CWE-94
Improper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft · Likelihood of Exploit: Medium
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (3,775)
page 11 of 189

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-27429 | Critical | 0.64 | 9.9 | 0.00 | | Apr 8, 2025 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. |
| CVE-2024-13645 | Critical | 0.64 | 9.8 | 0.01 | | Apr 4, 2025 | The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via the module parameter. This makes it possible for unauthenticated attackers to instantiate a PHP object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. |
| CVE-2025-30911 | Critical | 0.64 | 9.9 | 0.00 | | Apr 1, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection. This issue affects RTMKit: from n/a through <= 1.5.4. |
| CVE-2025-28893 | Critical | 0.64 | 9.9 | 0.00 | | Mar 26, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through <= 1.2.1. |
| CVE-2024-48818 | Critical | 0.64 | 9.8 | 0.02 | | Mar 25, 2025 | An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code. |
| CVE-2024-57061 | Critical | 0.64 | 9.8 | 0.01 | | Mar 19, 2025 | An issue in Termius version 9.9.0 through 9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. |
| CVE-2025-27554 | Critical | 0.64 | 9.9 | 0.01 | | Mar 1, 2025 | ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a postinstall script in package.json. No exploitation occurred. |
| CVE-2024-54756 | Critical | 0.64 | 9.8 | 0.02 | | Feb 20, 2025 | A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file. |
| CVE-2024-57401 | Critical | 0.64 | 9.8 | 0.04 | | Feb 20, 2025 | SQL Injection vulnerability in Uniclare Student portal v.2 and before allows a remote attacker to execute arbitrary code via the Forgot Password function. |
| CVE-2025-25467 | Critical | 0.64 | 9.8 | 0.00 | | Feb 18, 2025 | Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file. |
| CVE-2025-1302 | Critical | 0.64 | 9.8 | 0.90 | | Feb 15, 2025 | Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884). |
| CVE-2025-24677 | Critical | 0.64 | 9.9 | 0.00 | | Feb 4, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies allows Remote Code Inclusion. This issue affects Post/Page Copying Tool: from n/a through <= 2.0.3. |
| CVE-2024-54724 | Critical | 0.64 | 9.8 | 0.00 | | Jan 9, 2025 | PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion. |
| CVE-2024-48453 | Critical | 0.64 | 9.8 | 0.04 | | Dec 4, 2024 | An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function. |
| CVE-2024-51367 | Critical | 0.64 | 9.8 | 0.00 | | Nov 21, 2024 | An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. |
| CVE-2024-48694 | Critical | 0.64 | 9.8 | 0.02 | | Nov 19, 2024 | File Upload vulnerability in Xi'an Daxi Information Technology OfficeWeb365 v8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component. |
| CVE-2024-50636 | Critical | 0.64 | 9.8 | 0.07 | | Nov 11, 2024 | PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote Command Execution (RCE). This vulnerability arises because PyMOL treats .PYM files as Python scripts without properly validating or restricting the commands within the script, enabling attackers to run unauthorized commands in the context of the user running the application. |
| CVE-2024-51427 | Critical | 0.64 | 9.8 | 0.02 | | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-51424 | Critical | 0.64 | 9.8 | 0.02 | | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. |
| CVE-2024-48138 | Critical | 0.64 | 9.8 | 0.03 | | Oct 29, 2024 | A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. |