CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,701)
page 10 of 236

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68897 | — | Cri | 0.64 | 9.9 | 0.00 | — | Dec 29, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through <= 1.2. |
| CVE-2025-42880 | — | Cri | 0.64 | 9.9 | 0.04 | — | Dec 9, 2025 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,… |
| CVE-2025-14324 | — | Cri | 0.64 | 9.8 | 0.00 | — | Dec 9, 2025 | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. |
| CVE-2025-6389 | — | Cri | 0.64 | 9.8 | 0.43 | — | Nov 25, 2025 | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func().… |
| CVE-2025-12813 | — | Cri | 0.64 | 9.8 | 0.01 | — | Nov 11, 2025 | The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for… |
| CVE-2025-42887 | — | Cri | 0.64 | 9.9 | 0.01 | — | Nov 11, 2025 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,… |
| CVE-2025-32222 | — | Cri | 0.64 | 9.9 | 0.00 | — | Nov 6, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection. This issue affects Widget Logic: from n/a through <= 6.0.5. |
| CVE-2025-50739 | — | Cri | 0.64 | 9.8 | 0.01 | — | Oct 30, 2025 | iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization. |
| CVE-2025-46581 | — | Cri | 0.64 | 9.8 | 0.01 | — | Oct 14, 2025 | ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges. |
| CVE-2025-42922 | — | Cri | 0.64 | 9.9 | 0.01 | — | Sep 9, 2025 | SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system. |
| CVE-2024-52786 | — | Cri | 0.64 | 9.8 | 0.01 | — | Aug 22, 2025 | An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. |
| CVE-2025-48169 | — | Cri | 0.64 | 9.9 | 0.00 | — | Aug 20, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through <= 0.3.3. |
| CVE-2025-49887 | — | Cri | 0.64 | 9.9 | 0.00 | — | Aug 14, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce product-xml-feeds-for-woocommerce allows Remote Code Inclusion. This issue affects Product XML Feed Manager for WooCommerce: from n/a through <= 2.9.3. |
| CVE-2025-55346 | — | Cri | 0.64 | 9.8 | 0.17 | — | Aug 14, 2025 | User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. |
| CVE-2025-52385 | — | Cri | 0.64 | 9.8 | 0.01 | — | Aug 13, 2025 | An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module. |
| CVE-2025-42957 | — | Cri | 0.64 | 9.9 | 0.02 | — | Aug 12, 2025 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a… |
| CVE-2025-42950 | — | Cri | 0.64 | 9.9 | 0.01 | — | Aug 12, 2025 | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability… |
| CVE-2025-46059 | — | Cri | 0.64 | 9.8 | 0.01 | — | Jul 29, 2025 | langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the… |
| CVE-2025-29631 | — | Cri | 0.64 | 9.8 | 0.02 | — | Jul 25, 2025 | Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The… |
| CVE-2025-53867 | — | Cri | 0.64 | 9.8 | 0.01 | — | Jul 17, 2025 | Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. |