Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-48614

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-06 Jul, 2026 | 16:46
Updated At-06 Jul, 2026 | 17:39
Rejected At-
Credits

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:06 Jul, 2026 | 16:46
Updated At:06 Jul, 2026 | 17:39
Rejected At:
▼CVE Numbering Authority (CNA)

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.

Affected Products
Vendor
WebPros
Product
Plesk
Default Status
unaffected
Versions
Affected
  • From 0 before 18.0.78 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-94CWE-94 Code Injection
Type: CWE
CWE ID: CWE-94
Description: CWE-94 Code Injection
Metrics
VersionBase scoreBase severityVector
3.19.9CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.9
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API
N/A
Hyperlink: https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:06 Jul, 2026 | 18:16
Updated At:06 Jul, 2026 | 19:17

An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives, resulting in arbitrary file write as root and full privilege escalation on the underlying server.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.9CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 9.9
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-94Secondarysupport@hackerone.com
CWE ID: CWE-94
Type: Secondary
Source: support@hackerone.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-APIsupport@hackerone.com
N/A
Hyperlink: https://support.plesk.com/hc/en-us/articles/41171817973143-Vulnerability-in-Plesk-XML-API
Source: support@hackerone.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

134Records found

CVE-2026-47365
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.9||CRITICAL
EPSS-0.41% / 33.11%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 02:27
Updated-12 Jun, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account.

Action-Not Available
Vendor-WebPros
Product-WordPress-Toolkit
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2026-44962
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-10||CRITICAL
EPSS-0.69% / 48.51%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 15:41
Updated-29 May, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation.

Action-Not Available
Vendor-WebPros
Product-Plesk
CWE ID-CWE-643
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CVE-2026-29202
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.83% / 53.43%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 18:51
Updated-13 May, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.

Action-Not Available
Vendor-WebPros
Product-cPanel (CloudLinux 6, CentOS 6)cPanelWP Squared
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-32999
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-9.1||CRITICAL
EPSS-0.31% / 23.35%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 04:01
Updated-28 May, 2026 | 13:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.

Action-Not Available
Vendor-WebPros
Product-Comet Backup
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-54823
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.43% / 34.55%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 13:12
Updated-25 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Widget Options plugin <= 4.2.3 - Remote Code Execution (RCE) vulnerability

Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.

Action-Not Available
Vendor-MarketingFire
Product-Widget Options
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-46512
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-Not Assigned
Published-16 Jul, 2026 | 18:15
Updated-17 Jul, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frogman: Dialplan template parameters interpolated into extensions_custom.conf without escaping

Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fm_dialplan_apply accepted template parameters including greeting, dest, url, extension, code, and file, and Tools/DialplanApply.php wrote Dialplan/Templates.php output to extensions_custom.conf while only Dialplan/TemplateBase.php:38-42 sanitized contextName(), allowing a PERM_WRITE caller using confirm:true to inject arbitrary Asterisk directives such as System(), Set(SHELL(...)), Goto, or Macro. This issue is fixed in version 1.6.2.

Action-Not Available
Vendor-mwtcmi
Product-frogman
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-9135
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.9||CRITICAL
EPSS-Not Assigned
Published-17 Jul, 2026 | 18:48
Updated-17 Jul, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

Action-Not Available
Vendor-IBM Corporation
Product-Langflow OSS
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-49774
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.28% / 19.94%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 09:02
Updated-16 Jun, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0.

Action-Not Available
Vendor-Filipe Nasc
Product-RD Station
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-52427
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.73% / 49.93%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 14:22
Updated-11 May, 2026 | 22:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Event Tickets with Ticket Scanner plugin <= 2.3.11 - Remote Code Execution (RCE) vulnerability

Deserialization of Untrusted Data vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Server Side Include (SSI) Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.3.11.

Action-Not Available
Vendor-vollstartVollstartsaso_nikolov
Product-event_tickets_with_ticket_scannerEvent Tickets with Ticket Scannerevent_tickets_with_ticket_scanner
CWE ID-CWE-82
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-23619
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-1.06% / 60.87%
||
7 Day CHG~0.00%
Published-26 Jan, 2023 | 10:42
Updated-10 Mar, 2025 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina

Modelina is a library for generating data models based on inputs such as AsyncAPI, OpenAPI, or JSON Schema documents. Versions prior to 1.0.0 are vulnerable to Code injection. This issue affects anyone who is using the default presets and/or does not handle the functionality themself. This issue has been partially mitigated in version 1.0.0, with the maintainer's GitHub Security Advisory (GHSA) noting "It is impossible to fully guard against this, because users have access to the original raw information. However, as of version 1, if you only access the constrained models, you will not encounter this issue. Further similar situations are NOT seen as a security issue, but intended behavior." The suggested workaround from the maintainers is "Fully custom presets that change the entire rendering process which can then escape the user input."

