VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

BaseDraftLikelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 19 of 236
  • CVE-2009-0901HigJul 29, 2009
    risk 0.61cvss 8.8epss 0.42

    The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does…

  • CVE-2026-45261CriMay 28, 2026
    risk 0.60cvss epss 0.01

    GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by…

  • CVE-2026-9264CriMay 22, 2026
    risk 0.60cvss 9.3epss 0.00

    A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window,…

  • CVE-2020-36875CriJan 9, 2026
    risk 0.60cvss epss 0.01

    AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of…

  • CVE-2025-34433CriDec 19, 2025
    risk 0.60cvss epss 0.01

    AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is…

  • CVE-2025-13658CriDec 2, 2025
    risk 0.60cvss epss 0.01

    A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.

  • CVE-2020-36870CriNov 7, 2025
    risk 0.60cvss epss 0.01

    Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest…

  • CVE-2025-61774CriOct 6, 2025
    risk 0.60cvss epss 0.01

    PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use`--extra-index-url`. But when `--extra-index-url`…

  • CVE-2025-34124HigJul 16, 2025
    risk 0.60cvss epss 0.00

    A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object…

  • CVE-2025-30085CriJun 11, 2025
    risk 0.60cvss epss 0.00

    Remote code execution vulnerability in RSForm!pro component 3.0.0 - 3.3.14 for Joomla was discovered. The issue occurs within the submission export feature and requires administrative access to the export feature.

  • CVE-2025-3579CriApr 15, 2025
    risk 0.60cvss epss 0.01

    In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and…

  • CVE-2024-45480CriMar 25, 2025
    risk 0.60cvss epss 0.00

    An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.

  • CVE-2024-39844CriJul 3, 2024
    risk 0.60cvss 9.8epss 0.04

    In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.

  • CVE-2022-42699CriDec 6, 2022
    risk 0.60cvss 9.1epss 0.01

    Auth. Remote Code Execution vulnerability in Easy WP SMTP plugin <= 1.5.1 on WordPress.

  • CVE-2013-0810HigSep 11, 2013
    risk 0.60cvss 8.1epss 0.60

    Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers to execute arbitrary code via a crafted screensaver in a theme file, aka "Windows Theme File Remote Code Execution Vulnerability."

  • CVE-2010-0248HigJan 22, 2010
    risk 0.60cvss 8.1epss 0.53

    Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object…

  • CVE-2026-39465CriJun 15, 2026
    risk 0.59cvss 9.1epss 0.01

    Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.

  • CVE-2026-11393CriJun 8, 2026
    risk 0.59cvss 9.0epss 0.00

    Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local…

  • CVE-2026-9311CriJun 1, 2026
    risk 0.59cvss 9.0epss 0.00

    IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to remote code execution caused by the bypass of security controls.

  • CVE-2026-32999CriMay 28, 2026
    risk 0.59cvss 9.0epss 0.00

    Insufficient character filtering in backup agent signing module on Comet Backup server allows authenticated tenant administrator to execute an arbitrary code on behalf of a privileged user on the affected server and connected devices.