a31ba44f2aea
Published At:29 Jun, 2026 | 16:16
Updated At:30 Jun, 2026 | 16:08

Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying crafted project content that is interpolated into generated Python code, causing Snowflake CLI to execute attacker-controlled code in the local context of the user running the CLI. Successful exploitation requires the victim to run the relevant bundling or deployment workflow against attacker-controlled project content, and any resulting code runs with the privileges of that local execution context. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

snowflake
snowflake
>>snowflake_cli>>Versions from 2.4.0(inclusive) to 3.19.0(exclusive)
cpe:2.3:a:snowflake:snowflake_cli:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-94Secondary412d305a-227d-44f9-a262-a31ba44f2aea
CWE ID: CWE-94
Type: Secondary
Source: 412d305a-227d-44f9-a262-a31ba44f2aea
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory412d305a-227d-44f9-a262-a31ba44f2aea
Vendor Advisory
Hyperlink: https://community.snowflake.com/s/article/Snowflake-CLI-Vulnerability-Advisory
Source: 412d305a-227d-44f9-a262-a31ba44f2aea
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

138Records found

CVE-2024-26362
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.57% / 43.13%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 00:00
Updated-17 Jun, 2025 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTML injection vulnerability in Enpass Password Manager Desktop Client 6.9.2 for Windows and Linux allows attackers to run arbitrary HTML code via creation of crafted note.

Action-Not Available
Vendor-enpassn/aenpassMicrosoft CorporationLinux Kernel Organization, Inc
Product-password_managerlinux_kernelwindowsn/adesktop_application
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-0542
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-3.18% / 86.49%
||
7 Day CHG+0.03%
Published-09 Jan, 2019 | 15:00
Updated-04 Aug, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.

Action-Not Available
Vendor-xtermjshttps://xtermjs.org/Red Hat, Inc.
Product-openshift_container_platformxterm.jsxterm.js
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-24469
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.50% / 39.17%
||
7 Day CHG~0.00%
Published-05 Feb, 2024 | 00:00
Updated-26 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php.

Action-Not Available
Vendor-flusityn/aflushcms
Product-flusityn/aflushcms
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-21672
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-8.3||HIGH
EPSS-1.36% / 68.42%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 05:00
Updated-02 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives).

Action-Not Available
Vendor-Atlassian
Product-confluence_data_centerconfluence_serverConfluence ServerConfluence Data Center
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-11699
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.68% / 47.91%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 13:34
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxFirefox ESRThunderbirdfirefoxfirefox_esrthunderbird
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-50178
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.25% / 15.77%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 15:20
Updated-26 Jun, 2026 | 02:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4, This vulnerability is fixed in 21.2.4.

Action-Not Available
Vendor-angularangular
Product-angular_language_serviceangularAngular.ng-template
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-11697
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.76% / 50.83%
||
7 Day CHG~0.00%
Published-26 Nov, 2024 | 13:33
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

When handling keypress events, an attacker may have been able to trick a user into bypassing the "Open Executable File?" confirmation dialog. This could have led to malicious code execution. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdFirefoxFirefox ESRThunderbirdfirefoxfirefox_esrthunderbird
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2018-7801
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-8.8||HIGH
EPSS-6.25% / 92.70%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 16:00
Updated-05 Aug, 2024 | 06:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed.

Action-Not Available
Vendor-
Product-evlink_parkingevlink_parking_firmwareEVLink Parking v3.2.0-12_v1 and earlier
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-0896
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.1||HIGH
EPSS-1.39% / 68.94%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 11:20
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Neutralization of Special Elements Used in a Template Engine in microweber/microweber

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

Action-Not Available
Vendor-Microweber (‘Microweber Academy’ Foundation)
Product-microwebermicroweber/microweber
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-0755
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.74% / 50.28%
||
7 Day CHG~0.00%
Published-23 Jan, 2024 | 13:48
Updated-22 May, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

Action-Not Available
Vendor-Mozilla CorporationDebian GNU/Linux
Product-firefox_esrfirefoxdebian_linuxthunderbirdThunderbirdFirefoxFirefox ESR
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-29629
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.47% / 37.22%
||
7 Day CHG~0.00%
Published-25 Jul, 2025 | 00:00
Updated-25 Feb, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 use weak default credentials for secure shell access. This may result in attackers gaining access to exposed Gardyn Home Kits.

