CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 120 of 131
- CVE-2026-24887HIGHCVSS 8.8EG 8.82026-02-03
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably…
- CVE-2026-24897CRITICALCVSS 10.0EG 10.02026-01-28
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when cr…
- CVE-2026-24937HIGHCVSS 7.2EG 7.22026-05-25
Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3.
- CVE-2026-25001HIGHCVSS 8.5EG 8.52026-03-25
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion.This issue affects Post Snippets: from n/a through <= 4.0.12.
- CVE-2026-25077HIGHCVSS 8.8EG 6.32026-05-08
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templat…
- CVE-2026-25125MEDIUMCVSS 4.9EG 4.92026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${…
- CVE-2026-25141CRITICALCVSS 9.8EG 9.82026-01-30
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape functi…
- CVE-2026-25142CRITICALCVSS 10.0EG 10.02026-02-02
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerabil…
- CVE-2026-25153HIGHCVSS 8.8EG 7.72026-01-30
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechD…
- CVE-2026-25227CRITICALCVSS 9.1EG 9.12026-02-12
authentik is an open-source identity provider. From 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4, when using delegated permissions, a User that has the permission Can view * Property Mapping or Can view Expression Policy is able t…
- CVE-2026-25366CRITICALCVSS 9.9EG 9.92026-03-25
Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
- CVE-2026-25447CRITICALCVSS 9.1EG 9.12026-03-25
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through <= 2.3.9.
- CVE-2026-2545LOWCVSS 3.5EG 3.52026-02-16
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. This manipulation of the argument Profile causes cross site scripting. The attack may be initi…
- CVE-2026-2546LOWCVSS 3.5EG 3.52026-02-16
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument SortBy leads to cross site scripting. The attack may be launc…
- CVE-2026-2547LOWCVSS 3.5EG 3.52026-02-16
A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. Performing a manipulation of the argument Subaction results in cross site scripting. Remote exploitat…
- CVE-2026-25470CRITICALCVSS 10.0EG 10.02026-06-17
Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from…
- CVE-2026-25481CRITICALCVSS 9.6EG 9.62026-02-04
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF …
- CVE-2026-25510CRITICALCVSS 9.9EG 9.92026-02-03
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote …
- CVE-2026-2557LOWCVSS 3.5EG 3.52026-02-16
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. The manipulation results in cross site scripting. The atta…
- CVE-2026-25587CRITICALCVSS 10.0EG 10.02026-02-06
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it's prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.2…
- CVE-2026-25636HIGHCVSS 8.2EG 8.22026-02-06
calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre's EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre re…
- CVE-2026-25755HIGHCVSS 8.8EG 8.82026-02-19
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the Ja…
- CVE-2026-25776CRITICALCVSS 9.8EG 9.82026-04-08
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
- CVE-2026-25807HIGHCVSS 8.8EG 8.82026-02-09
ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any…
- CVE-2026-25817HIGHCVSS 8.8EG 8.82026-03-13
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution…
- CVE-2026-2582MEDIUMCVSS 6.5EG 6.52026-04-14
The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an ac…
- CVE-2026-25856HIGHCVSS 8.8EG 8.82026-06-08
OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leve…
- CVE-2026-2586CRITICALCVSS 9.1EG 9.12026-05-19
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with…
- CVE-2026-25879CRITICALCVSS 9.8EG 9.82026-05-27
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that ha…
- CVE-2026-26026CRITICALCVSS 9.1EG 9.12026-04-06
GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.
- CVE-2026-26056HIGHCVSS 8.8EG 8.82026-02-12
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitr…
- CVE-2026-26216CRITICALCVSS 10.0EG 10.02026-02-12
Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was inc…
- CVE-2026-26332CRITICALCVSS 10.0EG 9.82026-05-04
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
- CVE-2026-26379MEDIUMCVSS 6.5EG 6.52026-06-03
Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzi…
- CVE-2026-26830CRITICALCVSS 9.8EG 9.82026-03-25
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths i…
- CVE-2026-2701CRITICALCVSS 9.1EG 9.12026-04-02
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
- CVE-2026-27044CRITICALCVSS 9.9EG 9.92026-03-25
Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion.This issue affects Total Poll Lite: from n/a through <= 4.12.0.
- CVE-2026-27174CRITICALCVSS 9.8EG 9.82026-02-18
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect() call that lacks an…
- CVE-2026-27436CRITICALCVSS 9.1EG 9.12026-07-02
Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions.
- CVE-2026-27674MEDIUMCVSS 6.1EG 6.12026-04-14
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled …
- CVE-2026-27675LOWCVSS 2.0EG 2.02026-04-14
SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modifi…
- CVE-2026-27760HIGHCVSS 8.1EG 8.12026-04-28
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action pa…
- CVE-2026-27830HIGHCVSS 8.0EG 8.92026-02-26
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOv…
- CVE-2026-27876CRITICALCVSS 9.1EG 9.12026-03-27
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future a…
- CVE-2026-27984CRITICALCVSS 9.0EG 9.02026-03-05
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection.This issue affects Widget Options: from n/a through <= 4.1.3.
- CVE-2026-28134HIGHCVSS 8.5EG 8.52026-03-05
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion.This issue affects JetEngine: from n/a through <= 3.7.2.
- CVE-2026-2830MEDIUMCVSS 6.1EG 6.12026-03-06
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insuffici…
- CVE-2026-28797HIGHCVSS 8.8EG 8.82026-04-03
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message com…
- CVE-2026-29014CRITICALCVSS 9.8EG 9.82026-04-01
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficie…
- CVE-2026-29091HIGHCVSS 8.1EG 8.12026-03-06
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array fu…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →