VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

BaseDraftLikelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 5 of 236
  • CVE-2026-24871CriJan 27, 2026
    risk 0.65cvss epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in pilgrimage233 Minecraft-Rcon-Manage.This issue affects Minecraft-Rcon-Manage: before 3.0.

  • CVE-2025-49372CriNov 6, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.

  • CVE-2025-60206CriOct 22, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Code Injection.This issue affects Alone: from n/a through <= 7.8.3.

  • CVE-2022-31491CriAug 22, 2025
    risk 0.65cvss 10.0epss 0.01

    Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web interface related to detection of a managed UPS shutting down. An unauthenticated…

  • CVE-2025-53577CriAug 20, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns allows Remote Code Inclusion.This issue affects Global DNS: from n/a through <= 3.1.0.

  • CVE-2025-50567CriAug 19, 2025
    risk 0.65cvss 10.0epss 0.01

    Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading…

  • CVE-2012-10032HigAug 5, 2025
    risk 0.65cvss epss 0.01

    Maxthon3 version 3.2.2 build 1000 and prior are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw…

  • CVE-2013-10035HigJul 31, 2025
    risk 0.65cvss epss 0.01

    A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and…

  • CVE-2025-34128HigJul 16, 2025
    risk 0.65cvss epss 0.01

    A buffer overflow vulnerability exists in the X360 VideoPlayer ActiveX control (VideoPlayer.ocx) version 2.6 when handling overly long arguments to the ConvertFile() method. An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and…

  • CVE-2025-42967CriJul 8, 2025
    risk 0.65cvss 9.9epss 0.01

    SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on…

  • CVE-2025-49302CriJul 4, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion.This issue affects Easy Stripe: from n/a through <= 1.1.

  • CVE-2025-6512CriJun 23, 2025
    risk 0.65cvss 10.0epss 0.00

    On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights.

  • CVE-2025-29902CriJun 13, 2025
    risk 0.65cvss 10.0epss 0.01

    Remote code execution that allows unauthorized users to execute arbitrary code on the server machine.

  • CVE-2025-48123CriJun 9, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Code Injection.This issue affects…

  • CVE-2025-32583CriApr 17, 2025
    risk 0.65cvss 9.9epss 0.12

    Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post pdf2post allows Remote Code Inclusion.This issue affects PDF 2 Post: from n/a through <= 2.4.0.

  • CVE-2025-30580CriApr 1, 2025
    risk 0.65cvss 10.0epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through <= 1.10.

  • CVE-2025-26936CriMar 10, 2025
    risk 0.65cvss 10.0epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Fresh Framework fresh-framework allows Code Injection.This issue affects Fresh Framework: from n/a through <= 1.70.0.

  • CVE-2025-26970CriMar 3, 2025
    risk 0.65cvss 10.0epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in FRESHFACE Ark Theme Core ark-core allows Code Injection.This issue affects Ark Theme Core: from n/a through < 1.71.0.

  • CVE-2024-53944CriFeb 27, 2025
    risk 0.65cvss 9.8epss 0.39

    An issue was discovered on Tuoshi/Dionlink LT15D 4G Wi-Fi devices through M7628NNxlSPv2xUI_v1.0.1802.10.08_P4 and LT21B devices through M7628xUSAxUIv2_v1.0.1481.15.02_P0. A unauthenticated remote attacker with network access can exploit a command injection vulnerability. The…

  • CVE-2023-28354CriJan 9, 2025
    risk 0.65cvss 9.8epss 0.01

    An issue was discovered in Opsview Monitor Agent 6.8. An unauthenticated remote attacker can call check_nrpe against affected targets, specifying known NRPE plugins, which in default installations are configured to accept command control characters and pass them to command-line…