CWE-94
Improper Control of Generation of Code ('Code Injection')
BaseDraftLikelihood: Medium
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (3,775)
page 10 of 189| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9321 | Cri | 0.64 | 9.8 | 0.00 | Sep 23, 2025 | The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code. | |
| CVE-2025-42922 | Cri | 0.64 | 9.9 | 0.00 | Sep 9, 2025 | SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system. | |
| CVE-2024-52786 | Cri | 0.64 | 9.8 | 0.01 | Aug 22, 2025 | An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. | |
| CVE-2025-48169 | Cri | 0.64 | 9.9 | 0.00 | Aug 20, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion.This issue affects Code Engine: from n/a through <= 0.3.3. | |
| CVE-2025-8723 | Cri | 0.64 | 9.8 | 0.02 | Aug 19, 2025 | The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution. | |
| CVE-2025-49887 | Cri | 0.64 | 9.9 | 0.00 | Aug 14, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce product-xml-feeds-for-woocommerce allows Remote Code Inclusion.This issue affects Product XML Feed Manager for WooCommerce: from n/a through <= 2.9.3. | |
| CVE-2025-55346 | Cri | 0.64 | 9.8 | 0.00 | Aug 14, 2025 | User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. | |
| CVE-2025-52385 | Cri | 0.64 | 9.8 | 0.01 | Aug 13, 2025 | An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module | |
| CVE-2025-42957 | Cri | 0.64 | 9.9 | 0.00 | Aug 12, 2025 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | |
| CVE-2025-42950 | Cri | 0.64 | 9.9 | 0.00 | Aug 12, 2025 | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | |
| CVE-2025-46059 | Cri | 0.64 | 9.8 | 0.00 | Jul 29, 2025 | langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the Supplier because the code-execution issue was introduced by user-written code that does not adhere to the LangChain security practices. | |
| CVE-2025-29631 | Cri | 0.64 | 9.8 | 0.01 | Jul 25, 2025 | Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The vulnerability may allow an attacker to execute arbitrary operating system commands on a target Home Kit. | |
| CVE-2025-53867 | Cri | 0.64 | 9.8 | 0.02 | Jul 17, 2025 | Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. | |
| CVE-2025-5396 | Cri | 0.64 | 9.8 | 0.02 | Jul 17, 2025 | The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact. | |
| CVE-2025-5392 | Cri | 0.64 | 9.8 | 0.02 | Jul 11, 2025 | The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things. | |
| CVE-2025-48140 | Cri | 0.64 | 9.9 | 0.00 | Jun 9, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection.This issue affects MetalpriceAPI: from n/a through <= 1.1.4. | |
| CVE-2025-49013 | Cri | 0.64 | 9.9 | 0.02 | Jun 9, 2025 | WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user controlled variables directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection vulnerability: a malicious actor submitting a crafted pull request review containing shell metacharacters or commands could execute arbitrary shell code on the GitHub Actions runner. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. Developers who maintain or contribute to the repos WilderForge/WilderForge, WilderForge/ExampleMod, WilderForge/WilderWorkspace, WilderForge/WildermythGameProvider, WilderForge/AutoSplitter, WilderForge/SpASM, WilderForge/thrixlvault, WilderForge/MassHash, and/or WilderForge/DLC_Disabler; as well as users who fork any of the above repositories and reuse affected GitHub Actions workflows, are affected. End users of any the above software and users who only install pre-built releases or artifacts are not affected. This vulnerability does not impact runtime behavior of the software or compiled outputs unless those outputs were produced during exploitation of this vulnerability. A current workaround is to disable GitHub Actions in affected repositories, or remove the affected workflows. | |
| CVE-2025-32363 | Cri | 0.64 | 9.8 | 0.02 | May 14, 2025 | mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data. | |
| CVE-2025-32583 | Cri | 0.64 | 9.9 | 0.00 | Apr 17, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post pdf2post allows Remote Code Inclusion.This issue affects PDF 2 Post: from n/a through <= 2.4.0. | |
| CVE-2025-31330 | Cri | 0.64 | 9.9 | 0.00 | Apr 8, 2025 | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. |