CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,488 vulnerabilities with CWE-94
CVE-2025-60206 CRITICAL
Bearsthemes Alone <7.8.3 - Code Injection
CVSS 10.0
CVE-2025-52756 HIGH
Sayan Datta WP Last Modified Info <1.9.3 - Code Injection
CVSS 7.4
CVE-2025-49926 HIGH
Laborator Kalium <3.26 - Code Injection
CVSS 7.2
CVE-2025-8848 MEDIUM
librechat 0.7.9 - HTML Injection via Accept-Language Header
CVSS 5.4
CVE-2025-61488 HIGH
SLiMS 9 Bulian 9.6.1 - Server-Side Request Forgery via scrap_image.php
CVSS 7.6
CVE-2025-62429 HIGH
ClipBucket 5.3-5.5.2-147 - Remote Code Execution via Update Launch Type Parameter
CVSS 7.2
CVE-2025-11946 LOW
LogicalDOC Community Edition < 9.2.1 - Cross-Site Scripting via Add Contact Page Parameters
CVSS 3.5
CVE-2025-11945 LOW
AFFiNE <= 0.24.1 - Cross-Site Scripting via Avatar Upload Image Endpoint
CVSS 3.5
CVE-2025-57567 CRITICAL
PluXml CMS - Authenticated Remote Code Execution via Theme Editor File Overwrite
CVSS 9.1
CVE-2025-11905 MEDIUM
chancms < 3.3.2 - Remote Code Execution via gather.js getArticle Function
CVSS 6.3
CVE-2025-62416 MEDIUM
Bagisto < 2.3.8 - Authenticated Server-Side Template Injection in Product Description Renderer
CVSS 5.1
CVE-2025-11851 LOW
Apeman ID71 EN75.8.53.20 - Cross-Site Scripting via /set_alias.cgi Alias Parameter
CVSS 3.5
CVE-2025-11548 CRITICAL
ibi WebFOCUS - Privilege Escalation
CVE-2025-31365 MEDIUM
FortiClientMac 7.2.1-7.2.8, 7.4.0-7.4.3 - Unauthenticated Remote Code Execution via Malicious Website
CVSS 5.8
CVE-2025-46581 CRITICAL
ZTE ZXCDN >= V3.01.02 - Unauthenticated Remote Code Execution via Struts
CVSS 9.8
CVE-2025-41699 HIGH
Web-based management - Code Injection
CVSS 8.8
CVE-2025-42901 MEDIUM
SAP Application Server for ABAP (BAPI Browser) - Authenticated Stored Cross-Site Scripting
CVSS 5.4
CVE-2025-61929 CRITICAL
Cherry Studio < 1.6.4 - Remote Code Execution via MCP Installation URL Handler
CVSS 9.6
CVE-2025-61927 HIGH
happy-dom < 20.0.0 - Remote Code Execution via VM Context Escape
CVE-2025-61773 HIGH
pyload-ng < 0.5.0b3.dev91 - Cross-Site Scripting via Captcha Script Endpoint and Click'N'Load Blueprint
CVSS 8.1
CVE-2025-11539 CRITICAL
Grafana Image Renderer 1.0.0-4.0.16 - Remote Code Execution via CSV Endpoint File Path Parameter
CVSS 9.9
CVE-2025-11512 MEDIUM
code-projects Voting System 1.0 - Cross-Site Scripting via Firstname/Lastname/Platform Parameters
CVSS 4.3
CVE-2025-11485 LOW
Student Grades Management System 1.0 - Cross-Site Scripting via Manage Users Page
CVSS 2.4
CVE-2025-11437 LOW
JhumanJ OpnForm < 1.9.3 - Cross-Site Scripting in Form Editor
CVSS 2.4
CVE-2025-11435 MEDIUM
JhumanJ OpnForm < 1.9.3 - Cross-Site Scripting in /show/submissions
CVSS 4.3
Details
Vulnerabilities: 6,488
Exploit likelihood: Medium