Action-Not Available
Vendor-lfprojectsasyncapi
Product-modelinamodelina
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-22731
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-1.33% / 67.93%
||
7 Day CHG~0.00%
Published-17 Jan, 2023 | 21:31
Updated-10 Mar, 2025 | 21:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Control of Generation of Code in Twig rendered views in shopware

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2020-8180
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.9||CRITICAL
EPSS-1.67% / 74.13%
||
7 Day CHG~0.00%
Published-08 Jun, 2020 | 13:08
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.

Action-Not Available
Vendor-n/aNextcloud GmbH
Product-talkNextcloud Talk
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-23645
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.97% / 58.10%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 06:30
Updated-28 Apr, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MainWP Code Snippets Extension Plugin <= 4.0.2 - Subscriber+ Arbitrary PHP Code Injection/Execution Vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in MainWP MainWP Code Snippets Extension allows Code Injection.This issue affects MainWP Code Snippets Extension: from n/a through 4.0.2.

Action-Not Available
Vendor-mainwpMainWP
Product-code_snippets_extensionMainWP Code Snippets Extension
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-48322
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.6||CRITICAL
EPSS-0.50% / 39.17%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:04
Updated-15 Jul, 2026 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ColdFusion | Improper Control of Generation of Code ('Code Injection') (CWE-94)

ColdFusion is affected by an Improper Control of Generation of Code ('Code Injection') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Action-Not Available
Vendor-Adobe Inc.
Product-coldfusionColdFusion 2025ColdFusion 2023
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-46442
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.4||CRITICAL
EPSS-0.82% / 53.11%
||
7 Day CHG~0.00%
Published-08 Jun, 2026 | 15:30
Updated-11 Jun, 2026 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured — the common deployment case — Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2.

Action-Not Available
Vendor-flowiseaiFlowiseAI
Product-flowiseFlowise
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-46850
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-9.9||CRITICAL
EPSS-0.52% / 40.76%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 19:27
Updated-22 Jun, 2026 | 15:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The supported version that is affected is 2026.2.0+9.6.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise MySQL Shell. While the vulnerability is in MySQL Shell, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Shell. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-mysql_shellMySQL Shell
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-45558
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.44% / 35.53%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 14:01
Updated-10 Jun, 2026 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages — including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-roxy-wi
Product-roxy-wi
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-42898
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.9||CRITICAL
EPSS-1.19% / 64.53%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 16:59
Updated-19 Jun, 2026 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-dynamics_365Microsoft Dynamics 365 (on-premises) version 9.1
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-41512
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.59% / 44.14%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 13:52
Updated-11 May, 2026 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote code execution via JavaScript injection in `BrowserAutomation::PlaywrightService`

ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1.

Action-Not Available
Vendor-0din-aiMozilla Corporation
Product-0din_scannerai-scanner
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-40783
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.54% / 41.83%
||
7 Day CHG~0.00%
Published-17 Jun, 2026 | 09:51
Updated-17 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability

Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions.

Action-Not Available
Vendor-Creative Themes
Product-Blocksy Companion Pro
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-40342
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.69% / 48.75%
||
7 Day CHG~0.00%
Published-17 Apr, 2026 | 19:22
Updated-27 Apr, 2026 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Firebird: Path Traversal + Arbitrary File Write Leads to Remote Code Execution

Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Action-Not Available
Vendor-firebirdsqlFirebirdSQL
Product-firebirdfirebird
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-427
Uncontrolled Search Path Element
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-39440
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.36% / 28.65%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 12:11
Updated-23 Apr, 2026 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.

Action-Not Available
Vendor-Funnelforms LLC
Product-FunnelFormsPro
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33309
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-1.42% / 69.77%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 12:49
Updated-25 Mar, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Langflow has an Arbitrary File Write (RCE) via v2 API

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.

