Rarely applications have the requirement of dynamically running user supplied server-side code. In order to implement this requirement, programming languages provide APIs for dynamic interpretation of strings as code.

Let the backend code is similar to the following snippet;

                            
var cscpOptions = new Dictionary() { { "CompilerVersion", "v4.5" } };
var cscp = new CSharpCodeProvider(cscpOptions);
var cpOptions = new[] { "mscorlib.dll", "System.Core.dll" };
var params = new CompilerParameters(cpOptions, "user.exe", true);
params.GenerateExecutable = true;
var codeStr = Request["code"];
CompilerResults results = cscp.CompileAssemblyFromSource(params, codeStr);
                 
            

The above code executes a C# code as string provided by the user at the backend. Here a malicious user can send any code that runs Operating System commands on the target system, steal information such as database credentials or database itself, etc.