CWE-96
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
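The classic shape of this weakness is an installer or admin panel that writes settings into a file that is itself code (config.php, settings.py) by string interpolation, so a value containing a quote closes the literal and the rest of the value becomes statements that run on the next include or import; the MoxieManager entry in the CVE list below describes that path into config.php. The following is an added example written for this page, not code from the CWE entry or from any of the listed projects. It uses Python in place of PHP; the function names (render_config_vulnerable, render_config_safe, load_config, generated_config_is_clean), the PAYLOAD string and the settings are hypothetical and constructed for the demonstration.

```python
# Added example for CWE-96 (not code from the CWE entry or from any project
# listed on this page).  An installer persists settings as a Python module,
# first by string interpolation, then with repr(), plus a post-write check.
# Function names, settings and the payload are hypothetical / constructed.
import ast


def render_config_vulnerable(db_host: str, db_pass: str) -> str:
    """CWE-96: untrusted values are pasted into code syntax unescaped.
    A value containing a quote terminates the literal and whatever
    follows is executed the next time the module is imported."""
    return (
        "DB_HOST = '" + db_host + "'\n"
        "DB_PASS = '" + db_pass + "'\n"
    )


def render_config_safe(db_host: str, db_pass: str) -> str:
    """repr() emits a Python string literal with quotes, backslashes and
    newlines escaped, so the value cannot break out of its literal."""
    return f"DB_HOST = {db_host!r}\nDB_PASS = {db_pass!r}\n"


def load_config(source: str) -> dict:
    """Execute the generated module the same way `import config` would
    and return its top-level names (the dangerous step, shown on purpose)."""
    namespace: dict = {}
    exec(compile(source, "config.py", "exec"), namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def generated_config_is_clean(source: str, expected_names: set) -> bool:
    """Post-write guard: the module must consist only of `NAME = <literal>`
    assignments for exactly the expected settings.  Any other statement,
    non-literal value, or extra name means an input broke out of its literal."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False
    seen = set()
    for node in tree.body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            return False
        try:
            ast.literal_eval(node.value)  # rejects calls, names, imports
        except ValueError:
            return False
        seen.add(node.targets[0].id)
    return seen == set(expected_names)


# Constructed payload: closes the quoted literal, adds a statement, and
# re-opens a literal so the written file still parses.
PAYLOAD = "x'\nINJECTED = True\nY = '"
EXPECTED = {"DB_HOST", "DB_PASS"}


def demo() -> dict:
    """What each variant does with the payload."""
    vuln_src = render_config_vulnerable("db.internal", PAYLOAD)
    safe_src = render_config_safe("db.internal", PAYLOAD)
    return {
        "vulnerable_executed_injected_statement":
            load_config(vuln_src).get("INJECTED", False),
        "vulnerable_passes_guard": generated_config_is_clean(vuln_src, EXPECTED),
        "safe_round_trips_value": load_config(safe_src)["DB_PASS"] == PAYLOAD,
        "safe_passes_guard": generated_config_is_clean(safe_src, EXPECTED),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Escaping with repr() (var_export() is the PHP equivalent) closes this particular hole, but the stronger fix is the one the CWE description implies: keep configuration as data rather than as an executable resource, for example a JSON or INI file read back with json.loads / parse_ini_file, so untrusted input never enters code syntax at all. The generated_config_is_clean check is useful as a regression test on whatever the installer actually writes, because it fails the moment a value produces any statement beyond the expected assignments.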
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-35 · CAPEC-73 · CAPEC-77 · CAPEC-81 · CAPEC-85
CVEs mapped to this weakness (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-30091 |  | Critical | 0.61 | — | 0.01 |  | Mar 25, 2025 | In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and… |
| CVE-2025-7825 |  | Medium | 0.41 | 6.3 | 0.00 |  | Oct 3, 2025 | The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated… |
| CVE-2024-55877 |  |  | 0.00 | — | 0.02 |  | Dec 12, 2024 | XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the… |
| CVE-2024-55662 |  |  | 0.00 | — | 0.01 |  | Dec 12, 2024 | XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This… |
| CVE-2024-43400 |  |  | 0.00 | — | 0.00 |  | Aug 19, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user to… |
| CVE-2024-37900 |  |  | 0.00 | — | 0.15 |  | Jul 31, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into… |
| CVE-2023-0566 |  |  | 0.00 | — | 0.00 |  | Jan 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10. |
| CVE-2022-24840 |  |  | 0.00 | — | 0.02 |  | Jun 6, 2022 | django-s3file is a lightweight file upload input for Django and Amazon S3. In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the `AWS_LOCATION` setting was set, traversal was limited to that location… |
| CVE-2022-0895 |  |  | 0.00 | — | 0.02 |  | Mar 10, 2022 | Static Code Injection in GitHub repository microweber/microweber prior to 1.3. |