CWE-74: Injection
The product constructs all or part of a command, data structure, or record using externally-influenced input, but does not neutralize or incorrectly neutralizes special elements that could modify the intended behavior.
All Injection CVEs (2,161)
A host header injection vulnerability in SysPass 3.2x allows attackers to inject malicious JavaScript from arbitrary domains, which executes in victim...
Feb 28, 2025
This critical vulnerability allows remote attackers to execute arbitrary operating system commands on affected D-Link NAS devices by manipulating the ...
Nov 6, 2024
CVE-2023-46304 is a remote code execution vulnerability in Vtiger CRM 7.5.0 where authenticated attackers can write arbitrary PHP code to config.inc.p...
Apr 30, 2024
CVE-2024-28181 is an authorization bypass vulnerability in turbo_boost-commands Ruby gem that allows attackers to invoke restricted methods on Command...
Mar 14, 2024
CVE-2024-28114 is a Server-Side Template Injection vulnerability in Peering Manager that allows remote code execution. Attackers can execute arbitrary...
Mar 12, 2024
This CVE describes a Host Header Injection vulnerability in Pimcore's Admin Classic Bundle that allows attackers to manipulate invitation email links....
Feb 19, 2024
This CVE describes a JNDI injection vulnerability in IBM Operational Decision Manager that allows remote attackers to execute arbitrary code by passin...
Feb 2, 2024
This CVE describes a command injection vulnerability in Cocos Engine's GitHub Actions workflow that allowed attackers to execute arbitrary commands on...
Mar 27, 2023
CVE-2021-41232 is an LDAP injection vulnerability in Thunderdome planning poker tool that allows attackers to manipulate LDAP queries when LDAP authen...
Nov 2, 2021
CVE-2021-39175 is a cross-site scripting (XSS) vulnerability in HedgeDoc that allows unauthenticated attackers to inject malicious JavaScript into sli...
Aug 30, 2021
This CVE describes a host header injection vulnerability in FUEL CMS versions 1.5.0 through fuel/modules/fuel/config/fuel_constants.php and fuel/modul...
Aug 9, 2021
CVE-2021-29501 is an injection vulnerability in the Ticketer cog for Red Discord Bot that allows Discord users to expose sensitive information through...
May 10, 2021
Horilla HRMS versions before 1.5.0 contain a critical file upload vulnerability that allows authenticated users to upload malicious HTML files disguis...
Jan 22, 2026
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Apr 14, 2025
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Apr 14, 2025
This critical vulnerability allows remote attackers to execute arbitrary commands on affected H3C Magic routers via command injection in the FCGI_Wiza...
Apr 14, 2025
This critical vulnerability in H3C Magic routers allows attackers to execute arbitrary commands via a command injection flaw in the wizard configurati...
Apr 13, 2025
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Mar 25, 2025
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Mar 25, 2025
A critical command injection vulnerability in H3C Magic router series allows attackers to execute arbitrary commands via the /api/login/auth endpoint....
Mar 25, 2025
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Mar 25, 2025
This critical vulnerability in H3C Magic NX30 Pro routers allows attackers on the local network to execute arbitrary commands via a command injection ...
Mar 25, 2025
This critical vulnerability in H3C Magic NX30 Pro and Magic NX400 routers allows authenticated attackers on the local network to execute arbitrary com...
Mar 25, 2025
This critical vulnerability in H3C Magic routers allows attackers within the local network to execute arbitrary commands via a command injection flaw ...
Mar 25, 2025
This critical vulnerability in H3C Magic routers allows authenticated attackers on the local network to execute arbitrary commands via command injecti...
Mar 25, 2025
CVE-2023-28637 is a remote code execution vulnerability in DataEase's AWS Redshift data source due to insufficient input sanitization. Attackers can e...
Mar 28, 2023
TAO Open Source Assessment Platform v3.3.0 RC02 contains an HTML injection vulnerability in the userFirstName parameter that allows attackers to injec...
