CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,474 vulnerabilities with CWE-94
CVE-2026-24871 CRITICAL
pilgrimage233 Minecraft-Rcon-Manage <3.0 - Code Injection
CVE-2026-24806 MEDIUM
liuyueyi quick-media < v1.0 - Code Injection in PNGImageEncoder
CVE-2026-22709 CRITICAL
NPM Vm2 < 3.10.2 - Code Injection
CVSS 9.8
CVE-2026-1444 LOW
iJason-Liu Books_Manager - Cross-Site Scripting via Mark Parameter in Add Book Check
CVSS 2.4
CVE-2026-1421 LOW
Online Examination System 1.0 - Stored Cross-Site Scripting in Add Pages
CVSS 3.5
CVE-2026-24474 MEDIUM
Dioxus Components <commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a ...
CVE-2026-0771 HIGH
Langflow - Remote Code Execution via Python Function Component Injection
CVSS 7.1
CVE-2026-0768 CRITICAL
Langflow - Unauthenticated Remote Code Execution via Validate Endpoint Code Parameter
CVSS 9.8
CVE-2026-0766 HIGH
Open WebUI - Authenticated Remote Code Execution via load_tool_module_by_id Function
CVSS 8.8
CVE-2026-0761 CRITICAL
Foundation Agents MetaGPT - Code Injection
CVSS 9.8
CVE-2026-24132 CRITICAL
Orval <7.19.0 and 8.0.0-rc.0-8.0.2 - Code Injection
CVSS 9.8
CVE-2026-23946 MEDIUM
Tendenci <15.3.11 - Authenticated RCE
CVSS 6.8
CVE-2026-22807 HIGH
vllm 0.10.1-0.13.0 - Remote Code Execution via Hugging Face auto_map Dynamic Module Loading
CVSS 8.8
CVE-2026-22793 CRITICAL
5ire < 0.15.3 - Remote Code Execution via ECharts Markdown Plugin
CVSS 9.6
CVE-2026-20045 HIGH KEV
Cisco Unified Communications Manager - RCE
CVSS 8.2
CVE-2026-1245 MEDIUM
binary-parser < 2.3.0 - Remote Code Execution via Parser Field Name or Encoding Parameter
CVSS 6.5
CVE-2026-23947 CRITICAL
Orval < 7.19.0 and 8.0.0-rc.0-8.0.2 - Remote Code Execution via x-enumDescriptions Field
CVSS 9.8
CVE-2026-23852 CRITICAL
SiYuan < 3.5.4 - Stored Cross-Site Scripting via Block Icon Attribute
CVSS 9.6
CVE-2026-1161 LOW
pbrong hrms 1.0.1 - Cross-Site Scripting in UpdateRecruitmentById Function
CVSS 3.5
CVE-2026-1151 LOW
technical-laohu mpay < 1.2.4 - Cross-Site Scripting via Nickname Parameter
CVSS 2.4
CVE-2026-1147 LOW
Patients Waiting Area Queue Management System 1.0 - Cross-Site Scripting via Reason Parameter
CVSS 3.5
CVE-2026-1146 LOW
Patients Waiting Area Queue Management System 1.0 - Cross-Site Scripting via firstName/lastName Parameter
CVSS 3.5
CVE-2026-1136 LOW
lcg0124 BootDo <e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb - XSS
CVSS 3.5
CVE-2026-1135 MEDIUM
itsourcecode Society Management System 1.0 - Cross-Site Scripting via Title Parameter in Activity Page
CVSS 4.3
CVE-2026-1134 MEDIUM
Society Management System 1.0 - Cross-Site Scripting via Expenses Detail Parameter
CVSS 4.3