CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,471 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 55 of 130
- CVE-2021-39128HIGHCVSS 7.2EG 7.22021-09-16
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in t…
- CVE-2021-39144HIGHCVSS 8.5EG 9.0⚠ KEV2021-08-23
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stre…
- CVE-2021-39159CRITICALCVSS 9.6EG 9.62021-08-25
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, w…
- CVE-2021-39160CRITICALCVSS 9.6EG 9.62021-08-25
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolv…
- CVE-2021-39383CRITICALCVSS 9.8EG 9.82022-03-20
DWSurvey v3.2.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /sysuser/SysPropertyAction.java.
- CVE-2021-39402HIGHCVSS 7.2EG 7.22021-09-20
MaianAffiliate v.1.0 is suffers from code injection by adding a new product via the admin panel. The injected payload is reflected on the affiliate main page for all authenticated and unauthenticated visitors.
- CVE-2021-39426CRITICALCVSS 9.8EG 9.82022-12-15
An issue was discovered in /Upload/admin/admin_notify.php in Seacms 11.4 allows attackers to execute arbitrary php code via the notify1 parameter when the action parameter equals set.
- CVE-2021-39503HIGHCVSS 7.2EG 7.22021-09-07
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file.
- CVE-2021-39908MEDIUMCVSS 6.5EG 7.52022-04-01
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into proj…
- CVE-2021-39979CRITICALCVSS 9.8EG 9.82022-01-03
HHEE system has a Code Injection vulnerability.Successful exploitation of this vulnerability may affect HHEE system integrity.
- CVE-2021-40084CRITICALCVSS 9.8EG 9.82021-08-25
opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specificat…
- CVE-2021-40219HIGHCVSS 8.8EG 8.82022-04-11
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit theme to inject server-side template injection that leads to remote code execution.
- CVE-2021-40323CRITICALCVSS 9.8EG 9.82021-10-04
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
- CVE-2021-40348HIGHCVSS 8.8EG 8.82021-11-01
Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tom…
- CVE-2021-40373CRITICALCVSS 9.8EG 9.82021-09-10
playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.
- CVE-2021-40485HIGHCVSS 7.8EG 7.82021-10-13
Microsoft Excel Remote Code Execution Vulnerability
- CVE-2021-40487HIGHCVSS 8.1EG 8.12021-10-13
Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2021-40499CRITICALCVSS 9.8EG 9.82021-10-12
Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker cou…
- CVE-2021-40553HIGHCVSS 8.8EG 8.82022-06-28
piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.
- CVE-2021-40889CRITICALCVSS 9.8EG 9.82021-10-11
CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully changed their …
- CVE-2021-41228HIGHCVSS 7.5EG 7.52021-11-05
TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitr…
- CVE-2021-41269CRITICALCVSS 10.0EG 10.02021-11-15
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java …
- CVE-2021-41282HIGHCVSS 8.8EG 9.02022-03-01
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parse…
- CVE-2021-41365HIGHCVSS 8.8EG 8.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-41402HIGHCVSS 8.8EG 8.82022-06-16
flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.
- CVE-2021-41527LOWCVSS 2.3EG 2.32025-02-07
An error related to the 2-factor authorization (2FA) on the RISC Platform prior to the saas-2021-12-29 release can potentially be exploited to bypass the 2FA. The vulnerability requires that the 2FA setup hasn’t been completed.
- CVE-2021-41619HIGHCVSS 7.2EG 7.22021-10-27
An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying…
- CVE-2021-41653CRITICALCVSS 9.8EG 9.82021-11-13
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
- CVE-2021-41749CRITICALCVSS 9.8EG 9.82022-06-12
In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.
- CVE-2021-42057HIGHCVSS 7.8EG 7.82021-11-04
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provid…
- CVE-2021-42139CRITICALCVSS 9.8EG 9.82021-10-11
Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations.
- CVE-2021-42294HIGHCVSS 7.2EG 7.22021-12-15
Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2021-42296HIGHCVSS 7.8EG 7.82021-11-10
Microsoft Word Remote Code Execution Vulnerability
- CVE-2021-42298HIGHCVSS 7.8EG 7.82021-11-10
Microsoft Defender Remote Code Execution Vulnerability
- CVE-2021-42309HIGHCVSS 8.8EG 8.82021-12-15
Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2021-42310HIGHCVSS 8.1EG 9.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42311CRITICALCVSS 10.0EG 9.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42314HIGHCVSS 8.8EG 8.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42315HIGHCVSS 8.8EG 8.82021-12-15
Microsoft Defender for IoT Remote Code Execution Vulnerability
- CVE-2021-42574HIGHCVSS 8.3EG 8.32021-11-01
An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic tha…
- CVE-2021-42651HIGHCVSS 8.8EG 8.82022-05-11
A Server Side Template Injection (SSTI) vulnerability in Pentest-Collaboration-Framework v1.0.8 allows an authenticated remote attacker to execute arbitrary code through /project/PROJECTNAME/reports/.
- CVE-2021-42694HIGHCVSS 8.3EG 8.32021-11-01
An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical…
- CVE-2021-42754LOWCVSS 3.2EG 3.22021-11-02
An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user permission via the malicious …
- CVE-2021-43097HIGHCVSS 7.2EG 7.22022-03-28
A Server-side Template Injection (SSTI) vulnerability exists in bbs 5.3 in TemplateManageAction.javawhich could let a malicoius user execute arbitrary code.
- CVE-2021-4315MEDIUMCVSS 5.5EG 5.52023-01-28
A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of s…
- CVE-2021-43208HIGHCVSS 7.8EG 7.82021-11-10
3D Viewer Remote Code Execution Vulnerability
- CVE-2021-43214HIGHCVSS 7.8EG 9.82021-12-15
Web Media Extensions Remote Code Execution Vulnerability
- CVE-2021-43215CRITICALCVSS 9.8EG 9.82021-12-15
iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
- CVE-2021-43217HIGHCVSS 8.1EG 9.82021-12-15
Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
- CVE-2021-43221MEDIUMCVSS 4.2EG 4.22021-11-24
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →