CWE-94
Medium likelihood
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
6,494 vulnerabilities with CWE-94
CVE-2025-23376
LOW
Dell PowerProtect Data Manager 19.16-19.18 - Information Disclosure via Template Injection
CVSS 2.3
CVE-2025-4022
MEDIUM
webarena < 0.2.0 - Remote Code Execution via HTMLContentEvaluator URL Argument
CVSS 6.3
CVE-2025-46661
CRITICAL
IPW Systems Metazo < 8.1.13 - Unauthenticated Remote Code Execution via Smarty Template Injection
CVSS 10.0
CVE-2025-4011
LOW
Redmine 6.0.0-6.0.3 - Cross-Site Scripting via Custom Query Name Parameter
CVSS 3.5
CVE-2025-4000
LOW
Seeyon OA Web Application System 8.1 SP2 - Cross-Site Scripting via ssoproxy.jsp Name Parameter
CVSS 3.5
CVE-2025-3999
LOW
Seeyon Zhiyuan OA Web App 8.1 SP2 - XSS
CVSS 3.5
CVE-2025-3996
LOW
TOTOLINK N150RT 3.4.0-B20190525 - XSS
CVSS 2.4
CVE-2025-3995
LOW
TOTOLINK N150RT 3.4.0-B20190525 - XSS
CVSS 2.4
CVE-2025-3994
LOW
TOTOLINK N150RT 3.4.0-B20190525 - XSS
CVSS 2.4
CVE-2025-3984
MEDIUM
Apereo CAS 5.2.6 - Code Injection in Groovy Code Handler
CVSS 5.0
CVE-2025-3982
MEDIUM
nortikin Sverchok 1.3.0 - Prototype Pollution
CVSS 4.3
CVE-2025-3970
LOW
jsite < 1.0 - Cross-Site Scripting via Remarks Argument
CVSS 3.5
CVE-2025-3965
LOW
itwanger paicoding 1.0.3 - Stored Cross-Site Scripting via /article/app/post Content Argument
CVSS 3.5
CVE-2025-3962
LOW
withstars Books-Management-System 1.0 - XSS
CVSS 3.5
CVE-2025-3961
LOW
withstars Books-Management-System 1.0 - XSS
CVSS 3.5
CVE-2025-3958
LOW
withstars Books-Management-System 1.0 - XSS
CVSS 3.5
CVE-2025-46579
HIGH
ZTE ZXCloud GoldenDB >=6.1.03 <6.1.03.11 - DDE Injection via File Download Interface
CVSS 8.4
CVE-2025-3491
HIGH
Add custom page template < 2.0.1 - Authenticated Remote Code Execution via 'template_name' Parameter
CVSS 7.2
CVE-2025-2801
HIGH
WordPress abcSubmit <= 1.2.4 - Unauthenticated Shortcode Execution
CVSS 7.3
CVE-2025-3642
HIGH
Moodle < 4.1.18 - Authenticated Remote Code Execution via EQUELLA Repository
CVSS 8.8
CVE-2025-3641
HIGH
Moodle < 4.1.18 - Authenticated Remote Code Execution via Dropbox Repository
CVSS 8.8
CVE-2025-32432
CRITICAL
KEV
CraftCMS - Remote Code Execution
CVSS 10.0
CVE-2025-3776
HIGH
WordPress TargetSMS <= 1.5 - Unauthenticated Callable Function Execution
CVSS 8.3
CVE-2025-1976
MEDIUM
KEV
Brocade Fabric OS <9.1.1d6 - Privilege Escalation
CVSS 6.7
CVE-2025-0618
MEDIUM
FireEye EDR HX - Denial of Service via Tamper Protection Event
CVSS 6.5
Details
Vulnerabilities: 6,494
Exploit Likelihood: Medium