Action-Not Available
Vendor-Gardyn
Product-Home Kit Firmware
CWE ID-CWE-1392
Use of Default Credentials
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-49241
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.15% / 4.88%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 15:16
Updated-26 Jun, 2026 | 03:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.

Action-Not Available
Vendor-angularangular
Product-angular_language_serviceangular
CWE ID-CWE-427
Uncontrolled Search Path Element
CWE ID-CWE-494
Download of Code Without Integrity Check
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-49493
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-0.33% / 24.54%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 17:49
Updated-09 Jun, 2026 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

Action-Not Available
Vendor-shd101wyy
Product-Markdown Preview Enhanced
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-51313
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.27%
||
7 Day CHG~0.00%
Published-20 Feb, 2025 | 00:00
Updated-23 Apr, 2025 | 13:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV Injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on Languages section Labels any parameters field in System Options that is used to construct CSV file.

Action-Not Available
Vendor-n/aPHPJabbers Ltd.
Product-restaurant_booking_systemn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-44827
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.56% / 42.59%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 16:33
Updated-19 May, 2026 | 03:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Diffusers: None.py Trust Remote Code Bypass

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.

Action-Not Available
Vendor-huggingfacehuggingface
Product-diffusersdiffusers
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2006-3730
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-63.82% / 99.12%
||
7 Day CHG+0.25%
Published-19 Jul, 2006 | 23:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory copy.

Action-Not Available
Vendor-n/aMicrosoft Corporation
Product-internet_explorerwindows_xpien/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-46242
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.7||CRITICAL
EPSS-0.38% / 30.11%
||
7 Day CHG~0.00%
Published-07 Nov, 2023 | 19:08
Updated-12 Sep, 2024 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code injection in XWiki Platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. There are no known workarounds for for this vulnerability.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2023-45590
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-9.4||CRITICAL
EPSS-1.52% / 71.59%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 14:24
Updated-17 Jan, 2025 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting a malicious website

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientFortiClientLinuxforticlient
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-47162
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-0.22% / 12.29%
||
7 Day CHG-0.05%
Published-11 Jun, 2026 | 18:32
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name

Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495.

Action-Not Available
Vendor-VimRed Hat, Inc.
Product-vimvimRed Hat OpenShift Container Platform 4Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 6
CWE ID-CWE-140
Improper Neutralization of Delimiters
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-45495
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-0.99% / 58.16%
||
7 Day CHG~0.00%
Published-18 May, 2026 | 17:03
Updated-19 Jun, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-35
Path Traversal: '.../...//'
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-42833
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-8.8||HIGH
EPSS-0.92% / 55.82%
||
7 Day CHG~0.00%
Published-10 Jan, 2024 | 22:03
Updated-11 Jun, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A correctness issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14, Safari 17, iOS 17 and iPadOS 17. Processing web content may lead to arbitrary code execution.

Action-Not Available
Vendor-Apple Inc.
Product-macossafariipadosiphone_osSafarimacOSiOS and iPadOS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-42890
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-8.8||HIGH
EPSS-3.21% / 86.61%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 00:27
Updated-13 Feb, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution.

Action-Not Available
Vendor-Apple Inc.
Product-iphone_oswatchosipadostvossafarimacosiOS and iPadOStvOSmacOSSafariwatchOS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-41450
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.35% / 68.16%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 00:00
Updated-23 Sep, 2024 | 21:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.

Action-Not Available
Vendor-phpkobon/a
Product-ajaxnewstickern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-43892
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.26% / 17.38%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 17:43
Updated-13 May, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

Action-Not Available
Vendor-AntSwordProject
Product-antSword
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-44513
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.86% / 54.21%
||
7 Day CHG+0.18%
Published-14 May, 2026 | 16:26
Updated-30 Jun, 2026 | 12:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.

Action-Not Available
Vendor-huggingfacehuggingfaceRed Hat, Inc.
Product-diffusersdiffusersRed Hat AI Inference ServerRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-358
Improperly Implemented Security Check for Standard
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-40221
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.53% / 41.15%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 19:59
Updated-02 Aug, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Socomec MOD3GP-SY-120K Code Injection

The absence of filters when loading some sections in the web application of the vulnerable device allows potential attackers to inject malicious code that will be interpreted when a legitimate user accesses the web section (MAIL SERVER) where the information is displayed. Injection can be done on parameter MAIL_RCV. When a legitimate user attempts to review NOTIFICATION/MAIL SERVER, the injected code will be executed.

Action-Not Available
Vendor-socomecSocomecsocomec
Product-modulys_gp_firmwaremodulys_gpMODULYS GP (MOD3GP-SY-120K)modulys_gp_firmware
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-44346
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.32% / 23.95%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 17:22
Updated-02 Jun, 2026 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39.

Action-Not Available
Vendor-bentomlbentoml
Product-bentomlBentoML
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-38877
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.88% / 54.71%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 00:00
Updated-23 Sep, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.

Action-Not Available
Vendor-economizzern/a
Product-economizzern/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-42603
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.25% / 16.26%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 16:11
Updated-11 May, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

Action-Not Available
Vendor-OWASP-BLT
Product-BLT
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2024-7520
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.44%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 12:38
Updated-24 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A type confusion bug in WebAssembly could be leveraged by an attacker to potentially achieve code execution. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdfirefox_esrFirefox ESRThunderbirdFirefoxfirefoxthunderbirdfirefox_esr
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-41486
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.9||HIGH
EPSS-0.47% / 37.52%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 21:46
Updated-18 May, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ray: Remote Code Execution via Parquet Arrow Extension Type Deserialization

Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0.

Action-Not Available
Vendor-anyscaleray-project
Product-rayray
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-41094
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-0.84% / 53.42%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 16:58
Updated-19 Jun, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Data Formulator Remote Code Execution Vulnerability

Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-data_formulatorMicrosoft Data Formulator
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-40316
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.41% / 32.98%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 22:49
Updated-21 May, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.

Action-Not Available
Vendor-owaspOWASP-BLT
Product-owasp_bltBLT
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2023-33131
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.8||HIGH
EPSS-5.72% / 92.10%
||
7 Day CHG~0.00%
Published-13 Jun, 2023 | 23:26
Updated-28 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Outlook Remote Code Execution Vulnerability

Microsoft Outlook Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-officeoffice_long_term_servicing_channeloutlookoutlook_rtMicrosoft Outlook 2013 Service Pack 1Microsoft Office 2019Microsoft 365 Apps for EnterpriseMicrosoft Office LTSC 2021Microsoft Outlook 2016Microsoft Outlook 2013
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-3910
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-2.00% / 78.33%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 21:30
Updated-14 Mar, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-03-27||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationApple Inc.Linux Kernel Organization, IncGoogle LLC
Product-linux_kernelchromewindowsmacosChromeChromium V8
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-30130
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.42% / 69.51%
||
7 Day CHG~0.00%
Published-12 May, 2023 | 00:00
Updated-24 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.

Action-Not Available
Vendor-craftcmsn/a
Product-craft_cmsn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33479
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.53% / 40.97%
||
7 Day CHG~0.00%
Published-23 Mar, 2026 | 14:05
Updated-24 Mar, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33943
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.79% / 51.71%
||
7 Day CHG+0.05%
Published-27 Mar, 2026 | 21:15
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.

Action-Not Available
Vendor-capricorn86capricorn86Red Hat, Inc.
Product-happy_domhappy-domRed Hat Ansible Automation Platform 2Red Hat OpenShift Container Platform 4
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33310
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.43% / 34.45%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 13:17
Updated-25 Mar, 2026 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Intake has a Command Injection via shell() Expansion in Parameter Defaults

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(<command>), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.

