CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 124 of 131
- CVE-2026-4239LOWCVSS 3.5EG 3.52026-03-16
A vulnerability was found in Lagom WHMCS Template up to 2.3.7. Impacted is an unknown function of the component Datatables. The manipulation results in improperly controlled modification of object prototype attributes. It is possible to la…
- CVE-2026-42396MEDIUMCVSS 4.9EG 4.92026-05-21
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
- CVE-2026-42555CRITICALCVSS 9.1EG 9.12026-05-14
Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.2…
- CVE-2026-4257CRITICALCVSS 9.8EG 9.82026-03-30
The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_L…
- CVE-2026-42588HIGHCVSS 8.1EG 8.12026-06-01
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/joloki…
- CVE-2026-42603HIGHCVSS 8.8EG 8.82026-05-11
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out…
- CVE-2026-42607CRITICALCVSS 9.1EG 9.12026-05-11
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the "Direct Install" tool. While the s…
- CVE-2026-4276HIGHCVSS 7.5EG 7.52026-03-16
LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
- CVE-2026-42785HIGHCVSS 7.2EG 7.22026-05-26
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an act…
- CVE-2026-42851HIGHCVSS 7.8EG 7.82026-06-12
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue…
- CVE-2026-42879MEDIUMCVSS 6.3EG 6.32026-05-27
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid creden…
- CVE-2026-42890MEDIUMCVSS 4.8EG 4.82026-06-08
Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control co…
- CVE-2026-42898CRITICALCVSS 9.9EG 9.92026-05-12
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
- CVE-2026-42994CRITICALCVSS 9.8EG 9.82026-05-01
Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, when obtained from npm, had embedded malicious code. This is related to a Checkmarx supply chain incident.
- CVE-2026-43680HIGHCVSS 7.2EG 7.22026-05-12
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying ho…
- CVE-2026-43874HIGHCVSS 7.2EG 7.22026-05-11
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], bu…
- CVE-2026-43892HIGHCVSS 8.8EG 8.82026-05-12
AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.
- CVE-2026-43898CRITICALCVSS 10.0EG 10.02026-05-28
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker…
- CVE-2026-43921HIGHCVSS 8.9EG 8.92026-07-06
FOSSBilling is a free, open-source billing and client management system. Versions 0.6.10 through 0.7.2 have a PHP code injection vulnerability in FOSSBilling's `Config::prettyPrintArrayToPHP()` method. When configuration values are updated…
- CVE-2026-43944CRITICALCVSS 9.6EG 9.62026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Expl…
- CVE-2026-43997CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to o…
- CVE-2026-44005CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and …
- CVE-2026-44006CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.
- CVE-2026-44016HIGHCVSS 8.2EG 8.22026-06-03
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. FIn versions >= 2.82.0, < 2.91.0, if the HTML backend was explicitly configured for rendering (rendering option …
- CVE-2026-44244HIGHCVSS 7.8EG 7.82026-05-07
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded n…
- CVE-2026-44262CRITICALCVSS 9.4EG 9.42026-05-12
Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated duri…
- CVE-2026-44287MEDIUMCVSS 6.3EG 6.32026-05-29
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a b…
- CVE-2026-44291HIGHCVSS 8.1EG 8.12026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Ob…
- CVE-2026-44293HIGHCVSS 7.1EG 8.82026-05-13
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field defa…
- CVE-2026-44295HIGHCVSS 8.7EG 8.72026-05-13
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafte…
- CVE-2026-44334HIGHCVSS 8.4EG 8.42026-05-08
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import si…
- CVE-2026-44336CRITICALCVSS 9.6EG 9.62026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praison…
- CVE-2026-44346HIGHCVSS 8.8EG 8.82026-05-27
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in …
- CVE-2026-44377CRITICALCVSS 9.1EG 9.12026-05-13
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely eva…
- CVE-2026-44403HIGHCVSS 7.2EG 7.22026-05-12
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory fi…
- CVE-2026-44482CRITICALCVSS 9.6EG 9.62026-05-14
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCl…
- CVE-2026-44495HIGHCVSS 7.0EG 7.02026-05-29
Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has…
- CVE-2026-44513HIGHCVSS 8.8EG 8.82026-05-14
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitt…
- CVE-2026-44586HIGHCVSS 8.3EG 8.32026-05-14
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this b…
- CVE-2026-44632CRITICALCVSS 9.1EG 9.12026-05-27
Yamcs is a mission control framework. Prior to 5.12.7, a server-side code injection vulnerability existed in the Yamcs algorithm evaluation engine org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory, which dynamically compiled and evalu…
- CVE-2026-44670CRITICALCVSS 9.4EG 9.42026-05-14
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName)…
- CVE-2026-44672CRITICALCVSS 9.3EG 9.32026-05-28
mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. T…
- CVE-2026-44698HIGHCVSS 8.3EG 8.32026-05-29
Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in…
- CVE-2026-44717CRITICALCVSS 9.8EG 9.82026-05-15
MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. Th…
- CVE-2026-44728HIGHCVSS 8.2EG 8.22026-05-26
Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arb…
- CVE-2026-44827HIGHCVSS 8.8EG 8.82026-05-14
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolv…
- CVE-2026-44887CRITICALCVSS 9.8EG 9.82026-05-27
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads th…
- CVE-2026-44888CRITICALCVSS 9.8EG 9.82026-05-27
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. S…
- CVE-2026-44959HIGHCVSS 8.8EG 8.82026-06-23
A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations…
- CVE-2026-45058CRITICALCVSS 9.4EG 9.42026-05-28
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookm…
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →