VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 11 of 236
  • CVE-2025-5396 · Critical · Jul 17, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user supplied input passed directly to call_user_func(). This…

  • CVE-2025-5392 · Critical · Jul 11, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible…

  • CVE-2025-48140 · Critical · Jun 9, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection. This issue affects MetalpriceAPI: from n/a through <= 1.1.4.

  • CVE-2025-49013 · Critical · Jun 9, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user controlled variables directly inside shell…

  • CVE-2025-32363 · Critical · May 14, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    mediDOK before 2.5.18.43 allows remote attackers to achieve remote code execution on a target system via deserialization of untrusted data.

  • CVE-2025-2421 · Critical · May 2, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection. This issue affects SambaBox: before 5.1.

  • CVE-2025-1782 · Critical · Apr 14, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    In HylaFAX Enterprise Web Interface and AvantFAX, the language form element is not properly sanitized before being used and can be misused to include an arbitrary file in the PHP code allowing an attacker to do anything as the web server user. This flaw requires the attacker…

  • CVE-2025-31330 · Critical · Apr 8, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability…

  • CVE-2025-27429 · Critical · Apr 8, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a…

  • CVE-2024-13645 · Critical · Apr 4, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable…

  • CVE-2025-30911 · Critical · Apr 1, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.02

    Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection. This issue affects RTMKit: from n/a through <= 1.5.4.

  • CVE-2025-28893 · Critical · Mar 26, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion. This issue affects Visual Text Editor: from n/a through <= 1.2.1.

  • CVE-2024-48818 · Critical · Mar 25, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code.

  • CVE-2024-57061 · Critical · Mar 19, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration.

  • CVE-2025-27554 · Critical · Mar 1, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.01

    ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the desktopify config.prod.json file), and consequently deploy updates to any app, via a…

  • CVE-2024-54756 · Critical · Feb 20, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code via supplying a crafted PK3 file containing a malicious ZScript source file.

  • CVE-2024-57401 · Critical · Feb 20, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection vulnerability in Uniclare Student portal v.2 and before allows a remote attacker to execute arbitrary code via the Forgot Password function.

  • CVE-2025-25467 · Critical · Feb 18, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.

  • CVE-2024-12366 · Critical · Feb 11, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    PandasAI uses an interactive prompt function that is vulnerable to prompt injection and can run arbitrary Python code, which can lead to Remote Code Execution (RCE) instead of the intended explanation of the natural-language processing by the LLM.

  • CVE-2025-24677 · Critical · Feb 4, 2025
    risk 0.64 · CVSS 9.9 · EPSS 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies allows Remote Code Inclusion. This issue affects Post/Page Copying Tool: from n/a through <= 2.0.3.