CWE-94: Improper Control of Generation of Code ('Code Injection')

Exploit likelihood: Medium

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,494 vulnerabilities with CWE-94
| CVE | Severity | CVSS | Description |
|---|---|---|---|
| CVE-2025-26996 | MEDIUM | 6.5 | Fetch Designs Sign-up Sheets <2.3.0.1 - Code Injection |
| CVE-2025-29281 | HIGH | 8.8 | PerfreeBlog 4.0.11 - Authenticated Arbitrary File Upload and Code Execution via Attach Component |
| CVE-2025-3579 | CRITICAL | | AiDex < 1.7 - Authenticated Remote Code Execution via Prompt Injection in Chat Message Endpoint |
| CVE-2025-3613 | LOW | 3.5 | Demtec Graphytics 5.0.7 - Cross-Site Scripting via Visualization Description Parameter |
| CVE-2025-3612 | MEDIUM | 4.3 | Demtec Graphytics 5.0.7 - Cross-Site Scripting via HTTP GET Parameter Handler |
| CVE-2025-3592 | LOW | 3.5 | My-Blog-layui 1.0 - Cross-Site Scripting in /admin/v1/link/edit |
| CVE-2025-3591 | LOW | 3.5 | ZHENFENG13 My-Blog-layui 1.0 - Cross-Site Scripting in /admin/v1/blog/edit |
| CVE-2025-3570 | LOW | 3.5 | JamesZBL db-hospital-drug 1.0 - Cross-Site Scripting in ContentController Save Function |
| CVE-2025-3568 | LOW | 3.5 | Webkul Krayin CRM <= 2.1.0 - Cross-Site Scripting in SVG File Handler |
| CVE-2025-3563 | MEDIUM | 4.7 | WuzhiCMS 4.1 - Remote Code Execution via Setting Handler |
| CVE-2025-3560 | LOW | 3.5 | ghostxbh uzy-ssm-mall 1.0.0 - Cross-Site Scripting via product_name Parameter |
| CVE-2025-3554 | MEDIUM | 4.3 | phpshe 1.8 - Cross-Site Scripting via api.php?mod=cron&act=buyer Parameter |
| CVE-2025-3533 | MEDIUM | 4.3 | YouDianCMS 9.5.21 - Cross-Site Scripting via Parent Argument in Channel Index |
| CVE-2025-3532 | MEDIUM | 4.3 | YouDianCMS 9.5.21 - Cross-Site Scripting via OrderNumber Parameter |
| CVE-2025-3531 | MEDIUM | 4.3 | YouDianCMS 9.5.21 - Cross-Site Scripting via UserName/LogType Argument |
| CVE-2025-3422 | MEDIUM | 5.4 | Everest Forms < 3.1.1 - Authenticated Arbitrary Shortcode Execution via do_shortcode |
| CVE-2025-32383 | MEDIUM | 4.3 | maxkb < 1.10.4 - Authenticated Remote Code Execution via Function Library Module |
| CVE-2025-2809 | HIGH | 7.3 | Azurecurve Shortcodes in Comments <2.0.2 - RCE |
| CVE-2025-2805 | HIGH | 7.3 | ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution via do_shortcode |
| CVE-2025-3489 | MEDIUM | 4.3 | Nababur Simple-User-Management-System 1.0 - Cross-Site Scripting via Register.php Name/Username Parameter |
| CVE-2025-3115 | CRITICAL | 9.8 | TIBCO Spotfire Enterprise Runtime for R < 6.1.5 - Code Injection and Arbitrary File Upload |
| CVE-2025-3114 | CRITICAL | | Spotfire Enterprise Runtime for R < 1.4 - Code Execution via Malicious Files |
| CVE-2025-31330 | CRITICAL | 9.9 | SAP Landscape Transformation (Analysis Platform) - Authenticated ABAP Code Injection via RFC Function Module |
| CVE-2025-30013 | MEDIUM | 6.7 | SAP ERP BW Business Content - Command Injection |
| CVE-2025-27429 | CRITICAL | 9.9 | SAP S/4HANA (Private Cloud) - Authenticated ABAP Code Injection via RFC Function Module |