Snyk
snyk.io › blog › code-injection-python-prevention-examples
Code injection in Python: examples and prevention | Snyk
December 6, 2023 - These vulnerabilities often occur when an application mishandles user input. For example, insecure use of functions like eval() in Python without proper validation can lead to code injection.
Semgrep
semgrep.dev › write rules › secure coding › python › code injection in python
Code Injection in Python | Semgrep
The _xxsubinterpreters.run_string is an internal Python function that interprets the string as Python code. This causes a code injection vulnerability when unverified user data reaches run_string.
Discussions

[Security Vulnerability] CWE - 94 Code Injection in python_executor Class Due to Unvalidated exec() Usage
Description The provided Python code contains a significant security vulnerability of type CWE - 94: Code Injection. The vulnerability exists because the code uses the exec() function to execute us... More on github.com
github.com
April 21, 2025
Code Injection Vulnerability Caused by eval() in function_message Function
This code is vulnerable to CWE - 94: Code Injection due to the use of the eval() function. The function_message function processes a string msg. When msg starts with "Running " and matches a specific regular expression, the function extracts the function_name and function_args. For certain function_name values, it uses eval() to execute the function_args string as a Python ... More on github.com
github.com
May 8, 2025
SQL injection in 2024 - The vulnerability that won't go away
Seeing as I fixed a SQL injection vulnerability in our code base literally last week, I feel safe in saying it's still a thing. More on reddit.com
r/programming
December 4, 2024
Injection Attacks Against Flask [blog]

The first point about template injection almost seemed like it was going somewhere, but actually feels like a no brainer to avoid, since every flask/jinja tutorial under the sun is going to tell you to use curly-brace placeholders in your templates, and not python's built-in substitution operators/methods.

When I think vulnerabilities, I think of something inherently flawed with the design and implementation of something that can be easily exploited, even when used perfectly as intended. For example, if there was a way for someone to inject code into the template even when used with all common sense template syntax and loading techniques.

Since Jinja/Flask were designed to handle untrusted input sanitization well, this is more of a "gotcha" than a "vulnerability." If you use the tools available to you appropriately, it's not a problem. If you misuse or don't use the tools available to you, you risk accidentally creating vulnerabilities unnecessarily. That sort of goes without saying.

More on reddit.com
r/flask
December 8, 2015
PortSwigger
portswigger.net › kb › issues › 00100f10_python-code-injection
Python code injection - PortSwigger
Server-side code injection vulnerabilities arise when an application incorporates user-controllable data into a string that is dynamically evaluated by a code interpreter. If the user data is not strictly validated, an attacker can use crafted ...
StackHawk
stackhawk.com › stackhawk, inc. › vulnerabilities and remediation › preventing command injection in python: a guide to security
Preventing Command Injection in Python: A Guide to Security
January 13, 2025 - So in this post we will get you familiar with command injection via concrete examples—more precisely, command injection in Python. Command injection sends malicious data into an application that can lead to grave damage when dynamically evaluated by the code ...
Probely
probely.com › vulnerabilities › python-code-injection
Python code injection - Probely
A Python code injection vulnerability allows the attacker to execute arbitrary Python code into the application. In the worst-case scenario, the attacker will be able to fully administrate the server, which will enable him to extract sensitive ...
Acunetix
acunetix.com › vulnerabilities › web › python-code-injection
Python code injection - Vulnerabilities
This script is vulnerable to Python code injection. The user input appears to be placed into a dynamically evaluated Python code statement, allowing a... Code Evaluation (Python)
SecureFlag
knowledge-base.secureflag.com › vulnerabilities › code_injection › os_command_injection_python.html
OS Command Injection in Python | SecureFlag Security Knowledge Base
August 5, 2025 - The following snippet contains a Flask web application written in Python that executes the nslookup command to resolve the host supplied by the user.

    import subprocess
    from flask import Flask, request

    app = Flask(__name__)

    @app.route("/dns")
    def page():
        # user-controlled value taken straight from the request
        hostname = request.values.get("hostname")
        # string concatenation plus shell=True is the injection point
        cmd = 'nslookup ' + hostname
        return subprocess.check_output(cmd, shell=True)

