CWE-94: Code Injection
The product constructs all or part of a code segment using externally-influenced input, but does not neutralize special elements that could modify the intended code segment.
All Code Injection CVEs (1,153)
OrangeHRM versions 5.0 through 5.7 contain a command injection vulnerability in the mail configuration workflow. Unauthenticated attackers can exploit... (Nov 29, 2025)
The WP All Import WordPress plugin contains a critical remote code execution vulnerability that allows authenticated users with import capabilities (t... (Nov 13, 2025)
The Elastic Theme Editor WordPress plugin allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files through a dy... (Nov 11, 2025)
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary code through the Better Find and R... (Nov 8, 2025)
A remote code execution vulnerability in iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code through a crafted HTML page targeting t... (Nov 3, 2025)
This vulnerability allows remote attackers to execute arbitrary code on BusinessNext CRMnext systems through the comments input parameter. It affects ... (Oct 30, 2025)
This vulnerability allows a low-privileged remote attacker with web management access to inject and execute arbitrary commands as root on affected sys... (Oct 14, 2025)
CVE-2025-54374 is a one-click remote code execution vulnerability in Eidos Personal Data Management framework. Attackers can embed malicious eidos: UR... (Oct 3, 2025)
Claude Code versions before 1.0.111 contain a code injection vulnerability that allows arbitrary code execution when users start the application in un... (Oct 3, 2025)
Dolibarr ERP & CRM version 21.0.1 contains a remote code execution vulnerability in the User module configuration via the computed field parameter. Th... (Oct 1, 2025)
CVE-2025-57439 is a critical remote code execution vulnerability in Creacast Creabox Manager 4.4.4 where authenticated attackers can inject arbitrary ... (Sep 22, 2025)
This CVE describes a server-side template injection vulnerability in PPress CMS version 0.0.9 that allows attackers to execute arbitrary code on the s... (Sep 19, 2025)
This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary PHP code on WordPress sites using the WP... (Sep 17, 2025)
CVE-2025-58176 is a one-click remote code execution vulnerability in Dive MCP Host Desktop Application versions 0.9.0 through 0.9.3. Attackers can exp... (Sep 3, 2025)
This vulnerability allows remote code execution in Craft CMS when attackers have a compromised security key and can create arbitrary files in the /sto... (Aug 9, 2025)
This CVE describes a code injection vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code over th... (Jul 8, 2025)
This vulnerability allows authenticated users in Bolt CMS 3.7.0 and earlier to achieve remote code execution through a chain of flaws. Attackers can i... (Jul 3, 2025)
This vulnerability allows authenticated users of Ansible Automation Platform's EDA component to inject malicious Jinja2 templates via Git branch or re... (Jun 30, 2025)
This vulnerability allows authenticated domain users to execute arbitrary code on Veeam Backup Servers through improper input validation. It affects o... (Jun 19, 2025)
This vulnerability in XWiki allows users with edit rights on any page (including their own profile) to execute arbitrary code with programming rights ... (Jun 13, 2025)
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary code on servers running vulnerable... (May 15, 2025)
This vulnerability allows authenticated attackers to execute arbitrary commands on pfSense firewalls through the OpenVPN widget. Attackers can inject ... (May 14, 2025)
A remote code execution vulnerability exists in Moodle's Dropbox repository feature, allowing authenticated teachers and managers to execute arbitrary... (Apr 25, 2025)
This vulnerability allows authenticated attackers to execute arbitrary code on LRQA Nettitude PoshC2 servers by exploiting a flaw in the upload_file f... (Apr 16, 2025)
PerfreeBlog 4.0.11 contains an arbitrary file upload vulnerability in the attach component that allows regular users to upload malicious files and exe... (Apr 15, 2025)
This vulnerability allows attackers to execute arbitrary code remotely by injecting malicious parameters into JDBC URLs used by insightsoftware Hive J... (Apr 3, 2025)
This CVE describes a remote code execution vulnerability in insightsoftware Spark JDBC where attackers can inject malicious parameters into JDBC URLs,... (Apr 3, 2025)
This vulnerability allows attackers with Item/Configure permission in Jenkins to bypass sandbox protection in the Templating Engine Plugin, enabling a... (Apr 2, 2025)
This vulnerability in KNIME Business Hub's ingress-nginx component allows authenticated attackers to potentially execute arbitrary code within the Kub... (Mar 26, 2025)
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to execute arbitrary code on the server through unsafe... (Mar 22, 2025)
This vulnerability in Dify Tools' Vanna module allows attackers to inject malicious queries through unsanitized user inputs, potentially leading to re... (Mar 20, 2025)
SuperAGI's latest version contains a critical remote code execution vulnerability in the agent template update API. Attackers can inject malicious cod... (Mar 20, 2025)
This vulnerability in BerriAI/litellm allows remote code execution by exploiting improper input validation in the 'post_call_rules' configuration. Att... (Mar 20, 2025)
This vulnerability in kedro 0.19.8 allows remote code execution when users download micro packages via the pull_package() API. Attackers can craft mal... (Mar 20, 2025)
This vulnerability allows attackers to execute arbitrary code on servers running vulnerable versions of binary-husky/gpt_academic through prompt injec... (Mar 20, 2025)
This vulnerability allows remote code execution on servers running vulnerable versions of the gpt_academic manim plugin. Attackers can inject maliciou... (Mar 20, 2025)
Plenti versions up to 0.7.16 are vulnerable to remote code execution via the /postLocal endpoint. Attackers can upload .svelte files with malicious Ja... (Mar 12, 2025)
GeoVision GV-ASWeb versions 6.1.2.0 and below contain an authenticated remote code execution vulnerability in the Notification Settings feature. An at... (Feb 27, 2025)
PHPJabbers Restaurant Booking System v3.0 has a CSV injection vulnerability that allows attackers to execute arbitrary code on the server. The vulnera... (Feb 20, 2025)
This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of deep-diver LLM-As-Chatbot. The issue ex... (Feb 6, 2025)
A WebAssembly code generation bug in Mozilla products could allow attackers to cause crashes and potentially execute arbitrary code. This affects Fire... (Feb 4, 2025)
CVE-2024-23921 is a critical remote code execution vulnerability in ChargePoint Home Flex charging stations that allows network-adjacent attackers to ... (Jan 31, 2025)
This vulnerability allows remote attackers to execute arbitrary code on Android devices via Bluetooth Low Energy (BLE) without user interaction. It af... (Jan 21, 2025)
This vulnerability in Android's Bluetooth GATT server allows remote attackers within Bluetooth range to execute arbitrary code without user interactio... (Jan 21, 2025)
This vulnerability allows attackers to elevate privileges on Windows systems by exploiting the Windows Search Service. It affects Windows systems with... (Jan 14, 2025)
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to upload arbitrary files through the Post Saint plugin... (Jan 7, 2025)
This vulnerability allows remote attackers to execute arbitrary code on TOTOLINK A3002R routers via the formWsc function in the /bin/boa web server. A... (Dec 26, 2024)
This is a post-authentication code injection vulnerability in Sophos Firewall's User Portal that allows authenticated users to execute arbitrary code ... (Dec 19, 2024)
A vulnerability in CodeAstro Complaint Management System v1.0 allows remote attackers to escalate privileges through the mess-view.php component. This... (Dec 18, 2024)
CVE-2024-55661 is a remote code execution vulnerability in Laravel Pulse monitoring tool. Authenticated users with dashboard access can execute arbitr... (Dec 13, 2024)
About Code Injection (CWE-94)
Our database tracks 1,153 CVEs classified as CWE-94, with 521 rated critical and 513 rated high severity. The average CVSS score for Code Injection vulnerabilities is 8.6.
External reference: View CWE-94 on MITRE CWE →