CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,701)
page 12 of 236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-54724 | Cri | 0.64 | 9.8 | 0.01 | Jan 9, 2025 | PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion. | ||
| CVE-2024-56278 | Cri | 0.64 | 9.1 | 0.02 | Jan 7, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion.This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1. | ||
| CVE-2024-48453 | Cri | 0.64 | 9.8 | 0.01 | Dec 4, 2024 | An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function | ||
| CVE-2024-51367 | Cri | 0.64 | 9.8 | 0.01 | Nov 21, 2024 | An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. | ||
| CVE-2024-48694 | Cri | 0.64 | 9.8 | 0.01 | Nov 19, 2024 | File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component. | ||
| CVE-2024-50636 | Cri | 0.64 | 9.8 | 0.01 | Nov 11, 2024 | PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote… | ||
| CVE-2024-10035 | Cri | 0.64 | 9.8 | 0.01 | Nov 4, 2024 | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security… | ||
| CVE-2024-51427 | Cri | 0.64 | 9.8 | 0.01 | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls. | ||
| CVE-2024-51424 | Cri | 0.64 | 9.8 | 0.01 | Oct 30, 2024 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. | ||
| CVE-2024-48138 | Cri | 0.64 | 9.8 | 0.01 | Oct 29, 2024 | A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. | ||
| CVE-2024-48204 | Cri | 0.64 | 9.8 | 0.01 | Oct 25, 2024 | SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script. | ||
| CVE-2024-48514 | Cri | 0.64 | 9.8 | 0.01 | Oct 24, 2024 | php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below. | ||
| CVE-2024-45874 | Cri | 0.64 | 9.8 | 0.01 | Oct 7, 2024 | A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. | ||
| CVE-2024-45873 | Cri | 0.64 | 9.8 | 0.01 | Oct 7, 2024 | A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. | ||
| CVE-2024-45186 | Cri | 0.64 | 9.8 | 0.01 | Oct 2, 2024 | FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials. | ||
| CVE-2024-35515 | Cri | 0.64 | 9.8 | 0.01 | Sep 18, 2024 | Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. | ||
| CVE-2024-45798 | Cri | 0.64 | 9.9 | 0.01 | Sep 17, 2024 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow… | ||
| CVE-2024-7104 | Cri | 0.64 | 9.8 | 0.01 | Sep 16, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2. | ||
| CVE-2024-45623 | Cri | 0.64 | 9.8 | 0.01 | Sep 2, 2024 | D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no… | ||
| CVE-2024-21552 | Cri | 0.64 | 9.8 | 0.01 | Jul 22, 2024 | All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the ‘eval’ function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI application server. |
- risk 0.64cvss 9.8epss 0.01
PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion.
- risk 0.64cvss 9.1epss 0.02
Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion.This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1.
- risk 0.64cvss 9.8epss 0.01
An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function
- risk 0.64cvss 9.8epss 0.01
An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file.
- risk 0.64cvss 9.8epss 0.01
File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component.
- risk 0.64cvss 9.8epss 0.01
PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote…
- risk 0.64cvss 9.8epss 0.01
Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security…
- risk 0.64cvss 9.8epss 0.01
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls.
- risk 0.64cvss 9.8epss 0.01
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls.
- risk 0.64cvss 9.8epss 0.01
A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.
- risk 0.64cvss 9.8epss 0.01
SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script.
- risk 0.64cvss 9.8epss 0.01
php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below.
- risk 0.64cvss 9.8epss 0.01
A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe.
- risk 0.64cvss 9.8epss 0.01
A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.
- risk 0.64cvss 9.8epss 0.01
FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.
- risk 0.64cvss 9.8epss 0.01
Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.
- risk 0.64cvss 9.9epss 0.01
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow…
- risk 0.64cvss 9.8epss 0.01
Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2.
- risk 0.64cvss 9.8epss 0.01
D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no…
- risk 0.64cvss 9.8epss 0.01
All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the ‘eval’ function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI application server.