Since the hostname is simply appended to the command and executed on a subshell with shell=True, an attacker could stack another command using ; in the file_path GET parameter to inject additional commands.
Snyk
snyk.io › blog › command-injection-python-prevention-examples
Command injection in Python: examples and prevention | Snyk
December 21, 2023 - When an application processes these inputs without proper validation and uses them directly to execute system commands, it becomes vulnerable to command injection attacks. ... # Vulnerability: Directly using user-controlled input to execute ...
GitHub
github.com › GAIR-NLP › factool › issues › 50
[Security Vulnerability] CWE - 94 Code Injection in python_executor Class Due to Unvalidated exec() Usage · Issue #50 · GAIR-NLP/factool
April 21, 2025 - In summary, the lack of input validation in the use of the exec() function makes this code highly vulnerable to code injection attacks.
Author: ybdesire
Aikido
aikido.dev › home › articles › top 10 python security vulnerabilities developers should avoid
Python Security Vulnerabilities | Top Issues
January 29, 2026 - CRLF Injection in urllib3 – urllib3 (used by Requests under the hood) had a vulnerability allowing CRLF injection in HTTP headers if an attacker controlled part of the request URL or method (e.g., newline characters in a header could be inserted). This could be abused to smuggle headers or split responses, potentially leading to session hijacking or manipulating web caches. (Multiple CVEs, e.g., CVE-2019-9740 for Python’s builtin urllib, were assigned to such issues.)
Medium
medium.com › @vikas.taank_40391 › understanding-code-injection-vulnerability-in-python-7090a106c597
Understanding Code Injection Vulnerability in Python. | by Vikas Taank | Medium
April 10, 2024 - This happens when an input is evaluated and not sanitized or properly validated by the programmers and poses a risk of code injection by the attacker gaining and accessing the system in illegitimate ways. This can result in data theft, data corruption, unauthorized access to resources and some malicious actions executed by the attacker that jeopardize the system. Python applications can be vulnerable to code injection in several ways, including:
Codefinity
codefinity.com › courses › v2 › b0d62b1f-23c5-4fab-b255-22ea10550611 › 91942e5a-357a-4fa5-97b1-27570591f52d › f52fda3e-76e6-408c-8639-a033651bf172
Learn Code Injection Risks | Understanding Python Vulnerabilities
Code injection is a critical security risk in Python applications, occurring when untrusted data is interpreted as code and executed by your program. This vulnerability can allow attackers to execute arbitrary commands, steal sensitive data, ...
Bright Security
brightsec.com › blog › code-injection-example
Code Injection Example: A Guide to Discovering and Preventing attacks - Bright Security
March 25, 2025 - Python code injection appears when user input is processed by Python that allows the attacker to inject malicious Python code into the input field with the language itself processing that same code.
Blogger
sethsec.blogspot.com › 2016 › 11 › exploiting-python-code-injection-in-web.html
Exploiting Python Code Injection in Web Applications
November 20, 2016 - Although you would be hard pressed to find an article online that talks about python eval() without warning that it is unsafe, eval() is the most likely culprit here. When you have the following two conditions, the vulnerability exists:
- Application accepts user input (e.g., GET/POST param, cookie value)
- Application passes that user controlled input to eval in an unsafe way (without sanitization or other protection mechanisms).
Here is a simplified version of what the vulnerable code could look like:
Tigerstrike
tigerstrike.io › scanners › code-injection-python
Code Injection - Python Scanner | Security Testing | TigerStrike
December 21, 2025 - Python powers many web applications, data pipelines, and automation systems. Code injection can compromise entire infrastructure, access sensitive data, pivot to connected systems, and establish persistent access. The pickle vulnerability is particularly insidious because developers often don't ...
Medium
medium.com › @snyksec › code-injection-in-python-examples-and-prevention-680b44f3d9ae
Code injection in Python: examples and prevention | by Snyk | Medium
December 7, 2023 - These vulnerabilities often occur when an application mishandles user input. For example, insecure use of functions like eval() in Python without proper validation can lead to code injection.
Armur
armur.ai › blogs › posts › code_injection_in_python
Code Injection in Python: Examples and Prevention | Armur
Command injection happens when an attacker is able to execute arbitrary system commands on the host operating system via a vulnerable application. This can lead to unauthorized access and control over the system.
Semgrep
semgrep.dev › write rules › secure coding › python › command injection in python
Command Injection in Python | Semgrep
The subprocess module allows you to start new processes, connect to their input/output/error pipes, and obtain their return codes. Methods such as Popen, run, call, check_call, check_output are intended for running commands provided as an argument. Allowing user input in a command that is passed as an argument to one of these methods can create an opportunity for a command injection vulnerability.
GitHub
github.com › letta-ai › letta › issues › 2613
Code Injection Vulnerability Caused by eval() in function_message Function · Issue #2613 · letta-ai/letta
May 8, 2025 - This code is vulnerable to CWE - 94: Code Injection due to the use of the eval() function. The function_message function processes a string msg. When msg starts with "Running " and matches a specific regular expression, the function extracts ...
Author: ybdesire
GitLab
docs.gitlab.com › user › application_security › dast › browser › checks › 94.3
Server-side code injection (Python) | GitLab Docs
The target application was found vulnerable to code injection. A malicious actor could inject arbitrary Python code to be executed on the server.