CWE-94— Improper Control of Generation of Code (Code Injection)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.— MITRE CWE catalog
6,491 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 98 of 130
- CVE-2025-2313CRITICALCVSS 9.4EG 9.42025-08-27
In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter.
- CVE-2025-23186HIGHCVSS 8.5EG 8.52025-04-08
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These cre…
- CVE-2025-23209HIGHCVSS 8.0EG 9.0⚠ KEV2025-01-18
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been comprom…
- CVE-2025-23211CRITICALCVSS 9.9EG 9.92025-01-28
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server. In the case of the provided Docker Compose file as root. Th…
- CVE-2025-23251HIGHCVSS 7.6EG 7.62025-04-22
NVIDIA NeMo Framework contains a vulnerability where a user could cause an improper control of generation of code by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering.
- CVE-2025-23264HIGHCVSS 7.8EG 7.82025-06-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Es…
- CVE-2025-23265HIGHCVSS 7.8EG 7.82025-06-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Es…
- CVE-2025-23295HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability might lead to code execution, escal…
- CVE-2025-23296HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, in…
- CVE-2025-23298HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of …
- CVE-2025-23304HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerabilit…
- CVE-2025-23305HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, in…
- CVE-2025-23306HIGHCVSS 7.8EG 7.82025-08-13
NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability …
- CVE-2025-23307HIGHCVSS 7.8EG 7.82025-08-26
NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, inf…
- CVE-2025-23312HIGHCVSS 7.8EG 7.82025-08-26
NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code e…
- CVE-2025-23313HIGHCVSS 7.8EG 7.82025-08-26
NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution,…
- CVE-2025-23314HIGHCVSS 7.8EG 7.82025-08-26
NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution,…
- CVE-2025-23315HIGHCVSS 7.8EG 7.82025-08-26
NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to c…
- CVE-2025-23348HIGHCVSS 7.8EG 7.82025-09-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in the pretrain_gpt script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, …
- CVE-2025-23349HIGHCVSS 7.8EG 7.82025-09-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in the tasks/orqa/unsupervised/nq.py component, where an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation o…
- CVE-2025-2335LOWCVSS 3.5EG 3.52025-03-16
A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message …
- CVE-2025-23353HIGHCVSS 7.8EG 7.82025-09-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in the msdp preprocessing script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escal…
- CVE-2025-23354HIGHCVSS 7.8EG 7.82025-09-24
NVIDIA Megatron-LM for all platforms contains a vulnerability in the ensemble_classifer script where malicious data created by an attacker may cause an injection. A successful exploit of this vulnerability may lead to code execution, escal…
- CVE-2025-23357HIGHCVSS 7.8EG 7.82025-11-11
NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of p…
- CVE-2025-23361HIGHCVSS 7.8EG 7.82025-11-11
NVIDIA NeMo Framework for all platforms contains a vulnerability in a script, where malicious input created by an attacker may cause improper control of code generation. A successful exploit of this vulnerability may lead to code execution…
- CVE-2025-23376LOWCVSS 2.3EG 2.32025-04-28
Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker with local access could potentially exp…
- CVE-2025-2340LOWCVSS 2.4EG 2.42025-03-16
A vulnerability was found in otale Tale Blog 2.0.5. It has been declared as problematic. This vulnerability affects the function saveOptions of the file /options/save of the component Site Settings. The manipulation of the argument Site Ti…
- CVE-2025-2352LOWCVSS 2.4EG 2.42025-03-16
A vulnerability, which was classified as problematic, has been found in StarSea99 starsea-mall 1.0. This issue affects some unknown processing of the file /admin/indexConfigs/save of the component Backend. The manipulation of the argument …
