CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,491 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 100 of 130
- CVE-2025-28201MEDIUMCVSS 6.8EG 6.82025-05-09
An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access.
- CVE-2025-28203HIGHCVSS 8.8EG 9.82025-05-09
Victure RX1800 EN_V1.0.0_r12_110933 was discovered to contain a command injection vulnerability.
- CVE-2025-28386CRITICALCVSS 9.8EG 9.82025-06-13
A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file.
- CVE-2025-2867MEDIUMCVSS 4.4EG 4.42025-03-27
An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to po…
- CVE-2025-2878LOWCVSS 2.4EG 2.42025-03-27
A vulnerability was found in Kentico CMS up to 13.0.178. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /CMSInstall/install.aspx of the component Additional Database Installation…
- CVE-2025-28893CRITICALCVSS 9.9EG 9.92025-03-26
Improper Control of Generation of Code ('Code Injection') vulnerability in Govind Visual Text Editor visual-text-editor allows Remote Code Inclusion.This issue affects Visual Text Editor: from n/a through <= 1.2.1.
- CVE-2025-28993HIGHCVSS 8.6EG 8.62025-06-27
Improper Control of Generation of Code ('Code Injection') vulnerability in Jose Mortellaro Content No Cache content-no-cache allows Code Injection.This issue affects Content No Cache: from n/a through <= 0.1.4.
- CVE-2025-29039HIGHCVSS 7.2EG 7.22025-04-17
An issue in dlink DIR 832x 240802 allows a remote attacker to execute arbitrary code via the function 0x41dda8
- CVE-2025-29058CRITICALCVSS 9.8EG 9.82025-04-18
An issue in Qimou CMS v.3.34.0 allows a remote attacker to execute arbitrary code via the upgrade.php component.
- CVE-2025-29064CRITICALCVSS 9.8EG 9.82025-04-03
An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.
- CVE-2025-29281HIGHCVSS 8.8EG 8.82025-04-15
In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component to upload arbitrary files and execute code within them.
- CVE-2025-29306CRITICALCVSS 9.8EG 9.82025-03-27
An issue in FoxCMS v.1.2.5 allows a remote attacker to execute arbitrary code via the case display page in the index.html component.
- CVE-2025-29401CRITICALCVSS 9.8EG 9.82025-03-19
An arbitrary file upload vulnerability in the component /views/plugin.php of emlog pro v2.5.7 allows attackers to execute arbitrary code via uploading a crafted PHP file.
- CVE-2025-2945CRITICALCVSS 9.9EG 9.92025-04-03
Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /clo…
- CVE-2025-29629CRITICALCVSS 9.1EG 8.82025-07-25
Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 use weak default credentials for secure shell access. This may result in attackers gaining access to exposed Gar…
- CVE-2025-29631CRITICALCVSS 9.8EG 9.82025-07-25
Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the oper…
- CVE-2025-29661HIGHCVSS 7.2EG 7.22025-04-17
Litepubl CMS <= 7.0.9 is vulnerable to RCE in admin/service/run.
- CVE-2025-29662CRITICALCVSS 9.8EG 9.82025-04-17
A RCE vulnerability in the core application in LandChat 3.25.12.18 allows an unauthenticated attacker to execute system code via remote network access.
- CVE-2025-2974LOWCVSS 3.5EG 3.52025-03-31
A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to …
- CVE-2025-2975LOWCVSS 3.5EG 3.52025-03-31
A vulnerability was found in GFI KerioConnect 10.0.6 and classified as problematic. This issue affects some unknown processing of the file Settings/Email/Signature/EditHtmlSource of the component Signature Handler. The manipulation leads t…
- CVE-2025-2976LOWCVSS 3.5EG 3.52025-03-31
A vulnerability was found in GFI KerioConnect 10.0.6. It has been classified as problematic. Affected is an unknown function of the component File Upload. The manipulation leads to cross site scripting. It is possible to launch the attack …
- CVE-2025-2977LOWCVSS 3.5EG 3.52025-03-31
A vulnerability was found in GFI KerioConnect 10.0.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The at…
- CVE-2025-2979LOWCVSS 2.4EG 2.42025-03-31
A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scr…
- CVE-2025-29806MEDIUMCVSS 6.5EG 6.52025-03-23
No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
- CVE-2025-29807HIGHCVSS 8.7EG 8.72025-03-21
Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.
- CVE-2025-2981LOWCVSS 3.5EG 3.52025-03-31
A vulnerability, which was classified as problematic, has been found in Legrand SMS PowerView 1.x. This issue affects some unknown processing. The manipulation of the argument redirect leads to cross site scripting. The attack may be initi…
- CVE-2025-29902CRITICALCVSS 10.0EG 10.02025-06-13
Remote code execution that allows unauthorized users to execute arbitrary code on the server machine.
- CVE-2025-30013MEDIUMCVSS 6.7EG 6.72025-04-08
SAP ERP BW Business Content is vulnerable to OS Command Injection through certain function modules. These function modules, when executed with elevated privileges, improperly handle user input, allowing attacker to inject arbitrary OS comm…
- CVE-2025-3004LOWCVSS 3.5EG 3.52025-03-31
A vulnerability has been found in Sayski ForestBlog up to 20250321 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /search. The manipulation of the argument keywords leads to cross site…
- CVE-2025-3005LOWCVSS 3.5EG 3.52025-03-31
A vulnerability was found in Sayski ForestBlog up to 20250321 and classified as problematic. Affected by this issue is some unknown functionality of the component Friend Link Handler. The manipulation leads to cross site scripting. The att…
- CVE-2025-30055CRITICALCVSS 9.0EG 9.02025-08-27
The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter.
- CVE-2025-30056CRITICALCVSS 9.4EG 9.42025-08-27
The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system.
- CVE-2025-30057CRITICALCVSS 9.4EG 9.42025-08-27
In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function.
- CVE-2025-30067HIGHCVSS 7.2EG 7.22025-03-27
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code f…
- CVE-2025-30085CRITICALCVSS 9.2EG 9.22025-06-11
Remote code execution vulnerability in RSForm!pro component 3.0.0 - 3.3.14 for Joomla was discovered. The issue occurs within the submission export feature and requires administrative access to the export feature.
- CVE-2025-30172HIGHCVSS 8.0EG 8.02025-05-22
Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
- CVE-2025-3036LOWCVSS 2.4EG 2.42025-03-31
A vulnerability, which was classified as problematic, was found in yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991. This affects an unknown part of the component Student Ma…
- CVE-2025-3053HIGHCVSS 8.8EG 8.82025-05-15
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the …
- CVE-2025-30580CRITICALCVSS 10.0EG 10.02025-04-01
Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through <= 1.10.
- CVE-2025-30911CRITICALCVSS 9.9EG 9.92025-04-01
Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection.This issue affects RTMKit: from n/a through <= 1.5.4.
- CVE-2025-30975HIGHCVSS 7.5EG 7.52025-08-20
Improper Control of Generation of Code ('Code Injection') vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Code Injection.This issue affects Add Custom Codes: from n/a through <= 4.80.
- CVE-2025-3114CRITICALCVSS 9.4EG 9.42025-04-09
Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in…
- CVE-2025-3115CRITICALCVSS 9.8EG 9.82025-04-09
Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload an…
- CVE-2025-31330CRITICALCVSS 9.9EG 9.92025-04-08
SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential autho…
- CVE-2025-31365MEDIUMCVSS 5.8EG 5.82025-10-14
An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac 7.4.0 through 7.4.3, 7.2.1 through 7.2.8 may allow an unauthenticated attacker to execute arbitrary code on the victim's host via trickin…
- CVE-2025-3149LOWCVSS 2.4EG 2.42025-04-03
A vulnerability was found in itning Student Homework Management System up to 1.2.7. It has been classified as problematic. Affected is an unknown function of the file /shw_war/fileupload of the component Edit Job Page. The manipulation of …
- CVE-2025-3152LOWCVSS 3.5EG 3.52025-04-03
A vulnerability classified as problematic has been found in caipeichao ThinkOX 1.0. This affects an unknown part of the file /ThinkOX-master/index.php?s=/Weibo/Index/search.html of the component Search. The manipulation of the argument key…
- CVE-2025-3157LOWCVSS 2.4EG 2.42025-04-03
A vulnerability was found in Intelbras WRN 150 1.0.15_pt_ITB01. It has been rated as problematic. This issue affects some unknown processing of the component Wireless Menu. The manipulation of the argument SSID leads to cross site scriptin…
- CVE-2025-3163MEDIUMCVSS 5.3EG 5.32025-04-03
A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possibl…
- CVE-2025-3164MEDIUMCVSS 4.7EG 4.72025-04-03
A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Databas…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →