VYPR

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Base · Draft

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-35 · CAPEC-73 · CAPEC-77 · CAPEC-81 · CAPEC-85

CVEs mapped to this weakness (9)

  • CVE-2025-30091 · Cri · Mar 25, 2025
    risk 0.61 · cvss · epss 0.01

    In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and…

  • CVE-2025-7825 · Med · Oct 3, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated…

  • CVE-2024-55877 · Dec 12, 2024
    risk 0.00 · cvss · epss 0.02

    XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the…

  • CVE-2024-55662 · Dec 12, 2024
    risk 0.00 · cvss · epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This…

  • CVE-2024-43400 · Aug 19, 2024
    risk 0.00 · cvss · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user to…

  • CVE-2024-37900 · Jul 31, 2024
    risk 0.00 · cvss · epss 0.15

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into…

  • CVE-2023-0566 · Jan 29, 2023
    risk 0.00 · cvss · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10.

  • CVE-2022-24840 · Jun 6, 2022
    risk 0.00 · cvss · epss 0.02

    django-s3file is a lightweight file upload input for Django and Amazon S3. In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the `AWS_LOCATION` setting was set, traversal was limited to that location…

  • CVE-2022-0895 · Mar 10, 2022
    risk 0.00 · cvss · epss 0.02

    Static Code Injection in GitHub repository microweber/microweber prior to 1.3.