CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,507 vulnerabilities with CWE-94
CVE-2024-25180 CRITICAL
pdfmake 0.2.9 - Remote Code Execution via /pdf Endpoint
CVSS 9.8
CVE-2024-25291 CRITICAL
Deskfiler 1.2.3 - Remote Code Execution via Crafted Plugin Upload
CVSS 9.8
CVE-2024-24525 CRITICAL
EpointWebBuilder 5.1.0-sp1, 5.2.1-sp1, 5.4.1, 5.4.2 - Remote Code Execution via infoid Parameter
CVSS 9.8
CVE-2024-25713 HIGH
yyjson <= 0.8.0 - Remote Code Execution via Double Free in Pool Allocator
CVSS 8.6
CVE-2024-25350 CRITICAL
PHPGurukul Zoo Management System 1.0 - SQL Injection
CVSS 9.8
CVE-2024-25202 MEDIUM
PHPGurukul User Registration & Login and User Management System 1.0 - Stored Cross-Site Scripting via Search Bar
CVSS 6.1
CVE-2024-1885 MEDIUM
LG webOS Signage - Remote Code Execution
CVSS 6.3
CVE-2024-22988 CRITICAL
ZKTeco ZKBio WDMS < 9.0.2 - Info Disclosure
CVSS 9.8
CVE-2024-0220 HIGH
B&R Automation Studio < 4.6 and Technology Guarding < 1.4.0 - Cleartext Transmission of Sensitive Information
CVSS 8.3
CVE-2024-26483 HIGH
Kirby CMS 4.1.0 - Arbitrary File Upload and Remote Code Execution via Profile Image Module
CVSS 8.8
CVE-2024-25249 CRITICAL
He3 App 2.0.17 - Remote Code Execution via RunAsNode and enableNodeCliInspectArguments
CVSS 9.8
CVE-2024-1706 LOW
ZKTeco ZKBio Access IVS < 3.3.2 - Cross-Site Scripting via Department Name Search Bar
CVSS 3.5
CVE-2024-1705 MEDIUM
shopwind < 4.6 - Code Injection in Installation DefaultController
CVSS 5.6
CVE-2024-21682 HIGH
Atlassian Assets Discovery 1.0.0-6.2.0 - Authenticated Code Injection
CVSS 7.2
CVE-2024-21892 HIGH
Node.js 18.0.0-18.19.1 - Privilege Escalation via Incorrect CAP_NET_BIND_SERVICE Exception
CVSS 7.8
CVE-2024-25298 HIGH
REDAXO 5.15.1 - Remote Code Execution via modules.modules.php
CVSS 7.2
CVE-2024-25415 HIGH
CE Phoenix 1.0.8.20 - Remote Code Execution via define_language.php
CVSS 7.2
CVE-2024-25502 CRITICAL
flusity CMS 2.4 - Directory Traversal and Remote Code Execution via download_backup.php
CVSS 9.8
CVE-2024-25301 HIGH
REDAXO 5.15.1 - Remote Code Execution via Templates Component
CVSS 7.2
CVE-2024-21378 HIGH
Microsoft Outlook - Remote Code Execution
CVSS 8.8
CVE-2024-21351 HIGH KEV
Windows 10 1507-22H2, Windows 11 21H2-23H2, Windows Server 2016-2022 - SmartScreen Security Feature Bypass
CVSS 7.6
CVE-2024-22131 CRITICAL
SAP ABAP Platform - Authenticated Remote Code Execution via Vulnerable Interface
CVSS 9.1
CVE-2024-25110 CRITICAL
Microsoft azure-uamqp < 2024-02-01 - Remote Code Execution via open_get_offered_capabilities Use-After-Free
CVSS 9.8
CVE-2024-24091 CRITICAL
Yealink Meeting Server < 26.0.0.66 - OS Command Injection via File Upload Interface
CVSS 9.8
CVE-2024-22514 HIGH
iSpyConnect.com Agent DVR < 5.1.6.0 - Code Injection
CVSS 8.8