VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 10 of 236
  • CVE-2025-68897 · Critical · Dec 29, 2025
    risk 0.64 · cvss 9.9 · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through <= 1.2.

  • CVE-2025-42880 · Critical · Dec 9, 2025
    risk 0.64 · cvss 9.9 · epss 0.04

    Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

  • CVE-2025-14324 · Critical · Dec 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.00

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

  • CVE-2025-6389 · Critical · Nov 25, 2025
    risk 0.64 · cvss 9.8 · epss 0.43

    The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func().…

  • CVE-2025-12813 · Critical · Nov 11, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for…

  • CVE-2025-42887 · Critical · Nov 11, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

  • CVE-2025-32222 · Critical · Nov 6, 2025
    risk 0.64 · cvss 9.9 · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection. This issue affects Widget Logic: from n/a through <= 6.0.5.

  • CVE-2025-50739 · Critical · Oct 30, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization.

  • CVE-2025-46581 · Critical · Oct 14, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges.

  • CVE-2025-42922 · Critical · Sep 9, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system.

  • CVE-2024-52786 · Critical · Aug 22, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL.

  • CVE-2025-48169 · Critical · Aug 20, 2025
    risk 0.64 · cvss 9.9 · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through <= 0.3.3.

  • CVE-2025-49887 · Critical · Aug 14, 2025
    risk 0.64 · cvss 9.9 · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce product-xml-feeds-for-woocommerce allows Remote Code Inclusion. This issue affects Product XML Feed Manager for WooCommerce: from n/a through <= 2.9.3.

  • CVE-2025-55346 · Critical · Aug 14, 2025
    risk 0.64 · cvss 9.8 · epss 0.17

    User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

  • CVE-2025-52385 · Critical · Aug 13, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module.

  • CVE-2025-42957 · Critical · Aug 12, 2025
    risk 0.64 · cvss 9.9 · epss 0.02

    SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a…

  • CVE-2025-42950 · Critical · Aug 12, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability…

  • CVE-2025-46059 · Critical · Jul 29, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the…

  • CVE-2025-29631 · Critical · Jul 25, 2025
    risk 0.64 · cvss 9.8 · epss 0.02

    Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The…

  • CVE-2025-53867 · Critical · Jul 17, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL.