CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,465 vulnerabilities with CWE-94
CVE-2026-4965 HIGH
letta-ai letta Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type eval injection
CVSS 7.3
CVE-2026-4963 MEDIUM
huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection
CVSS 6.3
CVE-2026-27876 CRITICAL
RCE on Grafana via sqlExpressions
CVSS 9.1
CVE-2026-32669 CRITICAL
BUFFALO Wi-Fi router - Code Injection
CVSS 9.8
CVE-2026-4909 LOW
code-projects Exam Form Submission update_s7.php cross site scripting
CVSS 2.4
CVE-2026-33744 HIGH
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
CVSS 7.8
CVE-2026-4899 LOW
code-projects Online Food Ordering System food.php cross site scripting
CVSS 2.4
CVE-2026-4898 MEDIUM
code-projects Online Food Ordering System contact.php cross site scripting
CVSS 4.3
CVE-2026-33622 HIGH
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution
CVSS 8.8
CVE-2026-30457 CRITICAL
Daylight Studio FuelCMS - Remote Code Execution via Dwoo Parser
CVSS 9.8
CVE-2026-4877 MEDIUM
itsourcecode Payroll Management System index.php cross site scripting
CVSS 4.3
CVE-2026-4849 MEDIUM
code-projects Simple Laundry System Parameter modify.php cross site scripting
CVSS 4.3
CVE-2026-4848 MEDIUM
dameng100 muucmf list.html cross site scripting
CVSS 4.3
CVE-2026-4847 MEDIUM
dameng100 muucmf list.html cross site scripting
CVSS 4.3
CVE-2026-4846 MEDIUM
dameng100 muucmf autoReply.html cross site scripting
CVSS 4.3
CVE-2026-4845 MEDIUM
dameng100 muucmf index.html cross site scripting
CVSS 4.3
CVE-2026-4835 LOW
code-projects Accounting System Web Application add_costumer.php cross site scripting
CVSS 3.5
CVE-2026-33660 HIGH
n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
CVSS 8.8
CVE-2026-32573 CRITICAL
WordPress Nelio AB Testing plugin <= 8.2.7 - Remote Code Execution (RCE) vulnerability
CVSS 9.1
CVE-2026-32525 CRITICAL
WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability
CVSS 9.9
CVE-2026-27044 CRITICAL
WordPress Total Poll Lite plugin <= 4.12.0 - Remote Code Execution (RCE) vulnerability
CVSS 9.9
CVE-2026-25447 CRITICAL
WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
CVSS 9.1
CVE-2026-25366 CRITICAL
WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability
CVSS 9.9
CVE-2026-25001 HIGH
WordPress Post Snippets plugin <= 4.0.12 - Remote Code Execution (RCE) vulnerability
CVSS 8.5
CVE-2026-26833 CRITICAL
thumbler <=1.1.2 - Command Injection
CVSS 9.8