CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 118 of 131
- CVE-2026-14752LOWCVSS 3.5EG 3.52026-07-05
A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation…
- CVE-2026-14791LOWCVSS 3.5EG 3.52026-07-06
A weakness has been identified in crater-invoice-inc crater up to 6.0.6. This affects the function getFormattedString of the file app/Http/Requests/InvoicesRequest.php of the component Invoice Note Handler. Executing a manipulation of the …
- CVE-2026-1509MEDIUMCVSS 5.4EG 5.42026-04-15
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input…
- CVE-2026-1516MEDIUMCVSS 5.7EG 5.72026-04-08
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users …
- CVE-2026-15187MEDIUMCVSS 4.3EG 4.32026-07-09
A security flaw has been discovered in enquirer up to 2.4.1. Affected is the function Enquirer.set of the component Public Package API. The manipulation of the argument question.name results in improperly controlled modification of object …
- CVE-2026-15195MEDIUMCVSS 6.3EG 6.32026-07-09
A weakness has been identified in apidevtools json-schema-ref-parser up to 15.3.5. This impacts the function Refs.set/Pointer.set in the library lib/pointer.ts. Executing a manipulation can lead to improperly controlled modification of obj…
- CVE-2026-1520LOWCVSS 2.4EG 2.42026-01-28
A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack re…
- CVE-2026-15202MEDIUMCVSS 4.3EG 4.32026-07-09
A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function get_url of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTP_HOST leads to cross site scripting. The …
- CVE-2026-15311LOWCVSS 3.5EG 3.52026-07-09
A vulnerability was identified in NousResearch hermes-agent up to 2026.5.29.2. Affected by this issue is the function MatrixAdapter._markdown_to_html of the file gateway/platforms/matrix.py of the component Matrix Adapter. Such manipulatio…
- CVE-2026-15321LOWCVSS 2.4EG 2.42026-07-10
A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function on_post of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument new_values['data'] results in cross site script…
- CVE-2026-1540HIGHCVSS 7.2EG 7.22026-04-02
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header
- CVE-2026-15410HIGHCVSS 7.2EG 0.0⚠ KEV2026-07-14
Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated …
- CVE-2026-15492MEDIUMCVSS 4.3EG 4.32026-07-12
A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site sc…
- CVE-2026-15493LOWCVSS 3.5EG 3.52026-07-12
A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. This issue affects some unknown processing of the file absent.php. Performing a manipulation of the argument export_date r…
- CVE-2026-15497HIGHCVSS 7.3EG 7.32026-07-12
A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT …
- CVE-2026-15505LOWCVSS 3.5EG 3.52026-07-12
A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument p_metaData causes cross site…
- CVE-2026-15512MEDIUMCVSS 6.3EG 6.32026-07-12
A vulnerability was identified in pig-mesh Pig up to 3.9.2. Affected by this issue is some unknown functionality of the file \pig-master\pig-visual\pig-codegen\src\main\java\com\pig4cloud\pig\codegen\service\impl\GeneratorServiceImpl.java …
- CVE-2026-15532LOWCVSS 2.4EG 2.42026-07-13
A vulnerability was identified in SourceCodester Online Book Store System 1.0. This issue affects some unknown processing of the component User Management Module. Such manipulation of the argument Name/Username leads to cross site scriptin…
- CVE-2026-15533MEDIUMCVSS 4.7EG 4.72026-07-13
A security flaw has been discovered in DedeCMS 5.7.118. Impacted is an unknown function of the file /plus/search.php of the component Column Management. Performing a manipulation of the argument Column Name results in code injection. The a…
- CVE-2026-15538MEDIUMCVSS 6.3EG 6.32026-07-13
A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of ob…
- CVE-2026-15595MEDIUMCVSS 4.3EG 4.32026-07-13
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is p…
- CVE-2026-15596MEDIUMCVSS 4.3EG 4.32026-07-13
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /subject.php. Such manipulation of the argument subject leads to cross site scripting. It is po…
- CVE-2026-15598MEDIUMCVSS 6.3EG 6.32026-07-13
A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototy…
- CVE-2026-1560HIGHCVSS 8.8EG 8.82026-02-11
The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authentica…
- CVE-2026-15607MEDIUMCVSS 4.3EG 4.32026-07-13
A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled …
- CVE-2026-15678LOWCVSS 3.5EG 3.52026-07-14
A security vulnerability has been detected in code-projects Online Job Portal 1.0. This impacts an unknown function of the file /Admin/DetailJob.php. The manipulation leads to cross site scripting. The attack is possible to be carried out …
- CVE-2026-15697MEDIUMCVSS 6.3EG 6.32026-07-14
A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in improperly controlled modification of obj…
- CVE-2026-15698MEDIUMCVSS 6.3EG 6.32026-07-14
A vulnerability was determined in kofrasa mingo up to 7.2.1. This impacts the function update/updateOne/updateMany of the component Update API. Executing a manipulation of the argument Set can lead to improperly controlled modification of …
- CVE-2026-15699MEDIUMCVSS 6.3EG 6.32026-07-14
A vulnerability was identified in spencermountain compromise up to 14.15.1. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the argument plugin leads to improperly con…
- CVE-2026-15702MEDIUMCVSS 6.3EG 6.32026-07-14
A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes…
- CVE-2026-15715MEDIUMCVSS 4.3EG 4.32026-07-14
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. …
- CVE-2026-1598LOWCVSS 3.5EG 3.52026-01-29
A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of t…
- CVE-2026-1606MEDIUMCVSS 4.3EG 4.32026-06-25
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a S…
- CVE-2026-1615CRITICALCVSS 9.8EG 9.82026-02-09
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not de…
- CVE-2026-1700LOWCVSS 3.5EG 3.52026-01-30
A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible …
- CVE-2026-1705LOWCVSS 2.4EG 2.42026-01-30
A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scriptin…
- CVE-2026-1744LOWCVSS 2.4EG 2.42026-02-02
A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be …
- CVE-2026-1829HIGHCVSS 8.8EG 8.82026-06-02
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible…
- CVE-2026-1929HIGHCVSS 8.8EG 8.82026-02-25
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_sel…
- CVE-2026-1971LOWCVSS 2.4EG 2.42026-02-06
A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be lau…
- CVE-2026-1977MEDIUMCVSS 6.3EG 6.32026-02-06
A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the …
- CVE-2026-20045HIGHCVSS 8.2EG 9.0⚠ KEV2026-01-21
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), C…
- CVE-2026-2008MEDIUMCVSS 6.3EG 6.32026-02-06
A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument eq…
- CVE-2026-2052HIGHCVSS 8.8EG 8.82026-05-02
The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is du…
- CVE-2026-2064LOWCVSS 3.5EG 3.52026-02-06
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads …
- CVE-2026-20892HIGHCVSS 7.2EG 7.22026-03-11
Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands.
- CVE-2026-21256HIGHCVSS 8.8EG 8.82026-02-10
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
- CVE-2026-2145LOWCVSS 3.5EG 3.52026-02-08
A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to …
- CVE-2026-2149MEDIUMCVSS 4.3EG 4.32026-02-08
A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument pati…
- CVE-2026-2150MEDIUMCVSS 4.3EG 4.32026-02-08
A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cro…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →