CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,701)
page 13 of 236| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-25077 | Cri | 0.64 | 9.8 | 0.00 | Jul 10, 2024 | An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secureboot image… | ||
| CVE-2024-39071 | Cri | 0.64 | 9.8 | 0.01 | Jul 9, 2024 | Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php. | ||
| CVE-2024-39165 | Cri | 0.64 | 9.8 | 0.01 | Jul 4, 2024 | QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp… | ||
| CVE-2024-39017 | Cri | 0.64 | 9.8 | 0.01 | Jul 1, 2024 | agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||
| CVE-2024-39015 | Cri | 0.64 | 9.8 | 0.01 | Jul 1, 2024 | cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. | ||
| CVE-2024-5826 | Cri | 0.64 | 9.8 | 0.01 | Jun 27, 2024 | In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec`… | ||
| CVE-2024-39669 | Cri | 0.64 | 9.8 | 0.01 | Jun 27, 2024 | In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security. | ||
| CVE-2024-5683 | Cri | 0.64 | 9.8 | 0.01 | Jun 24, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion. This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. | ||
| CVE-2024-37124 | Cri | 0.64 | 9.8 | 0.01 | Jun 19, 2024 | Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed. | ||
| CVE-2024-36575 | Cri | 0.64 | 9.8 | 0.01 | Jun 17, 2024 | A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor. | ||
| CVE-2024-4264 | Cri | 0.64 | 9.8 | 0.01 | May 18, 2024 | A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is… | ||
| CVE-2023-48643 | Cri | 0.64 | 9.8 | 0.01 | May 16, 2024 | Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an… | ||
| CVE-2024-3955 | Cri | 0.64 | 9.8 | 0.01 | May 2, 2024 | URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue… | ||
| CVE-2024-22633 | Cri | 0.64 | 9.8 | 0.01 | Apr 26, 2024 | Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request. | ||
| CVE-2024-22632 | Cri | 0.64 | 9.8 | 0.01 | Apr 26, 2024 | Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request. | ||
| CVE-2024-24707 | Cri | 0.64 | 9.9 | 0.01 | Apr 3, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in Cwicly Builder, SL. Cwicly allows Code Injection.This issue affects Cwicly: from n/a through 1.4.0.2. | ||
| CVE-2024-31390 | Cri | 0.64 | 9.9 | 0.01 | Apr 3, 2024 | : Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows : Code Injection.This issue affects Breakdance: from n/a through 1.7.2. | ||
| CVE-2024-31380 | Cri | 0.64 | 9.9 | 0.01 | Apr 3, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9. | ||
| CVE-2024-25918 | Cri | 0.64 | 9.9 | 0.01 | Apr 3, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8. | ||
| CVE-2024-31032 | Cri | 0.64 | 9.8 | 0.01 | Mar 29, 2024 | An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component. |
- risk 0.64cvss 9.8epss 0.00
An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secureboot image…
- risk 0.64cvss 9.8epss 0.01
Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.
- risk 0.64cvss 9.8epss 0.01
QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp…
- risk 0.64cvss 9.8epss 0.01
agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- risk 0.64cvss 9.8epss 0.01
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
- risk 0.64cvss 9.8epss 0.01
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec`…
- risk 0.64cvss 9.8epss 0.01
In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security.
- risk 0.64cvss 9.8epss 0.01
Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion. This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5.
- risk 0.64cvss 9.8epss 0.01
Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed.
- risk 0.64cvss 9.8epss 0.01
A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
- risk 0.64cvss 9.8epss 0.01
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is…
- risk 0.64cvss 9.8epss 0.01
Shrubbery tac_plus 2.x, 3.x. and 4.x through F4.0.4.28 allows unauthenticated Remote Command Execution. The product allows users to configure authorization checks as shell commands through the tac_plus.cfg configuration file. These are executed when a client sends an…
- risk 0.64cvss 9.8epss 0.01
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os.system" function in "cbpi/controller/system_controller.py" without prior validation allowing to execute arbitrary code.This issue…
- risk 0.64cvss 9.8epss 0.01
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request.
- risk 0.64cvss 9.8epss 0.01
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request.
- risk 0.64cvss 9.9epss 0.01
Improper Control of Generation of Code ('Code Injection') vulnerability in Cwicly Builder, SL. Cwicly allows Code Injection.This issue affects Cwicly: from n/a through 1.4.0.2.
- risk 0.64cvss 9.9epss 0.01
: Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows : Code Injection.This issue affects Breakdance: from n/a through 1.7.2.
- risk 0.64cvss 9.9epss 0.01
Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.
- risk 0.64cvss 9.9epss 0.01
Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8.
- risk 0.64cvss 9.8epss 0.01
An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component.