CWE-494— Download of Code Without Integrity Check
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.— MITRE CWE catalog
204 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-494page 5 of 5
- CVE-2026-55697HIGHCVSS 8.8EG 8.82026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can install configDependencies declared in pnpm-workspace.yaml before command dispatch. Before the patch, a repository could declare pacquet or @pnpm/pacquet as a config dependen…
- CVE-2026-55698HIGHCVSS 8.8EG 8.82026-06-25
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDep…
- CVE-2026-9037CRITICALCVSS 9.3EG 9.32026-05-28
A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker wit…
- CVE-2026-9089HIGHCVSS 8.8EG 8.82026-05-21
The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5.
Map vulnerabilities like CWE-494 to your infrastructure
EchelonGraph correlates every CVE — across CWE-494 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →