CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,465 vulnerabilities with CWE-94
CVE-2026-4506 MEDIUM
Mindinventory MindSQL mindsql_core.py ask_db code injection
CVSS 6.3
CVE-2026-3584 CRITICAL
Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process
CVSS 9.8
CVE-2026-33154 HIGH
dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver
CVSS 7.5
CVE-2026-4495 LOW
atjiu pybbs CommentApiController.java create cross site scripting
CVSS 3.5
CVE-2026-4494 LOW
atjiu pybbs TopicApiController.java create cross site scripting
CVSS 3.5
CVE-2026-33057 CRITICAL
Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py
CVSS 9.8
CVE-2026-4474 LOW
itsourcecode University Management System admin_single_student_update.php cross site scripting
CVSS 2.4
CVE-2026-33017 CRITICAL KEV
Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
CVSS 9.8
CVE-2026-29103 CRITICAL
SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass
CVSS 9.1
CVE-2026-29102 HIGH
SuiteCRM has Authenticated RCE in Modules
CVSS 7.2
CVE-2026-30694 CRITICAL
DedeCMS <=5.7.118 array_filter - Remote Code Execution
CVSS 9.8
CVE-2026-30402 CRITICAL
wgcloud <=2.3.7 Test Connection - Remote Code Execution
CVSS 9.8
CVE-2026-4356 LOW
itsourcecode University Management System add_result.php cross site scripting
CVSS 2.4
CVE-2026-4355 LOW
Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting
CVSS 3.5
CVE-2026-4354 LOW
TRENDnet TEW-824DRU Web apply_sec.cgi sub_420A78 cross site scripting
CVSS 3.5
CVE-2026-21570 HIGH
Bamboo Data Center Authenticated Remote Code Execution
CVE-2026-30875 HIGH
Chamilo LMS: Authenticated RCE via H5P Import
CVSS 8.8
CVE-2026-4276 HIGH
LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
CVSS 7.5
CVE-2026-4239 LOW
Lagom WHMCS Template Datatables prototype pollution
CVSS 3.5
CVE-2026-4225 LOW
CMS Made Simple User Management listusers.php cross site scripting
CVSS 2.4
CVE-2026-4186 LOW
UEditor <= 1.4.3.2 - Cross-Site Scripting via JSONP Callback Parameter
CVSS 3.5
CVE-2026-4175 LOW
Aureus ERP <= 1.3.0-BETA2 - Cross-Site Scripting in Chatter Message Handler
CVSS 3.5
CVE-2026-4169 LOW
Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting
CVSS 2.4
CVE-2026-4168 LOW
Tecnick TCExam Group tce_edit_group.php cross site scripting
CVSS 2.4
CVE-2026-4166 LOW
Wavlink WL-NU516U1 240425 - Cross-Site Scripting via Homepage/Hostname Parameter
CVSS 3.5