CWE-94: Code Injection
The product constructs all or part of a code segment using externally-influenced input, but does not neutralize special elements that could modify the intended code segment.
All Code Injection CVEs (1,183)
The Uix Slideshow WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation. This vulnerabili... (Nov 16, 2024)
This vulnerability allows arbitrary code execution in applications using vulnerable versions of the dom-iterator package. Attackers can inject malicio... (Nov 13, 2024)
The WP Photo Album Plus WordPress plugin contains an arbitrary shortcode execution vulnerability that allows unauthenticated attackers to execute arbi... (Nov 10, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the FOX Currency Switcher Professional plugin. A... (Nov 9, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes in the Paid Membership Subscriptions plugin. Attackers c... (Nov 9, 2024)
The Tickera WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation. This vulnerability aff... (Nov 5, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the Enable Shortcodes plugin. Attackers can pote... (Oct 30, 2024)
This vulnerability allows attackers to inject and execute arbitrary code on WordPress sites using the Meta Data and Taxonomies Filter (MDTF) plugin. I... (Oct 28, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the Uix Shortcodes plugin. All WordPress sites u... (Oct 26, 2024)
The Special Text Boxes WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes through comments. This vulnerability affects ... (Sep 25, 2024)
The MDTF WordPress plugin allows unauthenticated attackers to execute arbitrary shortcodes due to improper input validation. This affects all WordPres... (Sep 24, 2024)
The Simple Spoiler WordPress plugin versions 1.2 to 1.3 allow unauthenticated attackers to execute arbitrary shortcodes via comments. This vulnerabili... (Sep 14, 2024)
This vulnerability allows unauthenticated attackers to execute arbitrary WordPress shortcodes through the FOX – Currency Switcher Professional for W... (Sep 14, 2024)
CVE-2024-45390 is a code injection vulnerability in the @blakeembrey/template JavaScript library that allows attackers to execute arbitrary code when ... (Sep 3, 2024)
This vulnerability in Microsoft Edge (Chromium-based) allows remote attackers to execute arbitrary code on affected systems by tricking users into vis... (Nov 10, 2023)
This vulnerability allows remote attackers to execute arbitrary code on systems running Microsoft Message Queuing (MSMQ) by sending specially crafted ... (Oct 10, 2023)
This vulnerability allows remote attackers to execute arbitrary code on WordPress sites running the vulnerable Analytics Stats Counter Statistics Plug... (Jun 27, 2022)
The Easy PHP Settings WordPress plugin allows authenticated attackers with Administrator privileges to inject arbitrary PHP code into wp-config.php vi... (Mar 7, 2026)
Chartbrew versions before 4.8.1 contain a remote code execution vulnerability in MongoDB dataset queries. Attackers can execute arbitrary code on the ... (Mar 6, 2026)
This vulnerability in Moodle's backup restore functionality allows authenticated privileged users to upload specially crafted backup files that bypass... (Feb 21, 2026)
This vulnerability allows authenticated attackers with Shop Manager or higher WordPress roles to execute arbitrary PHP code on the server. The flaw ex... (Feb 18, 2026)
The Lucky Wheel Giveaway WordPress plugin contains a remote code execution vulnerability in all versions up to 1.0.22. Authenticated attackers with Ad... (Feb 11, 2026)
A remote code execution vulnerability in ChestnutCMS v1.5.8 and earlier allows attackers to execute arbitrary code through the template creation funct... (Feb 5, 2026)
CVE-2021-47778 is a PHP code injection vulnerability in GetSimple CMS My SMTP Contact Plugin 1.1.2 that allows authenticated administrators to execute... (Jan 21, 2026)
This CVE describes a code injection vulnerability in Shopware's map() function where PHP Closures can bypass allow-list validation. It affects Shopwar... (Jan 14, 2026)
Signal K Server versions before 2.19.0 allow authenticated administrators to install npm packages from arbitrary sources via the appstore interface. T... (Jan 1, 2026)
This vulnerability allows authenticated WordPress administrators to execute arbitrary PHP code on servers running the Lucky Wheel for WooCommerce plug... (Dec 30, 2025)
The Advanced Ads WordPress plugin up to version 2.0.14 contains a remote code execution vulnerability via the 'change-ad__content' shortcode parameter... (Dec 29, 2025)
This vulnerability in Microsoft Purview allows authenticated attackers to execute arbitrary code remotely by exploiting improper input validation in p... (Dec 18, 2025)
CVE-2023-53883 is a remote code execution vulnerability in Webedition CMS v2.9.8.8 that allows authenticated attackers to execute arbitrary system com... (Dec 15, 2025)
PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability where administrative users can inject malicious PHP code through meta... (Dec 10, 2025)
A Remote Code Execution vulnerability in REDAXO CMS 5.20.0 allows authenticated administrators to inject PHP code into templates, which executes when ... (Nov 25, 2025)
This vulnerability allows remote code execution in ClipBucket v5 video sharing platform. Attackers can inject malicious PHP code through the 'type' pa... (Oct 20, 2025)
The atec Debug plugin for WordPress has a remote code execution vulnerability that allows authenticated attackers with Administrator privileges to exe... (Sep 4, 2025)
The Easy Timer WordPress plugin allows authenticated attackers with Editor-level permissions or higher to execute arbitrary code on the server through... (Sep 4, 2025)
This vulnerability allows authenticated administrator users in FreshRSS versions 1.26.1 and below to execute arbitrary code on the server by modifying... (Aug 1, 2025)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in SugarCRM's API module that allows attackers to make unauthorized requests fro... (Jul 13, 2025)
This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the Alone theme. Attackers can inject malicious code tha... (Jul 4, 2025)
This vulnerability in IBM QRadar Suite and Cloud Pak for Security allows privileged users to execute arbitrary code when creating case management scri... (Jun 3, 2025)
FreeScout versions before 1.8.178 contain a code injection vulnerability in the php_path parameter. Administrators can exploit this to execute arbitra... (May 29, 2025)
SQL injection vulnerabilities in ASPECT software allow attackers to execute arbitrary SQL commands when session administrator credentials are compromi... (May 22, 2025)
This vulnerability allows authenticated attackers to execute arbitrary code on Ivanti Endpoint Manager Mobile (EPMM) systems by sending specially craf... (May 13, 2025)
This vulnerability allows remote attackers to execute arbitrary code on D-Link DIR-832x routers via a specific function (0x41dda8). It affects users o... (Apr 17, 2025)
A command injection vulnerability in the Nmap diagnostic tool within Extron SMP/SME admin web consoles allows authenticated attackers to execute arbit... (Apr 15, 2025)
This CVE describes a code injection vulnerability in Apache Kylin where attackers with admin access can modify JDBC connection configurations to execu... (Mar 27, 2025)
This vulnerability allows authenticated attackers with administrator privileges or explicit Automation Scripting access to execute arbitrary system co... (Mar 14, 2025)
This vulnerability allows authenticated WordPress administrators to execute arbitrary code on servers running the Borderless plugin. Attackers with ad... (Jan 30, 2025)
OpenCart 4.0.2.3 contains a Server-Side Template Injection vulnerability in the Theme Editor function that allows authenticated attackers to execute a... (Dec 18, 2024)
This vulnerability in Rank Math SEO WordPress plugin allows attackers to inject arbitrary code into .htaccess files, potentially leading to remote cod... (Nov 28, 2024)
This vulnerability in Joplin note-taking app allows attackers to achieve remote code execution on Windows systems by exploiting unfiltered URI schemes... (Nov 25, 2024)
About Code Injection (CWE-94)
Our database tracks 1,183 CVEs classified as CWE-94, with 539 rated critical and 525 rated high severity. The average CVSS score for Code Injection vulnerabilities is 8.6.
External reference: CWE-94 on MITRE CWE