VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

BaseDraftLikelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
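The pattern the description names, user text that ends up being executed as program code, is easiest to see in an interpreter with an `eval` primitive. The following is an added example written for this page, not code from the CWE entry or from any of the products listed below: a hypothetical "formula" feature that evaluates a user-supplied arithmetic expression against a few named variables. `vulnerable_eval` is the CWE-94 form (the string becomes Python source); `safe_eval` is the hardened form, which parses the input and interprets only an allow-listed subset of the syntax tree. The inputs, variable names and the injected payload are all constructed for the demonstration.

```python
import ast
import operator

# Constructed sample inputs. Both arrive from outside the trust boundary,
# i.e. they are "externally-influenced input" in the sense of CWE-94.
BENIGN_INPUT = "price * qty - discount"
# Hypothetical attacker payload: reaches the os module through __import__.
# getpid() is used here so the demonstration is harmless; the same path
# reaches os.system() or subprocess.
INJECTED_INPUT = "__import__('os').getpid()"

# Constructed variable context the formula is allowed to reference.
CONTEXT = {"price": 20.0, "qty": 3, "discount": 5.5}


def vulnerable_eval(expr: str, variables: dict) -> object:
    """CWE-94 form: the input string is compiled and run as Python.

    Passing an empty globals dict does not help: Python inserts
    __builtins__ automatically, so __import__ is reachable, and even
    with builtins removed the object graph (e.g. ().__class__.__base__
    .__subclasses__()) still leads back to arbitrary code.
    """
    return eval(expr, {}, dict(variables))


# Explicit allow-list of operators the hardened evaluator understands.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval(expr: str, variables: dict) -> float:
    """Hardened form: parse, then interpret an allow-listed AST.

    The input is never executed. Only numeric literals, the arithmetic
    operators above and names present in `variables` are accepted; any
    other node type (Call, Attribute, Subscript, Lambda, comprehensions,
    string literals...) raises ValueError before anything is evaluated.
    ast.parse itself raises SyntaxError on malformed input, which callers
    should treat the same way as a rejection.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node: ast.AST):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            # Names resolve only against the caller's dict, never builtins.
            if node.id not in variables:
                raise ValueError(f"unknown variable: {node.id}")
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def demo() -> dict:
    """Run both evaluators over both inputs and report what each accepted."""
    results = {
        "vulnerable_benign": vulnerable_eval(BENIGN_INPUT, CONTEXT),
        # The import executes: the attacker's code ran in this process.
        "vulnerable_injected": vulnerable_eval(INJECTED_INPUT, CONTEXT),
        "safe_benign": safe_eval(BENIGN_INPUT, CONTEXT),
    }
    try:
        safe_eval(INJECTED_INPUT, CONTEXT)
        results["safe_injected"] = "accepted"
    except ValueError as exc:
        results["safe_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value!r}")
```

The design point is that the fix is structural, not a filter: stripping keywords or quoting characters out of the string before `eval` leaves the code path intact and is routinely bypassed, whereas interpreting an allow-listed AST means the only things that can run are the operations the evaluator was written to perform. The same approach applies to the template and transform engines that dominate the CVE list below: expose a constrained expression language, never the host language.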

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 22 of 236
  • CVE-2024-3319 · Critical · May 15, 2024
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed an authenticated administrator to execute user-defined templates as part of attribute transforms which could allow remote code execution on the…

  • CVE-2024-4605 · High · May 14, 2024
    risk 0.59 · CVSS 8.8 · EPSS 0.01

    The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users,…

  • CVE-2024-33294 · Critical · May 6, 2024
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    An issue in Library System using PHP/MySQli with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component.

  • CVE-2024-31266 · Critical · Apr 25, 2024
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection. This issue affects Advanced Order Export For WooCommerce: from n/a through 3.4.4.

  • CVE-2024-22144 · Critical · Apr 25, 2024
    risk 0.59 · CVSS 9.0 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection. This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through 4.21.96.

  • CVE-2023-39157 · Critical · Dec 31, 2023
    risk 0.59 · CVSS 9.0 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.10.

  • CVE-2023-51420 · Critical · Dec 29, 2023
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Soft8Soft LLC Verge3D Publishing and E-Commerce. This issue affects Verge3D Publishing and E-Commerce: from n/a through 4.5.2.

  • CVE-2023-45751 · Critical · Dec 29, 2023
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension. This issue affects Nexter Extension: from n/a through 2.0.3.

  • CVE-2023-40606 · Critical · Dec 29, 2023
    risk 0.59 · CVSS 9.1 · EPSS 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Kanban for WordPress Kanban Boards for WordPress. This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.

  • CVE-2018-8346 · High · Aug 15, 2018
    risk 0.59 · CVSS 8.8 · EPSS 0.19

    A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from…

  • CVE-2018-8344 · High · Aug 15, 2018
    risk 0.59 · CVSS 8.8 · EPSS 0.22

    A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008,…

  • CVE-2017-7465 · Critical · Jun 27, 2018
    risk 0.59 · CVSS 9.0 · EPSS 0.03

    It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of…

  • CVE-2018-1028 · High · Apr 12, 2018
    risk 0.59 · CVSS 8.8 · EPSS 0.19

    A remote code execution vulnerability exists when the Office graphics component improperly handles specially crafted embedded fonts, aka "Microsoft Office Graphics Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft SharePoint, Excel, Microsoft…

  • CVE-2017-2968 · Critical · Feb 15, 2017
    risk 0.59 · CVSS 9.1 · EPSS 0.03

    Adobe Campaign versions 16.4 Build 8724 and earlier have a code injection vulnerability.

  • CVE-2015-8761 · Critical · Jan 8, 2016
    risk 0.59 · CVSS 9.0 · EPSS 0.01

    The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the "Import value sets" permission to execute arbitrary PHP code via the exported values list in a ctools import.

  • CVE-2012-0175 · High · Jul 10, 2012
    risk 0.59 · CVSS 8.8 · EPSS 0.26

    The Shell in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted name for a (1) file or (2) directory, aka "Command…

  • CVE-2026-45132 · Critical · Jun 1, 2026
    risk 0.58 · CVSS 10.0 · EPSS 0.00

    CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential…

  • CVE-2026-45131 · Critical · Jun 1, 2026
    risk 0.58 · CVSS 10.0 · EPSS 0.00

    CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub…

  • CVE-2026-43898 · Critical · May 28, 2026
    risk 0.58 · CVSS 10.0 · EPSS 0.00

    SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values…

  • CVE-2026-44262 · Critical · May 12, 2026
    risk 0.58 · CVSS 9.4 · EPSS 0.06

    Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to…