CWE-94: Improper Control of Generation of Code ('Code Injection')

Exploit likelihood: Medium

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,457 vulnerabilities with CWE-94
CVE-2026-48017 (HIGH, CVSS 8.8): DbGate: Remote Code Execution via functionName injection in loadReader endpoint
CVE-2026-48836 (CRITICAL, CVSS 10.0): WordPress Easy Invoice plugin <= 2.1.19 - Remote Code Execution (RCE) vulnerability
CVE-2026-48124 (HIGH): Cursor Desktop sandbox escape via Claude hook configuration
CVE-2026-39465 (CRITICAL, CVSS 9.1): WordPress Responsive Slider by MetaSlider plugin <= 3.106.0 - Remote Code Execution (RCE) vulnerability
CVE-2026-52704 (CRITICAL, CVSS 10.0): WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability
CVE-2026-11860 (HIGH): Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS
CVE-2026-12209 (MEDIUM, CVSS 5.3): RubyLouvre avalon Template Filter index.js prototype pollution
CVE-2026-12208 (MEDIUM, CVSS 5.3): jsonata-js jsonata Function Binding Frame System jsonata.js createFrame prototype pollution
CVE-2026-12202 (LOW, CVSS 2.4): Intelliants Subrion CMS Blocks Endpoint cross site scripting
CVE-2026-12176 (MEDIUM, CVSS 4.3): SourceCodester CET Automated Grading System with AI Predictive Analytics index.php cross site scripting
CVE-2026-54057 (HIGH): Kitty vulnerable to command injection via unsanitized OSC 21 query reply
CVE-2026-12130 (LOW, CVSS 3.5): CodeAstro Human Resource Management System Projects Management Add_Projects cross site scripting
CVE-2026-12129 (LOW, CVSS 3.5): CodeAstro Human Resource Management System Dashboard add_tod cross site scripting
CVE-2026-42890 (MEDIUM): actual Allows Electron to Run As Node
CVE-2026-42851 (HIGH, CVSS 7.8): @kitty-edit DCS + --color=geninclude vulnerable to Unauthenticated in-process RCE
CVE-2026-45833 (CRITICAL): ChromaDB - Improper Control of Generation of Code ('Code Injection')
CVE-2026-54133 (CRITICAL, CVSS 9.8): jmespath.php has CompilerRuntime code injection via unescaped function names
CVE-2026-52860 (HIGH, CVSS 7.8): Vim: Arbitrary Code Execution via Python Omni-Completion
CVE-2026-52858 (HIGH, CVSS 7.8): Vim: Arbitrary Code Execution via Python Omni-Completion
CVE-2026-47167 (MEDIUM, CVSS 5.3): Vim: Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex
CVE-2026-47162 (HIGH, CVSS 8.8): Vim: Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name
CVE-2026-44495 (HIGH, CVSS 7.0): Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
CVE-2026-50223 (HIGH, CVSS 8.8): Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution
CVE-2026-45558 (CRITICAL, CVSS 9.9): Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save
CVE-2026-46517 (HIGH, CVSS 7.8): LMDeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out