VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft · Likelihood of Exploit: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

Page 18 of 236
  • CVE-2018-1133 · High · May 25, 2018
    risk 0.63 · CVSS 8.8 · EPSS 0.32

    An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

  • CVE-2018-1270 · Critical · Apr 6, 2018
    risk 0.63 · CVSS 9.8 · EPSS 0.77

    Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker)…

  • CVE-2009-1547 · High · Oct 14, 2009
    risk 0.63 · CVSS 8.8 · EPSS 0.37

    Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via a crafted data stream header that triggers memory corruption, aka "Data Stream Header Corruption Vulnerability."

  • CVE-2025-5333 · Critical · Jul 6, 2025
    risk 0.62 · CVSS not listed · EPSS 0.01

    Remote attackers can execute arbitrary code in the context of the vulnerable service process.

  • CVE-2025-49132 · Critical · Jun 20, 2025
    risk 0.62 · CVSS 10.0 · EPSS 0.13

    Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute…

  • CVE-2026-8931 · Critical · Jun 1, 2026
    risk 0.61 · CVSS not listed · EPSS 0.01

    A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3.

  • CVE-2026-45058 · Critical · May 28, 2026
    risk 0.61 · CVSS not listed · EPSS 0.00

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync…

  • CVE-2026-30960 · Critical · Mar 10, 2026
    risk 0.61 · CVSS not listed · EPSS 0.00

    rssn is a scientific computing library for Rust, combining a high-performance symbolic computation engine with numerical methods support and physics simulations functionalities. The vulnerability exists in the JIT (Just-In-Time) compilation engine, which is fully exposed via the…

  • CVE-2025-11548 · Critical · Oct 14, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application, which may lead to unauthenticated Remote Code Execution.

  • CVE-2025-30057 · Critical · Aug 27, 2025
    risk 0.61 · CVSS not listed · EPSS 0.01

    In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function.

  • CVE-2025-30056 · Critical · Aug 27, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system.

  • CVE-2025-2313 · Critical · Aug 27, 2025
    risk 0.61 · CVSS not listed · EPSS 0.00

    In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter.

  • CVE-2025-3114 · Critical · Apr 9, 2025
    risk 0.61 · CVSS not listed · EPSS 0.01

    Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows…

  • CVE-2024-12372 · Critical · Dec 18, 2024
    risk 0.61 · CVSS not listed · EPSS 0.01

    A denial-of-service and possible remote code execution vulnerability exists in the Rockwell Automation Power Monitor 1000. The vulnerability results in corruption of the heap memory which may compromise the integrity of the system, potentially allowing for remote code execution…

  • CVE-2024-7093 · Critical · Aug 1, 2024
    risk 0.61 · CVSS not listed · EPSS 0.01

    Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message…

  • CVE-2024-36456 · Critical · Jul 15, 2024
    risk 0.61 · CVSS not listed · EPSS 0.01

    This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.

  • CVE-2018-1275 · Critical · Apr 11, 2018
    risk 0.61 · CVSS 9.8 · EPSS 0.58

    Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker)…

  • CVE-2018-6889 · High · Feb 12, 2018
    risk 0.61 · CVSS 8.8 · EPSS 0.07

    An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.

  • CVE-2014-9463 · High · Sep 15, 2017
    risk 0.61 · CVSS 8.8 · EPSS 0.15

    functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.

  • CVE-2009-2493 · High · Jul 29, 2009
    risk 0.61 · CVSS 8.8 · EPSS 0.43

    The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2;…