CWE-94: Improper Control of Generation of Code ('Code Injection')

Exploit likelihood: Medium

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,457 vulnerabilities with CWE-94 (CVE, severity, CVSS score, title):
CVE-2026-10175 (MEDIUM, CVSS 6.3): Aider-AI Aider Architect Mode auth.py editor_coder.run code injection
CVE-2026-10173 (MEDIUM, CVSS 4.3): Orthanc Explorer 2 URL StudyList.vue cross site scripting
CVE-2026-10153 (MEDIUM, CVSS 4.3): westboy CicadasCMS AbstractCacheManager.java search cross site scripting
CVE-2026-10112 (LOW, CVSS 2.4): sambitraj STUDENT-MANAGEMENT-SYSTEM Dashboard cross site scripting
CVE-2026-45697 (CRITICAL, CVSS 9.8): Formie: Pre-authenticated server-side template injection in Hidden fields
CVE-2026-44287 (MEDIUM, CVSS 6.3): FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
CVE-2026-41159 (MEDIUM, CVSS 5.3): Mermaid: Improper sanitization of configuration leads to CSS injection
CVE-2026-45555 (HIGH, CVSS 7.8): Roslyn CodeLens MCP Server: Untrusted Roslyn Analyzer Execution via get_diagnostics Leads to Arbitrary Code Execution
CVE-2026-44698 (HIGH, CVSS 8.3): Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection
CVE-2026-9976 (HIGH, CVSS 8.8): Google Chrome - Arbitrary Code Execution
CVE-2026-9938 (HIGH, CVSS 8.8): Google Chrome - Arbitrary Code Execution
CVE-2026-45374 (CRITICAL, CVSS 9.6): CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
CVE-2026-45353 (HIGH, CVSS 7.8): electerm: Local code through electerm's single-instance socket
CVE-2026-45311 (CRITICAL, CVSS 9.6): CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval
CVE-2026-45058 (CRITICAL): electerm: Importing unsafe bookmark data could lead to an unsafe operation when a local-type bookmark is clicked
CVE-2026-43898 (CRITICAL, CVSS 10.0): SandboxJS: Sandbox escape via Function.caller leakage of internal call op
CVE-2026-45261 (CRITICAL): GitButler: Link injection via forge integration enables arbitrary script execution
CVE-2026-44672 (CRITICAL): mapfish-print: Remote Code Injection (RCE) in Dynamic table
CVE-2026-32999 (CRITICAL, CVSS 9.0): Webpros Comet Backup - Improper Control of Generation of Code ('Code Injection')
CVE-2026-45136 (HIGH, CVSS 7.8): claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh
CVE-2026-44888 (CRITICAL, CVSS 9.8): Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer)
CVE-2026-44887 (CRITICAL, CVSS 9.8): Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path)
CVE-2026-42879 (MEDIUM, CVSS 6.3): FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images
CVE-2026-45719 (MEDIUM, CVSS 6.5): Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
CVE-2026-44346 (HIGH, CVSS 8.8): BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml