CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,494 vulnerabilities with CWE-94
CVE-2025-23186 HIGH
SAP NetWeaver Application Server ABAP - RCE
CVSS 8.5
CVE-2025-3397 MEDIUM
YzmCMS 7.1 - Cross-Site Scripting via gourl Argument in message.tpl
CVSS 4.3
CVE-2025-3393 LOW
mrcen springboot-ucan-admin - Cross-Site Scripting in Personal Settings Interface
CVSS 3.5
CVE-2025-3392 LOW
hailey888 oa_system <2025.01.01 - XSS
CVSS 3.5
CVE-2025-3391 LOW
hailey888 oa_system <2025.01.01 - XSS
CVSS 3.5
CVE-2025-3390 LOW
hailey888 oa_system <2025.01.01 - XSS
CVSS 3.5
CVE-2025-3389 LOW
hailey888 oa_system < 2025.01.01 - Cross-Site Scripting via InformManageController menu Argument
CVSS 3.5
CVE-2025-3388 MEDIUM
hailey888 oa_system <2025.01.01 - XSS
CVSS 4.3
CVE-2025-3387 LOW
renrenio renren-security <5.4.0 - XSS
CVSS 3.5
CVE-2025-3386 LOW
pb-cms 2.0 - Cross-Site Scripting in Friendship Link Handler
CVSS 2.4
CVE-2025-3385 LOW
pb-cms 2.0 - Stored Cross-Site Scripting via Classification Name Parameter
CVSS 2.4
CVE-2025-3248 CRITICAL KEV
Langflow AI - Unauthenticated Remote Code Execution
CVSS 9.8
CVE-2025-3327 LOW
iteaj iboot 1.1.3 - Cross-Site Scripting via File Upload
CVSS 3.5
CVE-2025-3326 LOW
iteaj iboot 1.1.3 - Cross-Site Scripting via File Upload
CVSS 3.5
CVE-2025-3297 LOW
SourceCodester Online Eyewear Shop 1.0 - XSS
CVSS 3.5
CVE-2025-3253 LOW
admintwo 1.0 - Cross-Site Scripting via /ztree/insertTree Name Parameter
CVSS 3.5
CVE-2025-3252 LOW
admintwo 1.0 - Cross-Site Scripting via Name Parameter in /resource/add
CVSS 3.5
CVE-2025-3251 LOW
admintwo 1.0 - Cross-Site Scripting via User UpdateSet Motto Parameter
CVSS 3.5
CVE-2025-28146 CRITICAL
Edimax BR-6478AC V3 Firmware 1.0.15 - OS Command Injection via fota_url Parameter
CVSS 9.8
CVE-2025-3219 LOW
Perfex CRM 3.2.1 - Stored Cross-Site Scripting in Project Discussions Module
CVSS 3.5
CVE-2025-29064 CRITICAL
TOTOLINK X18 v.9.1.0cu.2024_B20220329 - Remote Code Execution via cstecgi.cgi sub_410E54 Function
CVSS 9.8
CVE-2025-26818 CRITICAL
Netwrix Password Secure <= 9.2 - OS Command Injection
CVSS 9.8
CVE-2025-3164 MEDIUM
Tencent Music Entertainment SuperSonic <= 0.9.8 - Remote Code Execution via H2 Database Connection Handler
CVSS 4.7
CVE-2025-3163 MEDIUM
InternLM LMDeploy <= 0.7.1 - Code Injection in Open Function
CVSS 5.3
CVE-2025-3157 LOW
Intelbras WRN 150 1.0.15_pt_ITB01 - XSS
CVSS 2.4