CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,491 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 104 of 130
- CVE-2025-4512MEDIUMCVSS 4.3EG 4.32025-05-10
A vulnerability classified as problematic has been found in Inetum IODAS 7.2-LTS.4.1-JDK7/7.2-RC3.2-JDK7. Affected is an unknown function of the file /astre/iodasweb/app.jsp. The manipulation of the argument action leads to cross site scri…
- CVE-2025-4531MEDIUMCVSS 6.3EG 6.32025-05-11
A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\WEB-INF\classes\com\ours\www\ehr\salary\service\data\EhrSalaryPa…
- CVE-2025-4547LOWCVSS 2.4EG 2.42025-05-11
A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add User Page. The manipulation leads to …
- CVE-2025-45479CRITICALCVSS 9.8EG 9.82025-07-07
Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container.
- CVE-2025-4551LOWCVSS 3.5EG 3.52025-05-11
A vulnerability, which was classified as problematic, was found in ContiNew Admin up to 3.6.0. Affected is an unknown function of the file /dev-api/common/file. The manipulation of the argument File leads to cross site scripting. It is pos…
- CVE-2025-45752HIGHCVSS 7.2EG 7.22025-05-21
A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager.
- CVE-2025-45753HIGHCVSS 7.2EG 7.22025-05-21
A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature.
- CVE-2025-45857CRITICALCVSS 9.8EG 9.82025-05-13
EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function.
- CVE-2025-45947CRITICALCVSS 9.8EG 9.82025-04-28
An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component
- CVE-2025-46000MEDIUMCVSS 6.5EG 6.52025-07-18
An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.
- CVE-2025-46059CRITICALCVSS 9.8EG 9.82025-07-29
langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email messa…
- CVE-2025-46191CRITICALCVSS 9.8EG 9.82025-05-09
Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Due to the absence of proper file extens…
- CVE-2025-46295CRITICALCVSS 9.8EG 9.82025-12-16
Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing comm…
- CVE-2025-46569HIGHCVSS 7.4EG 7.42025-05-01
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API enta…
- CVE-2025-46579HIGHCVSS 8.4EG 8.42025-04-27
There is a DDE injection vulnerability in the GoldenDB database product. Attackers can inject DDE expressions through the interface, and when users download and open the affected file, the DDE commands can be executed.
- CVE-2025-46581CRITICALCVSS 9.8EG 9.82025-10-14
ZTE's ZXCDN product is affected by a Struts remote code execution (RCE) vulnerability. An unauthenticated attacker can remotely execute commands with non-root privileges.
- CVE-2025-46661CRITICALCVSS 10.0EG 10.02025-04-28
IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the attacker to provide template expressions, aka Server-Side Template-Injection. All instances have been patched by the Supp…
- CVE-2025-46724CRITICALCVSS 9.8EG 9.82025-05-20
Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `TableChatAgent` uses `pandas eval()`. If fed by untrusted user input, like the case of a public-facing LLM application, it …
- CVE-2025-46725CRITICALCVSS 9.8EG 9.82025-05-20
Langroid is a Python framework to build large language model (LLM)-powered applications. Prior to version 0.53.15, `LanceDocChatAgent` uses pandas eval() through `compute_from_docs()`. As a result, an attacker may be able to make the agent…
- CVE-2025-46818MEDIUMCVSS 6.0EG 6.02025-10-03
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the con…
- CVE-2025-47271MEDIUMCVSS 6.3EG 6.32025-05-12
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A mal…
- CVE-2025-4744LOWCVSS 3.5EG 3.52025-05-16
A vulnerability, which was classified as problematic, has been found in code-projects Employee Record System 1.0. Affected by this issue is some unknown functionality of the file dashboard\edit_employee.php. The manipulation of the argumen…
- CVE-2025-4745LOWCVSS 3.5EG 3.52025-05-16
A vulnerability, which was classified as problematic, was found in code-projects Employee Record System 1.0. This affects an unknown part of the file current_employees.php. The manipulation of the argument employeed_id/first_name/middle_na…
- CVE-2025-47481MEDIUMCVSS 5.3EG 5.32025-05-07
Improper Control of Generation of Code ('Code Injection') vulnerability in GS Plugins GS Testimonial Slider gs-testimonial allows Code Injection.This issue affects GS Testimonial Slider: from n/a through <= 3.2.9.
- CVE-2025-47562MEDIUMCVSS 5.3EG 5.32025-05-16
Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg allows Code Injection.This issue affects MapSVG: from n/a through <= 8.5.34.
