CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,491 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 105 of 130
- CVE-2025-4939MEDIUMCVSS 4.3EG 4.32025-05-19
A vulnerability classified as problematic was found in PHPGurukul Credit Card Application Management System 1.0. This vulnerability affects unknown code of the file /admin/new-ccapplication.php. The manipulation leads to cross site scripti…
- CVE-2025-49521HIGHCVSS 8.8EG 8.82025-06-30
A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute …
- CVE-2025-49581HIGHCVSS 8.8EG 8.82025-06-13
XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki inst…
- CVE-2025-49704HIGHCVSS 8.8EG 9.0⚠ KEV2025-07-08
Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-49887CRITICALCVSS 9.9EG 9.92025-08-14
Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce product-xml-feeds-for-woocommerce allows Remote Code Inclusion.This issue affects Product XML Feed Manager for Wo…
- CVE-2025-49926HIGHCVSS 7.2EG 7.32025-10-22
Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25.
- CVE-2025-4996LOWCVSS 2.4EG 2.42025-05-20
A vulnerability, which was classified as problematic, has been found in Intelbras RF 301K 1.1.5. This issue affects some unknown processing of the component Add Static IP. The manipulation of the argument Description leads to cross site sc…
- CVE-2025-5007LOWCVSS 3.5EG 3.52025-05-20
A vulnerability was found in Part-DB up to 1.17.0. It has been declared as problematic. Affected by this vulnerability is the function handleUpload of the file src/Services/Attachments/AttachmentSubmitHandler.php of the component Profile P…
- CVE-2025-5010MEDIUMCVSS 4.7EG 2.42025-05-21
A vulnerability classified as problematic has been found in moonlightL hexo-boot 4.3.0. This affects an unknown part of the file /admin/home/index.html of the component Blog Backend. The manipulation of the argument Description leads to cr…
- CVE-2025-5011MEDIUMCVSS 4.7EG 2.42025-05-21
A vulnerability classified as problematic was found in moonlightL hexo-boot 4.3.0. This vulnerability affects unknown code of the file /admin/home/index.html of the component Dynamic List Page. The manipulation leads to cross site scriptin…
- CVE-2025-50123HIGHCVSS 7.2EG 7.22025-07-11
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname …
- CVE-2025-5013MEDIUMCVSS 4.7EG 4.32025-05-21
A vulnerability, which was classified as problematic, was found in HkCms up to 2.3.2.240702. This affects an unknown part of the file /index.php/search/index.html of the component Search. The manipulation of the argument keyword leads to c…
- CVE-2025-50567CRITICALCVSS 10.0EG 10.02025-08-19
Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-control…
- CVE-2025-50692CRITICALCVSS 9.8EG 9.82025-08-07
FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html.
- CVE-2025-50706CRITICALCVSS 9.8EG 9.82025-08-05
An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function
- CVE-2025-50707CRITICALCVSS 9.8EG 9.82025-08-05
An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component
- CVE-2025-50739CRITICALCVSS 9.8EG 9.82025-10-30
iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization.
- CVE-2025-50881HIGHCVSS 8.8EG 8.82026-03-16
The `flow/admin/moniteur.php` script in Use It Flow administration website before 10.0.0 is vulnerable to Remote Code Execution. When handling GET requests, the script takes user-supplied input from the `action` URL parameter, performs ins…
- CVE-2025-5101MEDIUMCVSS 5.0EG 5.02025-08-27
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appe…
- CVE-2025-5120CRITICALCVSS 10.0EG 10.02025-07-27
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_pytho…
- CVE-2025-5127MEDIUMCVSS 5.4EG 3.52025-05-24
A vulnerability was determined in Teledyne FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. Executing manipulation of the argument cmd can lead to cross site scripting. The attack may be launched re…
- CVE-2025-5133MEDIUMCVSS 6.1EG 4.32025-05-24
A vulnerability classified as problematic has been found in Tmall Demo up to 20250505. Affected is an unknown function of the component Search Box. The manipulation leads to cross site scripting. It is possible to launch the attack remotel…
- CVE-2025-5134MEDIUMCVSS 6.1EG 3.52025-05-24
A vulnerability classified as problematic was found in Tmall Demo up to 20250505. Affected by this vulnerability is an unknown functionality of the component Buy Item Page. The manipulation of the argument Detailed Address leads to cross s…
- CVE-2025-5135MEDIUMCVSS 6.1EG 2.42025-05-24
A vulnerability, which was classified as problematic, has been found in Tmall Demo up to 20250505. Affected by this issue is some unknown functionality of the file /tmall/admin/ of the component Product Details Page. The manipulation of th…
- CVE-2025-5137HIGHCVSS 7.2EG 4.72025-05-25
A vulnerability was found in DedeCMS 5.7.117. It has been classified as critical. Affected is an unknown function of the file dede/sys_verifies.php?action=getfiles of the component Incomplete Fix CVE-2018-9175. The manipulation of the argu…
- CVE-2025-5138LOWCVSS 3.5EG 3.52025-05-25
A vulnerability was found in Bitwarden up to 2.25.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. The manipulation leads to cross site scripting. The att…
- CVE-2025-51387CRITICALCVSS 9.8EG 9.82025-08-04
The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabl…
- CVE-2025-51414HIGHCVSS 8.8EG 8.82026-04-13
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
- CVE-2025-51427HIGHCVSS 7.3EG 7.32026-05-19
An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].
