CWE-94: Improper Control of Generation of Code ('Code Injection')

Exploit likelihood: Medium

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,474 vulnerabilities with CWE-94
CVE-2026-23733 (MEDIUM, CVSS 6.4): lobehub chat < 2.0.0-next.180 - Stored Cross-Site Scripting and Remote Code Execution via Mermaid Artifact Renderer
CVE-2026-0863 (HIGH, CVSS 8.5): n8n < 1.123.14 - Authenticated Remote Code Execution via Python Task Executor Sandbox Escape
CVE-2026-1049 (LOW, CVSS 3.5): LigeroSmart < 6.1.26 - Cross-Site Scripting via TicketID Parameter in /otrs/index.pl
CVE-2026-1048 (LOW, CVSS 3.5): ligerosmart < 6.1.26 - Cross-Site Scripting via TicketID Parameter in AgentTicketZoom
CVE-2026-23742 (HIGH, CVSS 8.8): Skipper < 0.23.0 - Unauthenticated Information Disclosure via Lua Filter Script Injection
CVE-2026-23523 (CRITICAL, CVSS 9.6): openagentplatform/dive < 0.13.0 - Remote Code Execution via Crafted Deeplink
CVE-2026-23498 (HIGH, CVSS 7.2): Shopware 6.7.0.0-6.7.6.0 - Remote Code Execution via PHP Closure Allow List Bypass
CVE-2026-22708 (CRITICAL, CVSS 9.8): Cursor < 2.3 - Environment Variable Manipulation via Shell Built-in Execution
CVE-2026-22686 (CRITICAL, CVSS 10.0): enclave-vm < 2.7.0 - Sandbox Escape via Host Error Prototype Chain Traversal
CVE-2026-22869 (CRITICAL, CVSS 9.8): Eigent < 0.0.78 - Remote Code Execution via CI Workflow Misconfiguration
CVE-2026-0500 (CRITICAL, CVSS 9.6): SAP Wily Introscope Enterprise Manager - Unauthenticated OS Command Injection via Malicious JNLP File
CVE-2026-0498 (CRITICAL, CVSS 9.1): SAP S/4HANA - Authenticated ABAP Code and OS Command Injection via RFC Function Module
CVE-2026-0491 (CRITICAL, CVSS 9.1): SAP Landscape Transformation - Command Injection
CVE-2026-22771 (HIGH, CVSS 8.8): Envoy Gateway < 1.5.7 and 1.6.0-rc.0-1.6.2 - Credential Leak via EnvoyExtensionPolicy Lua Scripts
CVE-2026-0824 (LOW, CVSS 3.5): QuestDB UI < 1.1.10 - Cross-Site Scripting in Web Console
CVE-2026-22584 (CRITICAL, CVSS 9.8): Salesforce Uni2TS <= 1.2.0 - Code Injection via Executable Code in Non-Executable Files
CVE-2026-0730 (LOW, CVSS 2.4): PHPGurukul Staff Leave Management System 1.0 - Cross-Site Scripting via Profile Pic Argument
CVE-2026-22244 (HIGH, CVSS 7.2): OpenMetadata < 1.11.4 - Authenticated Remote Code Execution via FreeMarker Email Template Injection
CVE-2026-21877 (CRITICAL, CVSS 9.9): n8n 0.123.0-1.121.2 - Authenticated Remote Code Execution via Git Node
CVE-2026-0642 (LOW, CVSS 2.4): projectworlds House Rental and Property Listing 1.0 - Cross-Site Scripting via Complaint Name Parameter
CVE-2026-0588 (LOW, CVSS 3.5): RockOA < 2.7.1 - Cross-Site Scripting via rockfun.php Callback Parameter
CVE-2026-0587 (LOW, CVSS 3.5): RockOA < 2.7.1 - Cross-Site Scripting via fengmian Parameter in Cover Image Handler
CVE-2026-0586 (MEDIUM, CVSS 4.3): Online Product Reservation System 1.0 - Cross-Site Scripting via cat Parameter in prod.php
CVE-2026-0580 (LOW, CVSS 3.5): SourceCodester API Key Manager App 1.0 - Cross-Site Scripting in Import Key Handler
CVE-2025-51427 (HIGH, CVSS 7.3): ModelScope 1.25.0 - Remote Code Execution via Crafted Module in Configuration File
Details
Vulnerabilities 6,474
Exploit Likelihood Medium