VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

BaseDraftLikelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 20 of 236
  • CVE-2026-46621criMay 27, 2026
    risk 0.59cvss epss 0.00

    ### Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython (via the JSR-223 ScriptEngine API) without enforcing a secure…

  • CVE-2026-46562criMay 27, 2026
    risk 0.59cvss epss 0.01

    # Remote Code Execution via Mission Database algorithm override ## Summary The Nashorn `ScriptEngine` used to evaluate user-supplied algorithm text in `MdbOverrideApi.updateAlgorithm` is constructed without a `ClassFilter`, allowing a user with the `ChangeMissionDatabase`…

  • CVE-2026-44632criMay 27, 2026
    risk 0.59cvss epss 0.00

    ### Summary A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (`org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory`). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure…

  • CVE-2026-22314CriMay 20, 2026
    risk 0.59cvss 9.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49;…

  • CVE-2026-2586CriMay 19, 2026
    risk 0.59cvss 9.1epss 0.01

    An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application…

  • CVE-2026-40466HigApr 24, 2026
    risk 0.59cvss 8.8epss 0.05

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery…

  • CVE-2026-30479CriApr 9, 2026
    risk 0.59cvss 9.1epss 0.00

    A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.

  • CVE-2025-71058CriApr 7, 2026
    risk 0.59cvss 9.1epss 0.00

    Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a…

  • CVE-2026-2701CriApr 2, 2026
    risk 0.59cvss 9.1epss 0.49

    Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

  • CVE-2026-32573CriMar 25, 2026
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.2.7.

  • CVE-2026-25447CriMar 25, 2026
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through <= 2.3.9.

  • CVE-2026-3584CriMar 20, 2026
    risk 0.59cvss 9.8epss 0.07

    The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined…

  • CVE-2026-32367CriMar 13, 2026
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16.

  • CVE-2026-21671CriMar 12, 2026
    risk 0.59cvss 9.1epss 0.01

    A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication.

  • CVE-2026-27984CriMar 5, 2026
    risk 0.59cvss 9.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3.

  • CVE-2025-68015CriJan 22, 2026
    risk 0.59cvss 9.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection.This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.5.

  • CVE-2025-67944CriJan 22, 2026
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through <= 8.1.8.

  • CVE-2026-0491CriJan 13, 2026
    risk 0.59cvss 9.1epss 0.00

    SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This…

  • CVE-2025-66078CriDec 18, 2025
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3.

  • CVE-2025-47588CriNov 6, 2025
    risk 0.59cvss 9.1epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9.