CWE-96— Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.— MITRE CWE catalog
23 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-96page 1 of 1
- CVE-2015-2079CRITICALCVSS 9.9EG 9.92025-04-28
Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open.
- CVE-2020-6143CRITICALCVSS 9.8EG 9.82020-09-01
A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An …
- CVE-2020-6144CRITICALCVSS 9.8EG 9.82020-09-01
A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An …
- CVE-2021-39115HIGHCVSS 7.2EG 7.22021-09-01
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vul…
- CVE-2022-0895CRITICALCVSS 9.8EG 9.82022-03-10
Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
- CVE-2022-3960MEDIUMCVSS 6.3EG 6.32023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.
- CVE-2022-43938HIGHCVSS 8.8EG 8.82023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
- CVE-2023-39726CRITICALCVSS 9.8EG 9.82023-10-26
An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.
- CVE-2024-0788MEDIUMCVSS 6.6EG 5.82024-01-29
SUPERAntiSpyware Pro X v10.0.1260 is vulnerable to kernel-level API parameters manipulation and Denial of Service vulnerabilities by triggering the 0x9C402140 IOCTL code of the saskutil64.sys driver.
- CVE-2024-13263MEDIUMCVSS 5.5EG 5.52025-01-09
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno group manager allows PHP Local File Inclusion.This issue affects Opigno group manager: from 0.0.0 before 3.1.1.
- CVE-2024-13264CRITICALCVSS 9.8EG 9.82025-01-09
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File Inclusion.This issue affects Opigno module: from 0.0.0 before 3.1.2.
- CVE-2024-13265HIGHCVSS 7.5EG 7.52025-01-09
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno Learning path allows PHP Local File Inclusion.This issue affects Opigno Learning path: from 0.0.0 before 3.1.2.
- CVE-2024-13267HIGHCVSS 7.5EG 7.52025-01-09
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno TinCan Question Type allows PHP Local File Inclusion.This issue affects Opigno TinCan Question Type: from 7.X-1.0 befor…
- CVE-2024-13268MEDIUMCVSS 6.8EG 6.82025-01-09
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno allows PHP Local File Inclusion.This issue affects Opigno: from 7.X-1.0 before 7.X-1.23.
- CVE-2024-32487HIGHCVSS 8.6EG 8.62024-04-13
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted f…
- CVE-2024-37900MEDIUMCVSS 6.4EG 6.42024-07-31
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineerin…
- CVE-2024-43400CRITICALCVSS 9.0EG 9.02024-08-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requi…
- CVE-2024-55662CRITICALCVSS 9.9EG 9.92024-12-12
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programmi…
- CVE-2024-55877CRITICALCVSS 9.9EG 9.92024-12-12
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` …
- CVE-2025-30091CRITICALCVSS 9.4EG 9.42025-03-25
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be in…
- CVE-2025-36595HIGHCVSS 7.2EG 7.22025-06-27
Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability. A high privileged attacker with remote access could potentially exp…
- CVE-2025-57707HIGHCVSS 8.8EG 8.82026-02-11
An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to acc…
- CVE-2025-7825MEDIUMCVSS 6.3EG 6.32025-10-03
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This…
Map vulnerabilities like CWE-96 to your infrastructure
EchelonGraph correlates every CVE — across CWE-96 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →