CWE-94
Medium likelihood
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
6,491 vulnerabilities with CWE-94
CVE-2025-10272
MEDIUM
10oa 1.0 - Cross-Site Scripting via Name Parameter in /trial/mvc/catalogue
CVSS 4.3
CVE-2025-10271
MEDIUM
10oa 1.0 - Cross-Site Scripting via Name Parameter
CVSS 4.3
CVE-2025-59053
CRITICAL
AIRI 0.7.2-beta.2 - Stored Cross-Site Scripting and Remote Code Execution via Malicious Card File
CVSS 9.6
CVE-2025-10255
LOW
OnlyOffice < 12.7.0 - Cross-Site Scripting in Comment Handler
CVSS 3.5
CVE-2025-10254
LOW
OnlyOffice < 12.7.0 - Cross-Site Scripting via SVG Image Handler in Messages.aspx
CVSS 3.5
CVE-2025-10253
LOW
openDCIM 23.04 - Cross-Site Scripting via SVG File Handler in uploadifive.php
CVSS 3.5
CVE-2025-8417
HIGH
Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection via Guessable Numeric Token
CVSS 8.1
CVE-2025-10246
LOW
lo Gibhardwaj PHP-Code-For-Unlimited-File-Upload <124fe96324915490c...
CVSS 3.5
CVE-2025-10235
LOW
Scada-LTS < 2.7.8.1 - Stored Cross-Site Scripting in Reports Module Colour Parameter
CVSS 2.4
CVE-2025-10234
LOW
Scada-LTS < 2.7.8.1 - Stored Cross-Site Scripting in Data Point Edit Module
CVSS 2.4
CVE-2025-59041
CRITICAL
Claude Code < 1.0.105 - Remote Code Execution via Git Config User.Email
CVSS 9.8
CVE-2025-58764
CRITICAL
Claude Code < 1.0.105 - Command Injection via Confirmation Prompt Bypass
CVSS 9.8
CVE-2025-59042
HIGH
PyInstaller < 6.0.0 - Unauthenticated Arbitrary Code Execution via Malicious Directory Creation
CVE-2025-58768
CRITICAL
DeepChat < 0.3.5 - Command Injection
CVSS 9.6
CVE-2025-55728
CRITICAL
XWiki Remote Macros 1.0-1.26.4 - Remote Code Execution via Panel Macro Classes Parameter
CVSS 10.0
CVE-2025-55727
CRITICAL
XWiki Remote Macros 1.0-1.26.4 - Remote Code Execution via Column Macro Width Parameter
CVSS 10.0
CVE-2025-9539
HIGH
AutomatorWP < 5.3.6 - Authenticated Remote Code Execution via Automation Import
CVSS 8.0
CVE-2025-9489
MEDIUM
WP-Members Membership Plugin < 3.5.4.2 - RCE
CVSS 5.0
CVE-2025-42922
CRITICAL
SAP NetWeaver AS Java - Privilege Escalation
CVSS 9.9
CVE-2025-10117
LOW
SourceCodester Simple To-Do List System 1.0 - Cross-Site Scripting via Add New Task Component
CVSS 3.5
CVE-2025-58745
CRITICAL
WeGIA < 3.4.11 - Unauthenticated Arbitrary File Upload via Excel MIME Type Bypass
CVSS 9.9
CVE-2025-10099
LOW
Portabilis i-educar < 2.10.0 - Cross-Site Scripting via educar_usuario_cad.php Email Parameter
CVSS 2.4
CVE-2025-10097
MEDIUM
SimStudioAI sim < 1.0.0 - Remote Code Injection via Execute API Code Argument
CVSS 6.3
CVE-2025-57141
CRITICAL
ruisibi rsbi-os 4.7 - Remote Code Execution via sqlite-jdbc
CVSS 9.8
CVE-2025-10088
LOW
SourceCodester Time Tracker 1.0 - Cross-Site Scripting via Project-Name Parameter
CVSS 3.5
Details
Vulnerabilities: 6,491
Exploit Likelihood: Medium