CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
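The description above is the whole weakness in one sentence; the following Python is an added example (not code from the CWE entry or from any product listed on this page) that makes it concrete. It models the pattern behind several of the mapped CVEs, a form "calculation" feature that splices submitted field values into expression text and evaluates it: `calc_vulnerable()` hands that text to `eval()`, which is CWE-94 exactly as described, while `calc_safe()` keeps the feature but validates each value as a number before splicing and evaluates the result by walking a whitelisted AST. The field names, the template and the attacker payload are all constructed for the demonstration.

```python
"""Added example (not from the CWE entry or any product it lists).

A form "calculation" feature splices user-submitted field values into
expression text and evaluates it.  calc_vulnerable() hands that text to
eval(), which is CWE-94 exactly as described above.  calc_safe() keeps the
feature but (1) validates every field value as a number before splicing and
(2) evaluates the result by walking a whitelisted AST, so names, calls,
attribute access, imports and even exponentiation can never execute.
All field names, the template and the payload are constructed for this demo.
"""
import ast
import operator

# Constructed sample data: an order form and the expression an admin configured.
FORM_FIELDS = {"qty": "3", "price": "19.99", "discount": "0.10"}
CALC_TEMPLATE = "{qty} * {price} * (1 - {discount})"

# Constructed attacker submission: the qty field carries Python, not a number.
ATTACKER_FIELDS = {"qty": "__import__('os').getpid()", "price": "1", "discount": "0"}


class UnsafeExpression(ValueError):
    """Raised when input falls outside the arithmetic subset we allow."""


def render_expression(template, fields):
    """Splice field values into the template text (both paths do this)."""
    out = template
    for name, value in fields.items():
        out = out.replace("{" + name + "}", value)
    return out


def calc_vulnerable(template, fields):
    """CWE-94: the spliced string is compiled and run as Python source.

    A value like "__import__('os').getpid()" executes with the app's
    privileges.  Shown only to make the failure concrete; never ship this.
    """
    return eval(render_expression(template, fields))  # noqa: S307


# Hardened path: the only node types the walker will evaluate.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_MAX_EXPR_LEN = 256  # bounds parser work on deeply nested junk


def _eval_node(node):
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Name, Call, Attribute, Subscript, Pow, strings, comparisons ... all refused.
    raise UnsafeExpression("disallowed syntax: " + type(node).__name__)


def calc_safe(template, fields):
    """Same feature with the input neutralised instead of trusted."""
    numeric = {}
    for name, value in fields.items():
        try:
            numeric[name] = repr(float(value))  # anything but a number literal fails here
        except ValueError:
            raise UnsafeExpression("field %r is not numeric: %r" % (name, value)) from None
    expr = render_expression(template, numeric)
    if len(expr) > _MAX_EXPR_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")  # parses only; nothing is executed
    except SyntaxError as exc:
        raise UnsafeExpression("not an expression: %s" % exc) from None
    return _eval_node(tree)


def rejects(template, fields):
    """True if the hardened path refuses the input rather than evaluating it."""
    try:
        calc_safe(template, fields)
    except UnsafeExpression:
        return True
    return False


def demo():
    """Honest and attacker submissions through both paths."""
    return {
        "honest_vulnerable": calc_vulnerable(CALC_TEMPLATE, FORM_FIELDS),
        "honest_safe": calc_safe(CALC_TEMPLATE, FORM_FIELDS),
        # eval() runs the payload: the result is the worker's PID, proof of execution.
        "attacker_vulnerable": calc_vulnerable(CALC_TEMPLATE, ATTACKER_FIELDS),
        "attacker_safe_rejected": rejects(CALC_TEMPLATE, ATTACKER_FIELDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points worth noting. The numeric check on field values is the "neutralize special elements" step from the description, but it is not enough on its own: if the template itself is attacker-influenced (as in several mapped CVEs, where an admin-level user edits templates), only the AST whitelist stops `__import__(...)` or `3.0.__class__`; the walker also refuses `**`, which closes the resource-exhaustion route that an arithmetic-only `eval()` would still leave open.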
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,701)
Page 8 of 236

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-67887 | | Cri | 0.64 | 9.8 | 0.02 | | May 8, 2026 | 1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for… |
| CVE-2026-36458 | | Cri | 0.64 | 9.8 | 0.00 | | May 7, 2026 | ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered. |
| CVE-2025-63706 | | Cri | 0.64 | 9.8 | 0.02 | | May 7, 2026 | NPM package next-npm-version 1.0.1 is vulnerable to command injection. |
| CVE-2026-8094 | | Cri | 0.64 | 9.8 | 0.00 | | May 7, 2026 | Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2. |
| CVE-2026-38431 | | Cri | 0.64 | 9.8 | 0.00 | | May 5, 2026 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. |
| CVE-2026-42994 | | Cri | 0.64 | 9.8 | 0.00 | | May 1, 2026 | Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident. |
| CVE-2026-38992 | — | Cri | 0.64 | 9.8 | 0.00 | | Apr 29, 2026 | Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. |
| CVE-2026-39087 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 23, 2026 | ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. |
| CVE-2026-39440 | — | Cri | 0.64 | 9.9 | 0.00 | | Apr 23, 2026 | Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion. This issue affects FunnelFormsPro: from n/a through 3.8.1. |
| CVE-2026-32613 | | Cri | 0.64 | 9.9 | 0.01 | | Apr 20, 2026 | Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike… |
| CVE-2026-30993 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 15, 2026 | Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input. |
| CVE-2026-39842 | | Cri | 0.64 | 9.9 | 0.01 | | Apr 15, 2026 | OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's… |
| CVE-2025-61260 | — | Cri | 0.64 | 9.8 | 0.07 | | Apr 14, 2026 | A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex… |
| CVE-2026-31048 | — | Cri | 0.64 | 9.8 | 0.01 | | Apr 13, 2026 | An issue in the pickle protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message. |
| CVE-2026-25776 | | Cri | 0.64 | 9.8 | 0.00 | | Apr 8, 2026 | Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script. |
| CVE-2024-36057 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 7, 2026 | Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data… |
| CVE-2026-30643 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 1, 2026 | An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload. |
| CVE-2024-40489 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 1, 2026 | There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests. |
| CVE-2026-3300 | | Cri | 0.64 | 9.8 | 0.41 | | Mar 31, 2026 | The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code… |
| CVE-2026-30313 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 30, 2026 | DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as… |