Action-Not Available
Vendor-intakeintake
Product-intakeintake
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33336
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.11% / 62.05%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 15:16
Updated-27 Mar, 2026 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue. ## Root cause Two misconfigurations combine to create this vulnerability: 1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.). 2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by: - `<a href="https://...">` links (without `target="_blank"`) - `window.location` assignments - HTTP redirects - `<meta http-equiv="refresh">` tags ## Attack scenario 1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project). 2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `<a href="https://evil.example/exploit">Click here for the updated design spec</a>` 3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output. 4. The victim uses Vikunja Desktop and clicks the link. 5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process. 6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');` 7. Arbitrary commands execute as the victim's OS user. ## Impact Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient. ## Proof of concept 1. Set up a Vikunja instance with two users sharing a project. 2. As the attacker user, edit a project description to include: `<a href="https://attacker.example/poc.html">Meeting notes</a>` 3. Host poc.html with: `<script>require('child_process').exec('calc.exe')</script>` 4. As the victim, open the project in Vikunja Desktop and click the link. 5. calc.exe (or any other command) executes on the victim's machine. ## Credits This vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).

Action-Not Available
Vendor-vikunjago-vikunja
Product-vikunjavikunja
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-1011
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.63% / 45.67%
||
7 Day CHG+0.04%
Published-04 Feb, 2025 | 13:58
Updated-13 Apr, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A bug in WebAssembly code generation could result in a crash

A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Action-Not Available
Vendor-Mozilla Corporation
Product-firefoxthunderbirdThunderbirdFirefox
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-31225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.40% / 32.43%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 00:00
Updated-13 May, 2026 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-39160
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-1.73% / 74.83%
||
7 Day CHG~0.00%
Published-25 Aug, 2021 | 18:10
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code injection in nbgitpuller

nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.

Action-Not Available
Vendor-jupyterhubjupyterhub
Product-nbgitpullernbgitpuller
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-26322
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
CVSS Score-8.8||HIGH
EPSS-0.73% / 49.89%
||
7 Day CHG~0.00%
Published-28 Aug, 2024 | 07:59
Updated-12 Sep, 2024 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GetApps application has code execution vulnerability

A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

Action-Not Available
Vendor-Xiaomi
Product-getappsGetApps applicationgetapps_application
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-40348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.74% / 74.98%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 04:32
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation setup. This can lead to the ability of an attacker to use --option to append arbitrary code to a root-owned file that eventually will be executed by the system. This is fixed in Uyuni spacewalk-admin 4.3.2-1.

Action-Not Available
Vendor-uyuni-projectspacewalk_projectn/a
Product-uyunispacewalkn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-25755
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.1||HIGH
EPSS-0.82% / 52.66%
||
7 Day CHG+0.18%
Published-19 Feb, 2026 | 14:41
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jsPDF has PDF Object Injection via Unsanitized Input in addJS Method

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

Action-Not Available
Vendor-parallparallaxRed Hat, Inc.
Product-jspdfjsPDFRed Hat Advanced Cluster Security for Kubernetes 4.8Red Hat Advanced Cluster Security for Kubernetes 4.9
CWE ID-CWE-116
Improper Encoding or Escaping of Output
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-24747
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.69% / 48.45%
||
7 Day CHG+0.07%
Published-27 Jan, 2026 | 21:13
Updated-30 Jun, 2026 | 12:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files

PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue.

Action-Not Available
Vendor-pytorchThe Linux FoundationRed Hat, Inc.
Product-pytorchpytorchRed Hat OpenShift AI 2.25Red Hat OpenShift AI (RHOAI)
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2017-18113
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-8.8||HIGH
EPSS-1.80% / 75.86%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 02:35
Updated-17 Oct, 2024 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.

Action-Not Available
Vendor-Atlassian
Product-data_centerjiraJira ServerJira Data Centerjira_serverjira_data_center
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-3725
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.17%
||
7 Day CHG~0.00%
Published-30 Nov, 2021 | 09:30
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in ohmyzsh/ohmyzsh

Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin.

Action-Not Available
Vendor-planetargonohmyzsh
Product-oh_my_zshohmyzsh/ohmyzsh
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-23523
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.7||CRITICAL
EPSS-6.30% / 92.75%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 16:29
Updated-09 Feb, 2026 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dive allows One-click Remote Code Execution through Deep Links for MCP Install

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.

Action-Not Available
Vendor-openagentplatformOpenAgentPlatform
Product-diveDive
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found