CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 122 of 131
- CVE-2026-33608HIGHCVSS 7.4EG 7.42026-04-22
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next resta…
- CVE-2026-33646CRITICALCVSS 9.6EG 9.62026-06-22
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execut…
- CVE-2026-33937CRITICALCVSS 9.8EG 9.82026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral`…
- CVE-2026-33938HIGHCVSS 8.1EG 8.12026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a templat…
- CVE-2026-33940HIGHCVSS 8.1EG 8.12026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartia…
- CVE-2026-33941HIGHCVSS 8.2EG 8.22026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file…
- CVE-2026-33943CRITICALCVSS 9.8EG 8.82026-03-27
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Exec…
- CVE-2026-3395HIGHCVSS 7.3EG 7.32026-03-01
A flaw has been found in MaxSite CMS up to 109.1. This impacts the function eval of the file application/maxsite/admin/plugins/editor_markitup/preview-ajax.php of the component MarkItUp Preview AJAX Endpoint. Executing a manipulation can l…
- CVE-2026-34060CRITICALCVSS 9.8EG 9.82026-03-31
Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generat…
- CVE-2026-34197HIGHCVSS 8.8EG 9.0⚠ KEV2026-04-07
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console…
- CVE-2026-34724HIGHCVSS 7.2EG 7.22026-04-08
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or …
- CVE-2026-34725HIGHCVSS 8.2EG 8.22026-04-02
DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI th…
- CVE-2026-3476HIGHCVSS 7.8EG 7.82026-03-16
A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file.
- CVE-2026-34916HIGHCVSS 8.8EG 8.82026-06-23
A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on th…
- CVE-2026-34965HIGHCVSS 8.8EG 8.82026-04-29
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into coll…
- CVE-2026-35056HIGHCVSS 7.2EG 8.82026-04-01
XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server.
- CVE-2026-35086MEDIUMCVSS 6.5EG 6.52026-05-19
Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.
- CVE-2026-35093HIGHCVSS 8.8EG 8.82026-04-01
A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with…
- CVE-2026-35171CRITICALCVSS 9.8EG 9.82026-04-06
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration s…
- CVE-2026-35178CRITICALCVSS 9.8EG 9.82026-04-06
Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, …
- CVE-2026-35194HIGHCVSS 8.1EG 8.12026-05-15
Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. Th…
- CVE-2026-35197MEDIUMCVSS 6.6EG 6.62026-04-06
dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exp…
- CVE-2026-35211MEDIUMCVSS 6.5EG 6.52026-07-08
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260401.0, the OpenCTI GraphQL API exposes a script filter operator in its FilterOperator enum that allows any authenticated use…
- CVE-2026-35255MEDIUMCVSS 6.6EG 6.62026-05-06
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to co…
- CVE-2026-3584CRITICALCVSS 9.8EG 9.82026-03-20
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly int…
- CVE-2026-36340HIGHCVSS 8.1EG 8.12026-04-30
An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function
- CVE-2026-36365HIGHCVSS 7.8EG 7.82026-05-04
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp
- CVE-2026-36418CRITICALCVSS 9.1EG 9.12026-06-17
JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine witho…
- CVE-2026-36458CRITICALCVSS 9.8EG 9.82026-05-07
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
- CVE-2026-37630HIGHCVSS 7.3EG 7.32026-05-11
An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function
- CVE-2026-37637CRITICALCVSS 9.1EG 9.12026-06-29
An issue in Alexantr filemanager v.1.0 allows a remote attacker to execute arbitrary code via the filemanager.php component
- CVE-2026-37711HIGHCVSS 7.3EG 7.32026-05-27
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
- CVE-2026-37712HIGHCVSS 7.3EG 7.32026-05-27
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type
- CVE-2026-37713HIGHCVSS 7.3EG 7.32026-05-27
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
- CVE-2026-38431CRITICALCVSS 9.8EG 9.82026-05-05
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendere…
- CVE-2026-38450CRITICALCVSS 9.8EG 0.02026-07-14
An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function
- CVE-2026-38992CRITICALCVSS 9.8EG 9.82026-04-29
Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func…
- CVE-2026-39052MEDIUMCVSS 6.5EG 6.52026-05-15
Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying …
- CVE-2026-39087MEDIUMCVSS 6.4EG 9.82026-04-23
ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.
- CVE-2026-39311MEDIUMCVSS 6.8EG 6.82026-05-20
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled…
- CVE-2026-39337CRITICALCVSS 10.0EG 10.02026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the init…
- CVE-2026-39421MEDIUMCVSS 6.3EG 6.32026-04-14
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacke…
- CVE-2026-39440CRITICALCVSS 9.9EG 9.92026-04-23
Improper Control of Generation of Code ('Code Injection') vulnerability in Funnelforms LLC FunnelFormsPro allows Remote Code Inclusion.This issue affects FunnelFormsPro: from n/a through 3.8.1.
- CVE-2026-39465CRITICALCVSS 9.1EG 9.12026-06-15
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
- CVE-2026-3960CRITICALCVSS 9.8EG 9.82026-04-23
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklis…
- CVE-2026-39842CRITICALCVSS 9.9EG 9.92026-04-15
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes …
- CVE-2026-39846CRITICALCVSS 9.0EG 9.02026-04-07
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored witho…
- CVE-2026-39881MEDIUMCVSS 5.0EG 5.02026-04-08
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized …
- CVE-2026-39891HIGHCVSS 8.8EG 8.82026-04-08
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed dire…
- CVE-2026-39918CRITICALCVSS 9.8EG 9.82026-04-20
Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject ar…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →