CWE-94: Improper Control of Generation of Code ('Code Injection')

Exploit likelihood: Medium

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,492 vulnerabilities with CWE-94 (25 listed below)

CVE ID           Severity  CVSS  Title
CVE-2025-5135    LOW       2.4   Tmall Demo < 2025-05-05 - Cross-Site Scripting via Product Name/Product Title
CVE-2025-5134    LOW       3.5   Tmall Demo < 2025-05-05 - Cross-Site Scripting via Buy Item Page Detailed Address Parameter
CVE-2025-5133    MEDIUM    4.3   Tmall Demo < 2025-05-05 - Cross-Site Scripting in Search Box
CVE-2025-5127    LOW       3.5   FLIR AX8 Firmware 1.46.0-1.46.16 - Cross-Site Scripting via /prod.php cmd Parameter
CVE-2025-30172   HIGH      8.0   ABB ASPECT, NEXUS, and MATRIX <= 3.08.03 - Compromised Admin Code Execution
CVE-2025-45753   HIGH      7.2   vtiger CRM Open Source Edition 8.3.0 - Authenticated Remote Code Execution via ZIP Import Module Import
CVE-2025-45752   HIGH      7.2   SeedDMS 6.0.32 - Authenticated Remote Code Execution via Zip Import in Extension Manager
CVE-2025-27998   HIGH      8.4   Steam Client <1738026274 - Privilege Escalation
CVE-2025-5013    MEDIUM    4.3   HkCms <= 2.3.2.240702 - Cross-Site Scripting via Search Keyword Parameter
CVE-2025-5011    LOW       2.4   moonlightl hexo-boot 4.3.0 - Cross-Site Scripting in Dynamic List Page
CVE-2025-5010    LOW       2.4   moonlightl hexo-boot 4.3.0 - Cross-Site Scripting via Description Argument
CVE-2025-5007    LOW       3.5   Part-DB < 1.17.0 - Cross-Site Scripting via Profile Picture Attachment Upload
CVE-2025-44881   CRITICAL  9.8   Wavlink WL-WN579A3 v1.0 - OS Command Injection via qos.cgi
CVE-2025-4996    LOW       2.4   Intelbras RF 301K 1.1.5 - Cross-Site Scripting via Add Static IP Description Parameter
CVE-2025-46725   CRITICAL  9.8   langroid < 0.53.15 - Remote Code Execution via LanceDocChatAgent QueryPlan.dataframe_calc
CVE-2025-46724   CRITICAL  9.8   langroid < 0.53.15 - Code Injection via TableChatAgent pandas eval()
CVE-2025-4939    MEDIUM    4.3   PHPGurukul Credit Card Application Management System 1.0 - Stored Cross-Site Scripting in /admin/new-ccapplication.php
CVE-2025-26621   HIGH      7.6   OpenCTI < 6.5.2 - Authenticated Denial of Service via Webhook JavaScript Execution
CVE-2025-4866    MEDIUM    6.3   weibocom rill-flow 0.1.18 - Remote Code Injection in Management Console
CVE-2025-4862    MEDIUM    4.3   PHPGurukul Directory Management System 2.0 - Cross-Site Scripting via searchdata Parameter
CVE-2025-4860    LOW       2.4   D-Link DAP-2695 120b36r137_ALL_en_20210528 - Cross-Site Scripting via Static Pool Settings Page f_mac Parameter
CVE-2025-4859    LOW       2.4   D-Link DAP-2695 120b36r137_ALL_en_20210528 - Cross-Site Scripting via MAC Bypass Settings Page
CVE-2025-4858    LOW       2.4   D-Link DAP-2695 120b36r137_ALL_en_20210528 - Cross-Site Scripting via ARP Spoofing Prevention Page
CVE-2025-4852    LOW       2.4   TOTOLINK A3002R 2.1.1-B20230720.1011 - Stored Cross-Site Scripting via VPN Page Comment Parameter
CVE-2025-48120   MEDIUM    5.3   RomanCode MapSVG Lite <8.6.4 - Code Injection