Action-Not Available
Vendor-langflowlangflow-ai
Product-langflowlangflow
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-33873
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.43% / 69.95%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 20:04
Updated-03 Apr, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Langflow has Authenticated Code Execution in Agentic Assistant Validation

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.

Action-Not Available
Vendor-langflowlangflow-ai
Product-langflowlangflow
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-32525
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.29% / 21.31%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:15
Updated-29 Apr, 2026 | 09:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1.

Action-Not Available
Vendor-jetmonsters
Product-JetFormBuilder
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-30887
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.39% / 30.98%
||
7 Day CHG~0.00%
Published-09 Mar, 2026 | 22:40
Updated-12 Mar, 2026 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.

Action-Not Available
Vendor-hackerbayOneUptime
Product-oneuptimeoneuptime
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-27554
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.9||CRITICAL
EPSS-0.76% / 51.10%
||
7 Day CHG~0.00%
Published-01 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred.

Action-Not Available
Vendor-ToDesktop
Product-ToDesktop
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-39915
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.55% / 42.40%
||
7 Day CHG~0.00%
Published-15 Jul, 2024 | 19:33
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated remote code execution in Thruk

Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called. The vulnerability can be exploited by an authorized user with network access. This issue has been addressed in version 3.16. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-snithruk
Product-Thrukthruk
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-39932
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.9||CRITICAL
EPSS-17.18% / 96.74%
||
7 Day CHG~0.00%
Published-04 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 04:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gogs through 0.13.0 allows argument injection during the previewing of changes.

Action-Not Available
Vendor-n/agogs
Product-n/agogs
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27577
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.4||CRITICAL
EPSS-10.16% / 95.13%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 22:19
Updated-04 Mar, 2026 | 14:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
n8n: Expression Sandbox Escape Leads to RCE

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.

Action-Not Available
Vendor-n8nn8n-io
Product-n8nn8n
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-31984
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-83.00% / 99.64%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 19:53
Updated-21 Jan, 2025 | 16:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform: Remote code execution through space title and Solr space facet

XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-31465
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-75.58% / 99.47%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 19:12
Updated-09 Jan, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet

XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the document `XWiki.SearchSuggestSourceSheet`.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platformxwiki
CWE ID-CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-23211
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-3.46% / 87.72%
||
7 Day CHG~0.00%
Published-28 Jan, 2025 | 15:24
Updated-08 May, 2025 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tandoor Recipes - SSTI - Remote Code Execution

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. This vulnerability is fixed in 1.5.24.

Action-Not Available
Vendor-tandoorTandoorRecipes
Product-recipesrecipes
CWE ID-CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-55662
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.76% / 51.25%
||
7 Day CHG~0.00%
Published-12 Dec, 2024 | 17:25
Updated-30 Apr, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XWiki allows remote code execution through the extension sheet

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-96
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVE-2022-24817
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.9||CRITICAL
EPSS-1.04% / 60.25%
||
7 Day CHG~0.00%
Published-06 May, 2022 | 00:00
Updated-23 Apr, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper kubeconfig validation allows arbitrary code execution

Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling functionality via Validating Admission webhooks by restricting users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0

Action-Not Available
Vendor-fluxcdfluxcd
Product-kustomize-controllerflux2helm-controllerflux2
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-24663
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.9||CRITICAL
EPSS-2.05% / 79.03%
||
7 Day CHG~0.00%
Published-16 Feb, 2022 | 16:38
Updated-31 Jan, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution by Subscriber+ users via WordPress shortcode

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.

Action-Not Available
Vendor-php_everywhere_projectAlexander Fuchs
Product-php_everywherePHP Everywhere
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-24664
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.9||CRITICAL
EPSS-1.65% / 73.86%
||
7 Day CHG~0.00%
Published-16 Feb, 2022 | 16:38
Updated-31 Jan, 2025 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution by by Contributor+ users via WordPress metabox

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts.

Action-Not Available
Vendor-php_everywhere_projectAlexander Fuchs
Product-php_everywherePHP Everywhere
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2022-24665
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.9||CRITICAL
EPSS-2.60% / 83.60%
||
7 Day CHG~0.00%
Published-16 Feb, 2022 | 16:38
Updated-31 Jan, 2025 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution by by Contributor+ users via WordPress gutenberg block

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit posts.

Action-Not Available
Vendor-php_everywhere_projectAlexander Fuchs
Product-php_everywherePHP Everywhere
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27044
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.30% / 21.48%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Total Poll Lite plugin <= 4.12.0 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion.This issue affects Total Poll Lite: from n/a through <= 4.12.0.