- CVE-2025-2354MEDIUMCVSS 4.3EG 4.32025-03-17
A vulnerability has been found in VAM Virtual Airlines Manager 2.6.2 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vam/index.php. The manipulation of the argument registry_id/plane_i…
- CVE-2025-2361MEDIUMCVSS 4.3EG 4.32025-03-17
A vulnerability was found in Mercurial SCM 4.5.3/71.19.145.211. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument cmd leads to cross site scripting…
- CVE-2025-2364LOWCVSS 3.5EG 3.52025-03-17
A vulnerability classified as problematic was found in lenve VBlog up to 1.0.0. Affected by this vulnerability is the function addNewArticle of the file blogserver/src/main/java/org/sang/service/ArticleService.java. The manipulation of the…
- CVE-2025-2366LOWCVSS 2.4EG 2.42025-03-17
A vulnerability, which was classified as problematic, was found in gougucms 4.08.18. This affects the function add of the file /admin/department/add of the component Add Department Page. The manipulation of the argument title leads to cros…
- CVE-2025-2371LOWCVSS 3.5EG 3.52025-03-17
A vulnerability was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /registered-user-testing.php of the component R…
- CVE-2025-2375LOWCVSS 3.5EG 3.52025-03-17
A vulnerability, which was classified as problematic, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected is an unknown function of the file /profile.php of the component Admin Profile Page. The manipulati…
- CVE-2025-2377LOWCVSS 3.5EG 3.52025-03-17
A vulnerability was found in SourceCodester Vehicle Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /confirmbooking.php. The manipulation of the argument id leads to cro…
- CVE-2025-24159HIGHCVSS 7.8EG 7.82025-01-27
A validation issue was addressed with improved logic. This issue is fixed in iOS 18.3 and iPadOS 18.3, iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, tvOS 18.3, visionOS 2.3, watchOS 11.3. An app may be able to execute arbitrary c…
- CVE-2025-2421CRITICALCVSS 9.8EG 8.22025-05-02
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection. This issue affects SambaBox: before 5.1.
- CVE-2025-24243HIGHCVSS 7.8EG 7.82025-03-31
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. Processing a malic…
- CVE-2025-24287MEDIUMCVSS 6.1EG 6.12025-06-19
A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions.
- CVE-2025-24293HIGHCVSS 8.1EG 9.22026-01-30
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three meth…
- CVE-2025-24482HIGHCVSS 7.0EG 7.02025-01-28
A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.
- CVE-2025-24677CRITICALCVSS 9.9EG 9.92025-02-04
Improper Control of Generation of Code ('Code Injection') vulnerability in wpspin Post/Page Copying Tool postpage-import-export-with-custom-fields-taxonomies allows Remote Code Inclusion.This issue affects Post/Page Copying Tool: from n/a …
- CVE-2025-24893CRITICALCVSS 9.8EG 9.8⚠ KEV2025-02-20
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity a…
- CVE-2025-2490LOWCVSS 2.4EG 2.42025-03-18
A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the compone…
- CVE-2025-2491LOWCVSS 2.4EG 2.42025-03-18
A vulnerability classified as problematic has been found in Dromara ujcms 9.7.5. This affects the function update of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileTemplateController.java of the component Edit Template File Pa…
- CVE-2025-24959LOWCVSS 1.0EG 1.02025-02-03
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in appli…
- CVE-2025-24977CRITICALCVSS 9.1EG 9.12025-05-05
OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal…
- CVE-2025-25021HIGHCVSS 7.2EG 7.22025-06-03
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow a privileged execute code in case management script creation due to the improper generation of code.
- CVE-2025-25246HIGHCVSS 8.1EG 8.12025-02-05
NETGEAR XR1000 before 1.0.0.74, XR1000v2 before 1.1.0.22, and XR500 before 2.3.2.134 allow remote code execution by unauthenticated users.
- CVE-2025-25362CRITICALCVSS 9.8EG 9.82025-03-05
A Server-Side Template Injection (SSTI) vulnerability in Spacy-LLM v0.7.2 allows attackers to execute arbitrary code via injecting a crafted payload into the template field.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →