CWE-94

CX-Supervisor (Versions 3.42 and prior) can execute code that has been injected into a project file. An attacker could exploit this to execute code under the privileges of the application.

MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php.

Vanilla 2.6.x before 2.6.4 allows remote code execution.

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.

upload_template() in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file.

An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.