Action-Not Available
Vendor-TotalSuite
Product-Total Poll Lite
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-32613
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.55% / 42.47%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 20:07
Updated-23 Apr, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled the ability to invoke commands, access files, etc. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable echo entirely.

Action-Not Available
Vendor-spinnakerThe Linux Foundation
Product-spinnakerspinnaker
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-45798
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.77% / 51.43%
||
7 Day CHG~0.00%
Published-17 Sep, 2024 | 18:08
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple Poisoned Pipeline Execution (PPE) vulnerabilities

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts.

Action-Not Available
Vendor-espressifarduino
Product-arduino-esp32arduino_core
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27952
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-0.50% / 39.29%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 01:38
Updated-02 Mar, 2026 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities — including `sys.modules` — thereby providing access to unfiltered system-level functionality like `os.system`. This vulnerability affects the Agenta self-hosted platform (API server), not the SDK when used as a standalone Python library. The custom code evaluator runs server-side within the API process. The issue is fixed in v0.48.1 by removing `numpy` from the sandbox allowlist. In later versions (v0.60+), the RestrictedPython sandbox was removed entirely and replaced with a different execution model.

Action-Not Available
Vendor-agentatechAgenta-AI
Product-agentaagenta-api
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-27574
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.50% / 39.73%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 10:13
Updated-24 Feb, 2026 | 18:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. This issue has been fixed in version 10.0.5.

Action-Not Available
Vendor-hackerbayOneUptime
Product-oneuptimeoneuptime
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-25918
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-0.68% / 48.28%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 12:11
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress InstaWP Connect plugin <= 0.1.0.8 - Remote Code Execution vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.

Action-Not Available
Vendor-instawpInstaWPinstawp
Product-instawp_connectInstaWP Connectinstawp_connect
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-10758
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.9||CRITICAL
EPSS-84.84% / 99.69%
||
7 Day CHG~0.00%
Published-24 Dec, 2019 | 21:08
Updated-27 Oct, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-06-10||Apply updates per vendor instructions.

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

Action-Not Available
Vendor-n/aMongoDB, Inc.
Product-mongo-expressmongo-expressmongo-express
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2019-10431
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-9.9||CRITICAL
EPSS-2.70% / 84.22%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 13:45
Updated-04 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

Action-Not Available
Vendor-Jenkins
Product-script_securityJenkins Script Security Plugin
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-32829
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-2.90% / 85.39%
||
7 Day CHG~0.00%
Published-17 Aug, 2021 | 16:00
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Post-authentication Remote Code Execution (RCE) in ZStack REST API

ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell sandbox. The REST API exposes the GET zstack/v1/batch-queries?script endpoint which is backed up by the BatchQueryAction class. Messages are represented by the APIBatchQueryMsg, dispatched to the QueryFacadeImpl facade and handled by the BatchQuery class. The HTTP request parameter script is mapped to the APIBatchQueryMsg.script property and evaluated as a Groovy script in BatchQuery.query the evaluation of the user-controlled Groovy script is sandboxed by SandboxTransformer which will apply the restrictions defined in the registered (sandbox.register()) GroovyInterceptor. Even though the sandbox heavily restricts the receiver types to a small set of allowed types, the sandbox is non effective at controlling any code placed in Java annotations and therefore vulnerable to meta-programming escapes. This issue leads to post-authenticated remote code execution. For more details see the referenced GHSL-2021-065. This issue is patched in versions 3.8.21, 3.10.8, and 4.1.0.

Action-Not Available
Vendor-zstackzstackio
Product-rest_apizstack
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-32834
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.95% / 57.09%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 01:50
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Groovy script evaluation in Eclipse Keti

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-ketiketi
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2024-33644
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.9||CRITICAL
EPSS-1.12% / 62.41%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 08:14
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Customify Site Library plugin <= 0.0.9 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9.

Action-Not Available
Vendor-WPCustomifywpcustomify
Product-Customify Site Librarycustomify_site_library
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-3105
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-9.9||CRITICAL
EPSS-2.78% / 84.74%
||
7 Day CHG~0.00%
Published-15 Jun, 2024 | 08:42
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution

The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.

Action-Not Available
Vendor-webcrafticThemeisle
Product-Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scriptswoody_ad_snippets
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found