Oct 22, 2021
This vulnerability allows authenticated attackers to execute arbitrary code on Emissary workflow engine servers by exploiting a class loading mechanis...
Jun 1, 2021
CVE-2024-23333 is a path injection vulnerability in LDAP Account Manager (LAM) that allows authenticated attackers to write arbitrary PHP code to web-...
Mar 18, 2024
This critical vulnerability in Eluktronics Control Center allows local attackers to execute arbitrary commands through a PowerShell script handler. Th...
Jul 20, 2025
This critical vulnerability in exelban stats allows local attackers to execute arbitrary commands through command injection in the XPC Service compone...
Jan 12, 2025
This CVE describes a privilege escalation vulnerability in macOS where an application can exploit an injection flaw to gain elevated privileges. It af...
Mar 8, 2024
This CVE describes a privilege escalation vulnerability in macOS where an application could exploit an injection flaw to gain elevated privileges. The...
Mar 8, 2024
This HTML injection vulnerability in Grocy's API key management component allows attackers to inject arbitrary HTML content into QR code detail popups...
Nov 15, 2023
A remote code execution vulnerability in juzawebCMS allows attackers to execute arbitrary code by uploading a malicious file to the custom plugin func...
Oct 28, 2023
CVE-2023-27635 is a command injection vulnerability in debmany (part of debian-goodies) that allows attackers to execute arbitrary shell commands via ...
Mar 5, 2023
This vulnerability in fish shell versions 3.1.0-3.3.1 allows arbitrary code execution when users navigate to directories containing malicious git conf...
Mar 14, 2022
IBM Planning Analytics 2.0 is vulnerable to CSV injection, allowing remote attackers to execute arbitrary commands on the system by exploiting imprope...
Nov 24, 2021
This macOS vulnerability allows malicious applications to inject code and gain root privileges through improper input validation. It affects macOS Big...
Sep 8, 2021
This vulnerability allows local privilege escalation on Android 11 devices by bypassing font file injection restrictions in RemoteViews.java. Attacker...
Jun 22, 2021
Ghost CMS versions 0.7.2 through 6.19.0 contain a vulnerability where malicious themes can execute arbitrary code on the server. This allows attackers...
Mar 5, 2026
This CVE describes a control character injection vulnerability in MongoDB Shell (mongosh) where an attacker controlling a MongoDB cluster can craft ma...
Feb 27, 2025
A stored HTML injection vulnerability in FreeScout's email reception module allows unauthenticated attackers to inject malicious HTML content into ema...
May 14, 2024
PAX A920 payment terminals have a bootloader downgrade vulnerability due to improper version checking. Attackers with physical USB access can install ...
Jan 15, 2024
This vulnerability allows remote attackers to read arbitrary files from the osTicket server filesystem by crafting malicious HTML in ticket content an...
Jan 12, 2026
Plenti static site generator versions before 0.7.2 have an arbitrary file write vulnerability in the /postLocal endpoint when serving websites. This a...
Oct 25, 2024
This vulnerability allows attackers to read sensitive local files through prompt injection in the Devika AI assistant. It affects systems running Devi...
Aug 4, 2024
This vulnerability in Woodpecker CI/CD allows any user to create malicious workflows that can lead to host takeover of the agent executing the workflo...
Jul 19, 2024
CVE-2024-29896 is an injection vulnerability in Astro-Shield's automated CSP header generation feature. When enabled with user-controllable content, i...
Mar 28, 2024
The Feed Me plugin 4.6.1 for Craft CMS contains a denial of service vulnerability where remote attackers can submit crafted strings to Feed-Me Name an...
Jan 30, 2024
About Injection (CWE-74)
Our database tracks 2,161 CVEs classified as CWE-74, with 102 rated critical and 1,271 rated high severity. The average CVSS score for Injection vulnerabilities is 7.0.
External reference: CWE-74 on MITRE CWE