CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,478 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 61 of 130
- CVE-2022-40486HIGHCVSS 8.8EG 8.82022-09-28
TP Link Archer AX10 V1 Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553) was discovered to allow authenticated attackers to execute arbitrary code via a crafted backup file.
- CVE-2022-40497HIGHCVSS 8.8EG 8.82022-09-28
Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Response endpoint.
- CVE-2022-4060CRITICALCVSS 9.8EG 9.82023-01-16
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.
- CVE-2022-40628CRITICALCVSS 9.8EG 9.82022-09-23
This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper control of code generation in the Tacitine Firewall web-based management …
- CVE-2022-40871CRITICALCVSS 9.8EG 9.82022-10-12
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it b…
- CVE-2022-41061HIGHCVSS 7.8EG 7.82022-11-09
Microsoft Word Remote Code Execution Vulnerability
- CVE-2022-41138CRITICALCVSS 9.8EG 9.82022-09-20
In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution.
- CVE-2022-41158HIGHCVSS 7.2EG 9.82022-11-25
Remote code execution vulnerability can be achieved by using cookie values as paths to a file by this builder program. A remote attacker could exploit the vulnerability to execute or inject malicious code.
- CVE-2022-41205MEDIUMCVSS 5.5EG 6.12022-11-08
SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of…
- CVE-2022-41223MEDIUMCVSS 6.8EG 9.0⚠ KEV2022-11-22
The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.
- CVE-2022-41264HIGHCVSS 8.8EG 8.82022-12-13
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of …
- CVE-2022-41534HIGHCVSS 7.2EG 7.22022-10-13
Online Diagnostic Lab Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /php_action/createOrder.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP fi…
- CVE-2022-41544CRITICALCVSS 9.8EG 9.82022-10-18
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
- CVE-2022-41576HIGHCVSS 7.8EG 7.82022-10-14
The rphone module has a script that can be maliciously modified.Successful exploitation of this vulnerability may cause irreversible programs to be implanted on user devices.
- CVE-2022-41763HIGHCVSS 8.8EG 8.82023-09-05
An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command exe…
- CVE-2022-41882MEDIUMCVSS 6.6EG 6.62022-11-11
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc:…
- CVE-2022-41945MEDIUMCVSS 6.5EG 6.52022-11-21
super-xray is a vulnerability scanner (xray) GUI launcher. In version 0.1-beta, the URL is not filtered and directly spliced into the command, resulting in a possible RCE vulnerability. Users should upgrade to super-xray 0.2-beta.
- CVE-2022-42045MEDIUMCVSS 6.7EG 6.72023-07-13
Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.
- CVE-2022-4223HIGHCVSS 8.8EG 9.02022-12-13
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pg_dump and pg_restore. The utility is executed by the server to determine what PostgreSQL ver…
- CVE-2022-42268HIGHCVSS 7.8EG 7.82023-01-13
Omniverse Kit contains a vulnerability in the reference applications Create, Audio2Face, Isaac Sim, View, Code, and Machinima. These applications allow executable Python code to be embedded in Universal Scene Description (USD) files to cu…
- CVE-2022-42541CRITICALCVSS 9.8EG 9.82023-11-29
Remote code execution
- CVE-2022-42699CRITICALCVSS 9.1EG 8.82022-12-06
Auth. Remote Code Execution vulnerability in Easy WP SMTP plugin <= 1.5.1 on WordPress.
- CVE-2022-42889CRITICALCVSS 9.8EG 9.82022-10-13
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.common…
- CVE-2022-42902HIGHCVSS 8.8EG 8.82022-10-13
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute use…
- CVE-2022-4300MEDIUMCVSS 6.3EG 8.82022-12-06
A vulnerability was found in FastCMS. It has been rated as critical. This issue affects some unknown processing of the file /template/edit of the component Template Handler. The manipulation leads to injection. The attack may be initiated …
- CVE-2022-43279HIGHCVSS 7.2EG 7.22022-11-15
LimeSurvey before v5.0.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php.
- CVE-2022-43333CRITICALCVSS 9.8EG 9.82022-12-01
Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.
- CVE-2022-43416HIGHCVSS 8.8EG 8.82022-10-19
Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments, allowing attackers able to control agent processes to in…
- CVE-2022-43486MEDIUMCVSS 6.8EG 6.82022-12-19
Hidden functionality vulnerability in Buffalo network devices allows a network-adjacent attacker with an administrative privilege to enable the debug functionalities and execute an arbitrary command on the affected devices.
- CVE-2022-43541HIGHCVSS 7.2EG 7.22022-12-12
Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as roo…
- CVE-2022-43542HIGHCVSS 7.2EG 8.82022-12-12
Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as roo…
- CVE-2022-43571HIGHCVSS 8.8EG 8.82022-11-03
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.
- CVE-2022-43572HIGHCVSS 7.5EG 6.52022-11-04
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, sending a malformed file through the Splunk-to-Splunk (S2S) or HTTP Event Collector (HEC) protocols to an indexer results in a blockage or denial-of-service preventing further i…
- CVE-2022-43660HIGHCVSS 7.2EG 7.22022-12-07
Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS c…
- CVE-2022-43769HIGHCVSS 8.8EG 9.0⚠ KEV2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
- CVE-2022-43938HIGHCVSS 8.8EG 8.82023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
- CVE-2022-44038CRITICALCVSS 9.8EG 9.82022-11-29
Russound XSourcePlayer 777D v06.08.03 was discovered to contain a remote code execution vulnerability via the scriptRunner.cgi component.
- CVE-2022-44087CRITICALCVSS 9.8EG 9.82022-11-10
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component UPFILE_PIC_ZOOM_HIGHT.
- CVE-2022-44088CRITICALCVSS 9.8EG 9.82022-11-10
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component INPUT_ISDESCRIPTION.
- CVE-2022-44089CRITICALCVSS 9.8EG 9.82022-11-10
ESPCMS P8.21120101 was discovered to contain a remote code execution (RCE) vulnerability in the component IS_GETCACHE.
- CVE-2022-44262CRITICALCVSS 9.8EG 9.82022-12-01
ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).
- CVE-2022-44533HIGHCVSS 7.2EG 7.22022-12-12
A vulnerability in the Aruba EdgeConnect Enterprise web management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as …
- CVE-2022-4455LOWCVSS 3.5EG 6.12022-12-13
A vulnerability was identified in sproctor php-calendar up to 2.0.13. This impacts an unknown function of the file index.php. Such manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be launched …
- CVE-2022-44702HIGHCVSS 7.8EG 7.82022-12-13
Windows Terminal Remote Code Execution Vulnerability
- CVE-2022-44794HIGHCVSS 8.8EG 8.82022-11-07
An issue was discovered in Object First Ootbi BETA build 1.0.7.712. Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command that sets the hostname doesn't validate inpu…
- CVE-2022-45132CRITICALCVSS 9.8EG 9.82022-11-18
In Linaro Automated Validation Architecture (LAVA) before 2022.11.1, remote code execution can be achieved through user-submitted Jinja2 template. The REST API endpoint for validating device configuration files in lava-server loads input a…
- CVE-2022-45177HIGHCVSS 7.5EG 7.52024-02-21
An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and…
- CVE-2022-45550CRITICALCVSS 9.8EG 9.82022-12-07
AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE).
- CVE-2022-45553CRITICALCVSS 9.8EG 9.82023-03-03
An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Router v 21.06.18 allows attacker to execute arbitrary commands via serial connection to the UART port.
- CVE-2022-45699CRITICALCVSS 9.8EG 9.82023-02-10
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →