CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,484 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 69 of 130
- CVE-2023-43625CRITICALCVSS 9.8EG 9.82023-10-10
A vulnerability has been identified in Simcenter Amesim (All versions < V2021.1). The affected application contains a SOAP endpoint that could allow an unauthenticated remote attacker to perform DLL injection and execute arbitrary code in …
- CVE-2023-43651CRITICALCVSS 9.9EG 8.52023-09-27
JumpServer is an open source bastion host. An authenticated user can exploit a vulnerability in MongoDB sessions to execute arbitrary commands, leading to remote code execution. This vulnerability may further be leveraged to gain root priv…
- CVE-2023-43661HIGHCVSS 8.8EG 8.82023-10-11
Cachet, the open-source status page system. Prior to the 2.4 branch, a template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Commit 6fb04…
- CVE-2023-43792CRITICALCVSS 9.8EG 5.32023-10-30
baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available.
- CVE-2023-43955CRITICALCVSS 9.8EG 9.82023-12-27
The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript th…
- CVE-2023-43958CRITICALCVSS 9.8EG 9.82025-04-22
An arbitrary file upload vulnerability in the component /jquery-file-upload/server/php/index.php of Hospital Management System v4.0 allows an unauthenticated attacker to upload any file to the server and execute arbitrary code.
- CVE-2023-44011CRITICALCVSS 9.8EG 9.82023-10-02
An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component.
- CVE-2023-44141HIGHCVSS 7.8EG 7.82023-10-30
Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file.
- CVE-2023-44381MEDIUMCVSS 4.9EG 4.92023-12-01
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not…
- CVE-2023-44382CRITICALCVSS 9.1EG 9.12023-12-01
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not…
- CVE-2023-44392CRITICALCVSS 9.0EG 8.22023-10-09
Garden provides automation for Kubernetes development and testing. Prior tov ersions 0.13.17 and 0.12.65, Garden has a dependency on the cryo library, which is vulnerable to code injection due to an insecure implementation of deserializati…
- CVE-2023-44846HIGHCVSS 8.8EG 8.82023-10-10
An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component.
- CVE-2023-44847HIGHCVSS 7.2EG 7.22023-10-10
An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ Weixin.php component.
- CVE-2023-44853MEDIUMCVSS 4.8EG 4.82024-04-12
\An issue was discovered in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_219C4 function in the acu_web file.
- CVE-2023-44857HIGHCVSS 8.1EG 8.12024-04-12
An issue in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_21D24 function in the acu_web component.
- CVE-2023-45144CRITICALCVSS 9.6EG 10.02023-10-16
com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vuln…
- CVE-2023-4521CRITICALCVSS 9.8EG 9.82023-09-25
The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously report…
- CVE-2023-45311CRITICALCVSS 9.8EG 9.82023-10-06
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtaine…
- CVE-2023-45312HIGHCVSS 8.8EG 8.82023-10-10
In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve remote command execution ability.
- CVE-2023-45560HIGHCVSS 7.5EG 7.52023-11-14
An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
- CVE-2023-45590CRITICALCVSS 9.6EG 9.62024-04-09
An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux …
- CVE-2023-45673HIGHCVSS 8.9EG 8.92024-06-21
Joplin is a free, open source note taking and to-do application. A remote code execution (RCE) vulnerability in affected versions allows clicking on a link in a PDF in an untrusted note to execute arbitrary shell commands. Clicking links i…
- CVE-2023-45735HIGHCVSS 8.0EG 8.02024-02-06
A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device.
- CVE-2023-45751HIGHCVSS 7.2EG 9.12023-12-29
Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.This issue affects Nexter Extension: from n/a through 2.0.3.
- CVE-2023-45849CRITICALCVSS 9.8EG 8.52023-11-08
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner.
- CVE-2023-46010CRITICALCVSS 9.8EG 9.82023-10-25
An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component.
- CVE-2023-46042CRITICALCVSS 9.8EG 9.82023-10-19
An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo().
- CVE-2023-46055HIGHCVSS 8.8EG 8.82023-10-21
An issue in ThingNario Photon v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the ping function to the "thingnario Logger Maintenance Webpage" endpoint.
- CVE-2023-46226CRITICALCVSS 9.8EG 9.82024-01-15
Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
- CVE-2023-46242HIGHCVSS 8.8EG 9.62023-11-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` p…
- CVE-2023-46243HIGHCVSS 8.8EG 9.92023-11-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided…
- CVE-2023-46404CRITICALCVSS 9.9EG 9.92023-11-03
PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing.
- CVE-2023-46480CRITICALCVSS 9.8EG 9.82023-11-27
An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function.
- CVE-2023-46509CRITICALCVSS 9.8EG 9.82023-10-27
An issue in Contec SolarView Compact v.6.0 and before allows an attacker to execute arbitrary code via the texteditor.php component.
- CVE-2023-46623HIGHCVSS 8.8EG 9.92023-12-29
Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra.This issue affects WP EXtra: from n/a through 6.2.
- CVE-2023-46731CRITICALCVSS 9.8EG 10.02023-11-06
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows a…
- CVE-2023-46816HIGHCVSS 8.8EG 8.82023-10-27
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. A Server Site Template Injection (SSTI) vulnerability has been identified in the GecControl action. By using a crafted request, custom PHP code can be injected via …
- CVE-2023-46818HIGHCVSS 7.2EG 9.02023-10-27
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
- CVE-2023-46845HIGHCVSS 7.2EG 7.22023-11-07
EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. A…
- CVE-2023-46865HIGHCVSS 7.2EG 7.22023-10-30
/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo image.
- CVE-2023-46947HIGHCVSS 8.8EG 7.22023-11-03
Subrion 4.2.1 has a remote command execution vulnerability in the backend.
- CVE-2023-46958CRITICALCVSS 9.8EG 9.82023-11-02
An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.
- CVE-2023-46980CRITICALCVSS 9.8EG 9.82023-11-03
An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter.
- CVE-2023-46987HIGHCVSS 8.8EG 8.82023-12-28
SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.
- CVE-2023-47003CRITICALCVSS 9.8EG 9.82023-11-16
An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.
- CVE-2023-47030CRITICALCVSS 9.8EG 9.82025-06-23
An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a GET request to a UserService SOAP API endpoint to validate if a user exists.
- CVE-2023-47032CRITICALCVSS 9.8EG 9.82025-06-23
Password Vulnerability in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the UserService SOAP API function.
- CVE-2023-4709MEDIUMCVSS 6.1EG 4.32023-09-01
A vulnerability classified as problematic has been found in TOTVS RM 12.1. Affected is an unknown function of the file Login.aspx of the component Portal. The manipulation of the argument VIEWSTATE leads to cross site scripting. It is poss…
- CVE-2023-47257HIGHCVSS 8.1EG 8.12024-02-01
ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.
- CVE-2023-47397CRITICALCVSS 9.8EG 9.82023-11-08
WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →