CWE-94
Improper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft · Likelihood of Exploit: Medium
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (3,775)
page 9 of 189

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-69902 | Cri | 0.64 | 9.8 | 0.00 | | Mar 16, 2026 | A command injection vulnerability in the minimal_wrapper.py component of kubectl-mcp-server v1.2.0 allows attackers to execute arbitrary commands via injecting arbitrary shell metacharacters. |
| CVE-2026-32640 | Cri | 0.64 | 9.8 | 0.00 | | Mar 16, 2026 | SimpleEval is a library for adding evaluatable expressions into Python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox, if the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5. |
| CVE-2026-21669 | Cri | 0.64 | 9.9 | 0.00 | | Mar 12, 2026 | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. |
| CVE-2019-25468 | Cri | 0.64 | 9.8 | 0.00 | | Mar 11, 2026 | NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output. |
| CVE-2026-22390 | Cri | 0.64 | 9.9 | 0.00 | | Mar 5, 2026 | Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection. This issue affects Builderall Builder for WordPress: from n/a through <= 3.0.1. |
| CVE-2025-67979 | Cri | 0.64 | 9.9 | 0.00 | | Feb 20, 2026 | Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1. |
| CVE-2025-70830 | Cri | 0.64 | 9.9 | 0.00 | | Feb 17, 2026 | A Server-Side Template Injection (SSTI) vulnerability in the Freemarker template engine of Datart v1.0.0-rc.3 allows authenticated attackers to execute arbitrary code via injecting crafted Freemarker template syntax into the SQL script field. |
| CVE-2020-37186 | Cri | 0.64 | 9.8 | 0.00 | | Feb 11, 2026 | Chevereto 3.13.4 Core contains a remote code execution vulnerability that allows attackers to inject malicious code during database configuration installation. Attackers can manipulate the database table prefix parameter to write a PHP shell file and execute arbitrary system commands through a crafted POST request. |
| CVE-2025-69872 | Cri | 0.64 | 9.8 | 0.00 | | Feb 11, 2026 | DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache. |
| CVE-2020-37052 | Cri | 0.64 | 9.8 | 0.00 | | Jan 30, 2026 | AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges. |
| CVE-2025-68897 | Cri | 0.64 | 9.9 | 0.00 | | Dec 29, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through <= 1.2. |
| CVE-2025-13773 | Cri | 0.64 | 9.8 | 0.01 | | Dec 24, 2025 | The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to a missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server. |
| CVE-2025-42880 | Cri | 0.64 | 9.9 | 0.00 | | Dec 9, 2025 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity and availability of the system. |
| CVE-2025-14324 | Cri | 0.64 | 9.8 | 0.00 | | Dec 9, 2025 | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. |
| CVE-2025-6389 | Cri | 0.64 | 9.8 | 0.01 | | Nov 25, 2025 | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts. |
| CVE-2025-12813 | Cri | 0.64 | 9.8 | 0.00 | | Nov 11, 2025 | The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server. |
| CVE-2025-42887 | Cri | 0.64 | 9.9 | 0.00 | | Nov 11, 2025 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity and availability of the system. |
| CVE-2025-32222 | Cri | 0.64 | 9.9 | 0.00 | | Nov 6, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection. This issue affects Widget Logic: from n/a through <= 6.0.5. |
| CVE-2025-50739 | Cri | 0.64 | 9.8 | 0.01 | | Oct 30, 2025 | iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization. |
| CVE-2025-46581 | Cri | 0.64 | 9.8 | 0.00 | | Oct 14, 2025 | ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges. |