CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,474 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 57 of 130
- CVE-2022-0578MEDIUMCVSS 6.5EG 6.52022-05-16
Code Injection in GitHub repository publify/publify prior to 9.2.8.
- CVE-2022-0661HIGHCVSS 7.2EG 7.22022-04-18
The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disall…
- CVE-2022-0687HIGHCVSS 8.8EG 8.82022-03-21
The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users …
- CVE-2022-0811HIGHCVSS 8.8EG 8.82022-03-16
A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as ro…
- CVE-2022-0819HIGHCVSS 8.8EG 8.82022-03-02
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
- CVE-2022-0845CRITICALCVSS 9.8EG 9.82022-03-05
Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
- CVE-2022-0863HIGHCVSS 7.2EG 7.22022-06-13
The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php code, leading to remote code execution.
- CVE-2022-0885CRITICALCVSS 9.8EG 9.82022-06-13
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
- CVE-2022-0896HIGHCVSS 8.8EG 8.82022-03-09
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
- CVE-2022-0921MEDIUMCVSS 6.7EG 6.72022-03-11
Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.
- CVE-2022-0944HIGHCVSS 7.2EG 7.22022-03-15
Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
- CVE-2022-1159HIGHCVSS 7.7EG 7.22022-04-01
Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.
- CVE-2022-1517CRITICALCVSS 10.0EG 9.82022-06-24
LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on …
- CVE-2022-1575CRITICALCVSS 9.6EG 9.62022-05-05
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.
- CVE-2022-1609CRITICALCVSS 9.8EG 9.82024-01-16
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.
- CVE-2022-2014MEDIUMCVSS 5.4EG 5.42022-06-09
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.
- CVE-2022-2054HIGHCVSS 8.4EG 8.42022-06-12
Code Injection in GitHub repository nuitka/nuitka prior to 0.9.
- CVE-2022-20686MEDIUMCVSS 5.3EG 5.32022-12-12
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) functionality of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device an…
- CVE-2022-2073HIGHCVSS 7.2EG 7.22022-06-29
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.
- CVE-2022-21122CRITICALCVSS 9.0EG 9.02022-06-08
The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Execution when it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to get access to JavaScript's Function constr…
- CVE-2022-21167HIGHCVSS 7.5EG 7.52022-05-01
All versions of package masuit.tools.core are vulnerable to Arbitrary Code Execution via the ReceiveVarData<T> function in the SocketClient.cs component. The socket client in the package can pass in the payload via the user-controllable in…
- CVE-2022-21686CRITICALCVSS 9.0EG 9.02022-01-26
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1…
- CVE-2022-21797HIGHCVSS 7.3EG 7.32022-09-26
The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.
- CVE-2022-21831CRITICALCVSS 9.8EG 9.82022-05-26
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
- CVE-2022-21837HIGHCVSS 8.3EG 8.82022-01-11
Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2022-21842HIGHCVSS 7.8EG 7.82022-01-11
Microsoft Word Remote Code Execution Vulnerability
- CVE-2022-21846CRITICALCVSS 9.0EG 9.02022-01-11
Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-21874HIGHCVSS 7.8EG 9.82022-01-11
Windows Security Center API Remote Code Execution Vulnerability
- CVE-2022-21878HIGHCVSS 7.8EG 7.82022-01-11
Windows Geolocation Service Remote Code Execution Vulnerability
- CVE-2022-21917HIGHCVSS 7.8EG 7.82022-01-11
HEVC Video Extensions Remote Code Execution Vulnerability
- CVE-2022-21928MEDIUMCVSS 6.3EG 6.42022-01-11
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
- CVE-2022-22027HIGHCVSS 7.8EG 7.82022-07-12
Windows Fax Service Remote Code Execution Vulnerability
- CVE-2022-22029HIGHCVSS 8.1EG 8.12022-07-12
Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-22038HIGHCVSS 8.1EG 8.12022-07-12
Remote Procedure Call Runtime Remote Code Execution Vulnerability
- CVE-2022-22039HIGHCVSS 7.5EG 7.52022-07-12
Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-22270MEDIUMCVSS 4.4EG 4.42022-01-10
An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan-2022 Release 1 allows unprivileged applications to access contact information.
- CVE-2022-22285MEDIUMCVSS 4.4EG 4.42022-01-10
A vulnerability using PendingIntent in Reminder prior to version 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0) allows attackers to execute privileged action by hijacking and modifying the intent.
- CVE-2022-22286MEDIUMCVSS 4.4EG 4.42022-01-10
A vulnerability using PendingIntent in Bixby Routines prior to version 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0) allows attackers to execute privileged action by hijacking and modifying the intent.
- CVE-2022-2268HIGHCVSS 7.2EG 7.22022-07-04
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary fi…
- CVE-2022-22756HIGHCVSS 8.8EG 8.82022-12-22
If a user was convinced to drag and drop an image to their desktop or other folder, the resulting object could have been changed into an executable script which would have run arbitrary code after the user clicked on it. This vulnerability…
- CVE-2022-22909HIGHCVSS 8.8EG 8.82022-03-03
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.
- CVE-2022-22947CRITICALCVSS 10.0EG 10.0⚠ KEV2022-03-03
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted r…
- CVE-2022-22954CRITICALCVSS 9.8EG 9.8⚠ KEV2022-04-11
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in rem…
- CVE-2022-22963CRITICALCVSS 9.8EG 9.8⚠ KEV2022-04-01
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution …
- CVE-2022-22965CRITICALCVSS 9.8EG 9.8⚠ KEV2022-04-01
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deplo…
- CVE-2022-22985HIGHCVSS 8.8EG 8.82022-03-10
The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be interpreted when a legitimate user accesses the specific web section where the informa…
- CVE-2022-23008MEDIUMCVSS 5.4EG 5.42022-01-25
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed …
- CVE-2022-23088CRITICALCVSS 9.8EG 9.82024-02-15
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beac…
- CVE-2022-23120HIGHCVSS 7.8EG 7.82022-01-20
A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: a…
- CVE-2022-23332HIGHCVSS 8.8EG 8.82022-05-09
Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →