CWE-94

Medium likelihood

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,457 vulnerabilities with CWE-94
CVE-2026-9416 MEDIUM
code-projects Employee Management System myprofile.php cross site scripting
CVSS 4.3
CVE-2026-9415 MEDIUM
code-projects Employee Management System eloginwel.php cross site scripting
CVSS 4.3
CVE-2026-9414 LOW
SourceCodester Indian Invoicing System Invoice Template Render Database-Backed add_order.php cross site scripting
CVSS 3.5
CVE-2026-9413 MEDIUM
SourceCodester Indian Invoicing System category.php cross site scripting
CVSS 4.3
CVE-2026-9377 LOW
SourceCodester SUP Online Shopping productedit.php cross site scripting
CVSS 2.4
CVE-2026-9357 LOW
vBulletin Login cross site scripting
CVSS 3.5
CVE-2026-9302 MEDIUM
546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection
CVSS 6.3
CVE-2026-41149 MEDIUM
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
CVE-2026-41148 MEDIUM
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
CVE-2026-9264 CRITICAL
Cross-Site Scripting in SketchUp Dynamic Components
CVSS 9.3
CVE-2026-42396 MEDIUM
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
CVSS 4.9
CVE-2026-39311 MEDIUM
Trilium Notes: Stored XSS Leads to Unauthorized Remote Code Execution (RCE) via Unsanitized SVG Attachments
CVSS 6.8
CVE-2026-8467 CRITICAL
Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
CVE-2026-22314 CRITICAL
Mesalvo Meona Client Launcher Component - Improper Control of Generation of Code ('Code Injection')
CVSS 9.0
CVE-2026-30117 CRITICAL
scalar/astro 0.1.13 - Arbitrary File Upload and Remote Code Execution via Scalar Proxy scalar_url Parameter
CVSS 9.8
CVE-2026-2586 CRITICAL
Eclipse Glassfish - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVSS 9.1
CVE-2026-46586 HIGH
Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution
CVSS 8.8
CVE-2026-35086 MEDIUM
Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services
CVSS 6.5
CVE-2026-31379 MEDIUM
Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager
CVSS 6.1
CVE-2026-33233 HIGH
AutoGPT Platform: Remote Code Execution via Unsafe Pickle Deserialization of Redis Cache Entries
CVSS 7.6
CVE-2026-8838 CRITICAL
Remote Code Execution via eval() Injection in amazon-redshift-python-driver
CVSS 9.8
CVE-2026-45495 HIGH
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVSS 8.8
CVE-2026-45829 CRITICAL
ChromaDB >=1.0.0 - Unauthenticated Remote Code Execution via Malicious Model Repository
CVE-2026-6902 HIGH
Code Injection in Perforce P4 (Helix Core)
CVE-2026-44717 CRITICAL
MCP Calculate Server: Prompt Injection to RCE
CVSS 9.8