VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

Base · Draft · Likelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 12 of 236
  • CVE-2024-54724 · Critical · Jan 9, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion.

  • CVE-2024-56278 · Critical · Jan 7, 2025
    risk 0.64 · cvss 9.1 · epss 0.02

    Improper Control of Generation of Code ('Code Injection') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows PHP Remote File Inclusion. This issue affects WP Ultimate Exporter: from n/a through <= 2.9.1.

  • CVE-2024-48453 · Critical · Dec 4, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function

  • CVE-2024-51367 · Critical · Nov 21, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file.

  • CVE-2024-48694 · Critical · Nov 19, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component.

  • CVE-2024-50636 · Critical · Nov 11, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote…

  • CVE-2024-10035 · Critical · Nov 4, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security…

  • CVE-2024-51427 · Critical · Oct 30, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls.

  • CVE-2024-51424 · Critical · Oct 30, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls.

  • CVE-2024-48138 · Critical · Oct 29, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.

  • CVE-2024-48204 · Critical · Oct 25, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script.

  • CVE-2024-48514 · Critical · Oct 24, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below.

  • CVE-2024-45874 · Critical · Oct 7, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe.

  • CVE-2024-45873 · Critical · Oct 7, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.

  • CVE-2024-45186 · Critical · Oct 2, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.

  • CVE-2024-35515 · Critical · Sep 18, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

  • CVE-2024-45798 · Critical · Sep 17, 2024
    risk 0.64 · cvss 9.9 · epss 0.01

    arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow…

  • CVE-2024-7104 · Critical · Sep 16, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2.

  • CVE-2024-45623 · Critical · Sep 2, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no…

  • CVE-2024-21552 · Critical · Jul 22, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the ‘eval’ function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI application server.