CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,474 vulnerabilities with CWE-94
CVE-2026-2145 LOW
nginxwebui < 4.3.7 - Cross-Site Scripting via nginxDir Parameter
CVSS 3.5
CVE-2026-25636 HIGH
calibre < 9.2.0 - Path Traversal and Arbitrary File Write via EPUB Conversion
CVSS 8.2
CVE-2026-2064 LOW
Portabilis i-Educar < 2.10.0 - Cross-Site Scripting via File Parameter in User Data Page
CVSS 3.5
CVE-2026-25587 CRITICAL
sandboxjs < 0.8.29 - Sandbox Escape via Map Prototype Overwrite
CVSS 10.0
CVE-2026-2008 MEDIUM
abhiphile fermat-mcp <47f11def1cd37e45dd060f30cdce346cbdbd6f0a - Co...
CVSS 6.3
CVE-2026-1977 MEDIUM
isaacwasserman mcp-vegalite-server <16aefed598b8cd897b78e99b907f6e2...
CVSS 6.3
CVE-2026-1971 LOW
Edimax BR-6288ACL < 1.12 - Cross-Site Scripting via wiz_WISP24gmanual.asp manualssid Parameter
CVSS 2.4
CVE-2026-25481 CRITICAL
langroid < 0.59.32 - Remote Code Execution via Pandas Eval Bypass
CVSS 9.6
CVE-2026-25510 CRITICAL
Ci4-cms-erp Ci4ms < 0.28.5.0 - Code Injection
CVSS 9.9
CVE-2026-24887 HIGH
Claude Code < 2.0.72 - Command Injection via Find Command Bypass
CVSS 8.8
CVE-2026-24149 HIGH
NVIDIA Megatron-LM - Code Injection
CVSS 7.8
CVE-2026-25142 CRITICAL
SandboxJS < 0.8.27 - Prototype Pollution via __lookupGetter__
CVSS 10.0
CVE-2026-1744 LOW
D-Link DSL-6641K N8.TR069.20131126 - XSS
CVSS 2.4
CVE-2026-25153 HIGH
@backstage/plugin-techdocs-node < 1.13.11 and 1.14.0 - Remote Code Execution via MkDocs Hooks Configuration
CVSS 7.7
CVE-2026-1705 LOW
D-Link DSL-6641K N8.TR069.20131126 - XSS
CVSS 2.4
CVE-2026-25141 CRITICAL
Orval 7.19.0-7.20.9 and 8.0.0-8.1.9 - Code Injection via JSFuck Character Bypass
CVSS 9.8
CVE-2026-1700 LOW
projectworlds House Rental and Property Listing 1.0 - Cross-Site Scripting via SMS Message Parameter
CVSS 3.5
CVE-2026-1340 CRITICAL KEV
Ivanti Endpoint Manager Mobile - Code Injection
CVSS 9.8
CVE-2026-1281 CRITICAL KEV
Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE
CVSS 9.8
CVE-2026-24780 HIGH
AutoGPT Platform < 0.6.44 - Authenticated Remote Code Execution via Disabled BlockInstallationBlock
CVSS 8.8
CVE-2026-1598 LOW
Bdtask Bhojon All-In-One Restaurant Management System <20260116 - XSS
CVSS 3.5
CVE-2026-24897 CRITICAL
erugo <= 0.2.14 - Authenticated Path Traversal and Remote Code Execution via Share Creation
CVSS 10.0
CVE-2026-1520 LOW
rethinkdb <= 2.4.3 - Cross-Site Scripting in Secondary Index Handler
CVSS 2.4
CVE-2026-23830 CRITICAL
sandboxjs < 0.8.26 - Remote Code Execution via AsyncFunction Constructor Access
CVSS 10.0
CVE-2026-24747 HIGH
PyTorch < 2.10.0 - Remote Code Execution via Malicious Checkpoint File
CVSS 8.8