CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,471 vulnerabilities with CWE-94
CVE-2026-29039 HIGH
changedetection.io <0.54.4 - Info Disclosure
CVSS 7.5
CVE-2026-28801 MEDIUM
Natro Macro <1.1.0 - Code Injection
CVSS 6.6
CVE-2026-25888 HIGH
Chartbrew < 4.8.1 - Remote Code Execution via Vulnerable API
CVSS 8.8
CVE-2026-25887 HIGH
Chartbrew < 4.8.1 - Remote Code Execution via MongoDB Dataset Query
CVSS 7.2
CVE-2026-3610 MEDIUM
HSC Cybersecurity Mailinspector <5.3.2-3 - XSS
CVSS 4.3
CVE-2026-28134 HIGH
Crocoblock JetEngine <=3.7.2 - Code Injection
CVSS 8.5
CVE-2026-27984 CRITICAL
Widget Options <=4.1.3 - Code Injection
CVSS 9.0
CVE-2026-22390 CRITICAL
Builderall Builder for WordPress <=3.0.1 - Code Injection
CVSS 9.9
CVE-2026-28783 CRITICAL
Craft CMS <5.9.0-beta.1/4.17.0-beta.1 - RCE
CVSS 9.1
CVE-2026-23808 MEDIUM
Wireless Roaming Protocol - Auth Bypass
CVSS 5.4
CVE-2026-21853 HIGH
AFFiNE < 0.25.4 - Remote Code Execution via Crafted affine: URL Handler
CVSS 8.8
CVE-2026-3132 HIGH
Master Addons for Elementor Premium <2.1.3 - RCE
CVSS 8.8
CVE-2026-24105 CRITICAL
Tenda AC15V1.0 V15.03.05.18 - Command Injection
CVSS 9.8
CVE-2026-26720 CRITICAL
Twenty CRM < 1.15.0 - Remote Code Execution via Local Driver Module
CVSS 9.8
CVE-2026-26699 HIGH
SourceCodester Personnel Property Equipment System 1.0 - Arbitrary Code Execution
CVSS 7.2
CVE-2026-24107 CRITICAL
Tenda W20E V4.0br_V15.11.0.6 - Command Injection
CVSS 9.8
CVE-2026-3412 MEDIUM
itsourcecode University Management System 1.0 - XSS
CVSS 4.3
CVE-2026-3409 HIGH
eosphoros-ai db-gpt 0.7.5 - Code Injection
CVSS 7.3
CVE-2026-3403 LOW
PHPGurukul Student Record Management System 1.0 - Cross-Site Scripting via Subject Parameter in edit-subject.php
CVSS 2.4
CVE-2026-3402 LOW
PHPGurukul Student Record Management System <1.0 - XSS
CVSS 2.4
CVE-2026-3395 HIGH
MaxSite CMS <109.1 - Code Injection
CVSS 7.3
CVE-2026-28425 HIGH
Statamic <5.73.11/6.4.0 - Authenticated RCE
CVSS 8.0
CVE-2026-21658 CRITICAL
Johnson Controls Frick Controls Quantum HD <=10.22 - Code Injection
CVSS 9.8
CVE-2026-21657 CRITICAL
Johnson Controls Frick Controls Quantum HD <=10.22 - Code Injection
CVSS 9.8
CVE-2026-21656 CRITICAL
Johnson Controls Frick Controls Quantum HD <=10.22 - Code Injection
CVSS 9.8