- CVE-2025-47588CRITICALCVSS 9.1EG 9.82025-11-06
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for…
- CVE-2025-4767MEDIUMCVSS 5.3EG 5.32025-05-16
A vulnerability was found in defog-ai introspect up to 0.1.4. It has been rated as critical. Affected by this issue is the function test_custom_tool of the file introspect/backend/integration_routes.py of the component Test Endpoint. The m…
- CVE-2025-47691MEDIUMCVSS 5.5EG 5.52025-05-07
Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member ultimate-member allows Code Injection.This issue affects Ultimate Member: from n/a through <= 2.10.3.
- CVE-2025-47916CRITICALCVSS 10.0EG 10.02025-05-16
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a p…
- CVE-2025-47988HIGHCVSS 7.5EG 7.52025-07-08
Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network.
- CVE-2025-48100CRITICALCVSS 9.1EG 9.12025-08-28
Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0.
- CVE-2025-48119MEDIUMCVSS 5.3EG 5.32025-05-16
Improper Control of Generation of Code ('Code Injection') vulnerability in RS WP THEMES RS WP Book Showcase rs-wp-books-showcase allows Code Injection.This issue affects RS WP Book Showcase: from n/a through <= 6.7.59.
- CVE-2025-48120MEDIUMCVSS 5.3EG 5.32025-05-16
Improper Control of Generation of Code ('Code Injection') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows Code Injection.This issue affects MapSVG: from n/a through <= 8.6.9.
- CVE-2025-48123CRITICALCVSS 10.0EG 10.02025-06-09
Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Code…
- CVE-2025-48140CRITICALCVSS 9.9EG 9.92025-06-09
Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI metalpriceapi allows Code Injection.This issue affects MetalpriceAPI: from n/a through <= 1.1.4.
- CVE-2025-48169CRITICALCVSS 9.9EG 9.92025-08-20
Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine code-engine allows Remote Code Inclusion.This issue affects Code Engine: from n/a through <= 0.3.3.
- CVE-2025-48390HIGHCVSS 7.2EG 7.22025-05-29
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. The backticks characters are not remo…
- CVE-2025-4852LOWCVSS 2.4EG 2.42025-05-18
A vulnerability, which was classified as problematic, has been found in TOTOLINK A3002R 2.1.1-B20230720.1011. This issue affects some unknown processing of the component VPN Page. The manipulation of the argument Comment leads to cross sit…
- CVE-2025-4858LOWCVSS 2.4EG 2.42025-05-18
A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been declared as problematic. This vulnerability affects unknown code of the file /adv_arpspoofing.php of the component ARP Spoofing Prevention Page. The manip…
- CVE-2025-4859LOWCVSS 2.4EG 2.42025-05-18
A vulnerability was found in D-Link DAP-2695 120b36r137_ALL_en_20210528. It has been rated as problematic. This issue affects some unknown processing of the file /adv_macbypass.php of the component MAC Bypass Settings Page. The manipulatio…
- CVE-2025-4860LOWCVSS 2.4EG 2.42025-05-18
A vulnerability classified as problematic has been found in D-Link DAP-2695 120b36r137_ALL_en_20210528. Affected is an unknown function of the file /adv_dhcps.php of the component Static Pool Settings Page. The manipulation of the argument…
- CVE-2025-4862MEDIUMCVSS 4.3EG 4.32025-05-18
A vulnerability, which was classified as problematic, has been found in PHPGurukul Directory Management System 2.0. Affected by this issue is some unknown functionality of the file /searchdata.php. The manipulation of the argument searchda…
- CVE-2025-4866MEDIUMCVSS 6.3EG 6.32025-05-18
A vulnerability was found in weibocom rill-flow 0.1.18. It has been classified as critical. Affected is an unknown function of the component Management Console. The manipulation leads to code injection. It is possible to launch the attack …
- CVE-2025-48984HIGHCVSS 8.8EG 8.82025-10-31
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
- CVE-2025-49013CRITICALCVSS 9.9EG 9.92025-06-09
WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user cont…
- CVE-2025-49029CRITICALCVSS 9.1EG 9.12025-07-01
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <…
- CVE-2025-49132CRITICALCVSS 10.0EG 10.02025-06-20
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being aut…
- CVE-2025-49250MEDIUMCVSS 4.3EG 4.32025-06-06
Improper Control of Generation of Code ('Code Injection') vulnerability in cmoreira Team Showcase team-showcase-cm allows Code Injection.This issue affects Team Showcase: from n/a through < 25.05.13.
- CVE-2025-49302CRITICALCVSS 10.0EG 10.02025-07-04
Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion.This issue affects Easy Stripe: from n/a through <= 1.1.
- CVE-2025-49372CRITICALCVSS 10.0EG 10.02025-11-06
Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →