CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,492 vulnerabilities with CWE-94
CVE-2025-7110 LOW
Portabilis i-Educar 2.9.0 - Cross-Site Scripting via Escola Parameter in School Module
CVSS 3.5
CVE-2025-7109 LOW
Portabilis i-Educar 2.9.0 - Cross-Site Scripting via Student Benefits Registration
CVSS 3.5
CVE-2025-7101 MEDIUM
BoyunCMS < 1.4.20 - Remote Code Injection via db_pass Parameter in Configuration File Handler
CVSS 6.3
CVE-2025-5333 CRITICAL
Broadcom Symantec IT Management Suite - Service Process Code Execution
CVE-2025-52718 HIGH
Bearsthemes Alone <7.8.2 - Code Injection
CVSS 7.2
CVE-2025-49302 CRITICAL
Scott Paterson Easy Stripe <1.1 - Code Injection
CVSS 10.0
CVE-2025-7053 LOW
Cockpit < 2.11.4 - Cross-Site Scripting via User Save Endpoint
CVSS 3.5
CVE-2025-34089 CRITICAL
Remote for Mac <= 2025.7 - Unauthenticated Remote Code Execution via X-Script Header
CVE-2025-34086 HIGH
Bolt CMS <3.7.0 - Authenticated RCE
CVSS 8.8
CVE-2025-34061 CRITICAL
PHPStudy 2016-2018 - Unauthenticated Remote Code Execution via Accept-Charset Header
CVE-2025-34079 HIGH
NSClient++ <0.5.2.35 - Authenticated RCE
CVSS 7.8
CVE-2025-34074 CRITICAL
Lucee Admin Scheduled Task - Remote CFM File Code Execution
CVE-2025-37099 CRITICAL
HPE Insight Remote Support < 7.15.0.646 - Remote Code Execution
CVSS 9.8
CVE-2025-49029 CRITICAL
bitto.Kazi Custom Login And Signup Widget <1.0 - Code Injection
CVSS 9.1
CVE-2025-49521 HIGH
Ansible Automation Platform - Command Injection
CVSS 8.8
CVE-2025-6849 LOW
Simple Forum 1.0 - Cross-Site Scripting via forum_edit1.php Text Parameter
CVSS 3.5
CVE-2025-6778 LOW
Food Distributor Site 1.0 - Cross-Site Scripting via site_phone/site_email/address Parameters
CVSS 2.4
CVE-2025-28993 HIGH
Jose Content No Cache <0.1.3 - Code Injection
CVSS 8.6
CVE-2025-6700 MEDIUM
xxl-sso 1.1.0 - Cross-Site Scripting via Error Message Parameter
CVSS 4.3
CVE-2025-6699 LOW
LabRedesCefetRJ WeGIA 3.4.0 - Cross-Site Scripting via Nome/Sobrenome Parameter
CVSS 3.5
CVE-2025-6698 LOW
WeGIA 3.4.0 - Cross-Site Scripting via Insira o novo tipo Parameter
CVSS 3.5
CVE-2025-6697 LOW
WeGIA 3.4.0 - Cross-Site Scripting via Adicionar tipo Insira o novo tipo Parameter
CVSS 3.5
CVE-2025-6696 LOW
LabRedesCefetRJ WeGIA 3.4.0 - Cross-Site Scripting via Cadastro de Atendio Nome/Sobrenome Parameter
CVSS 3.5
CVE-2025-53002 HIGH
LLaMA-Factory <= 0.9.3 - Remote Code Execution via Malicious Checkpoint Path Parameter
CVSS 8.3
CVE-2025-6695 LOW
LabRedesCefetRJ WeGIA 3.4.0 - Cross-Site Scripting via Additional Categoria Input
CVSS 3.5