- CVE-2025-51482HIGHCVSS 8.8EG 8.82025-07-22
Remote Code Execution in letta.server.rest_api.routers.v1.tools.run_tool_from_source in letta-ai Letta 0.7.12 allows remote attackers to execute arbitrary Python code and system commands via crafted payloads to the /v1/tools/run endpoint, …
- CVE-2025-5150HIGHCVSS 8.8EG 6.32025-05-25
A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperl…
- CVE-2025-5151HIGHCVSS 7.8EG 5.32025-05-25
A vulnerability classified as critical has been found in defog-ai introspect up to 0.1.4. This affects the function execute_analysis_code_safely of the file introspect/backend/tools/analysis_tools.py. The manipulation of the argument code …
- CVE-2025-5153MEDIUMCVSS 4.8EG 3.52025-05-25
A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross …
- CVE-2025-5177MEDIUMCVSS 4.7EG 4.32025-05-26
A vulnerability was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. It has been rated as problematic. This issue affects some unknown processing of the file /adm/index.php of the component Admin Login Page. The manipulation o…
- CVE-2025-5179LOWCVSS 3.4EG 2.42025-05-26
A vulnerability classified as problematic was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. Affected by this vulnerability is an unknown functionality of the file /adm/index.php of the component Cadastro de Administrador Pa…
- CVE-2025-5181MEDIUMCVSS 4.1EG 3.52025-05-26
A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTit…
- CVE-2025-51991HIGHCVSS 8.8EG 8.82025-08-20
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrato…
- CVE-2025-52122CRITICALCVSS 9.8EG 9.82025-08-27
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).
- CVE-2025-52218HIGHCVSS 7.5EG 7.52025-08-26
SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into the login page.
- CVE-2025-52385CRITICALCVSS 9.8EG 9.82025-08-13
An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module
- CVE-2025-52718HIGHCVSS 7.2EG 7.22025-07-04
Improper Control of Generation of Code ('Code Injection') vulnerability in Beplusthemes Alone alone allows Remote Code Inclusion.This issue affects Alone: from n/a through <= 7.8.2.
- CVE-2025-52744HIGHCVSS 7.7EG 7.62026-02-20
Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0.
- CVE-2025-52756HIGHCVSS 7.4EG 7.42025-10-22
Improper Control of Generation of Code ('Code Injection') vulnerability in Sayan Datta WP Last Modified Info wp-last-modified-info allows Remote Code Inclusion.This issue affects WP Last Modified Info: from n/a through <= 1.9.4.
- CVE-2025-53002HIGHCVSS 8.3EG 8.32025-06-26
LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises beca…
- CVE-2025-5309CRITICALCVSS 9.8EG 9.82025-06-16
The chat feature within Remote Support (RS) and Privileged Remote Access (PRA) is vulnerable to a Server-Side Template Injection vulnerability which can lead to remote code execution.
- CVE-2025-5321CRITICALCVSS 9.9EG 6.32025-05-29
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of th…
- CVE-2025-5333CRITICALCVSS 9.5EG 9.52025-07-06
Remote attackers can execute arbitrary code in the context of the vulnerable service process.
- CVE-2025-53419HIGHCVSS 7.8EG 7.82025-08-26
Delta Electronics COMMGR has Code Injection vulnerability.
- CVE-2025-53547HIGHCVSS 8.5EG 8.52025-07-08
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml …
- CVE-2025-53577CRITICALCVSS 10.0EG 10.02025-08-20
Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns allows Remote Code Inclusion.This issue affects Global DNS: from n/a through <= 3.1.0.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →