CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,184 vulnerabilities with CWE-94
CVE-2026-35093 HIGH
Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins
CVSS 8.8
CVE-2026-29014 CRITICAL
MetInfo CMS Unauthenticated PHP Code Injection RCE
CVSS 9.8
CVE-2026-5255 MEDIUM
code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting
CVSS 4.3
CVE-2026-5254 LOW
welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting
CVSS 3.5
CVE-2026-5253 LOW
bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting
CVSS 3.5
CVE-2026-5252 LOW
z-9527 admin Message Create Endpoint message.js cross site scripting
CVSS 3.5
CVE-2026-5249 LOW
gougucms Record Endpoint record.html cross site scripting
CVSS 3.5
CVE-2026-35056 HIGH
XenForo Remote Code Execution via Authenticated Admin
CVSS 7.2
CVE-2026-5240 MEDIUM
code-projects BloodBank Managing System admin_state.php cross site scripting
CVSS 4.3
CVE-2026-34585 HIGH
SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution
CVSS 8.6
CVE-2026-34448 CRITICAL
SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client
CVSS 9.0
CVE-2026-4800 HIGH
lodash vulnerable to Code Injection via `_.template` imports key names
CVSS 8.1
CVE-2026-5209 LOW
SourceCodester Leave Application System User Management cross site scripting
CVSS 2.4
CVE-2026-34202 HIGH
Zebra node crash — V5 transaction hash panic (P2P reachable)
CVSS 7.5
CVE-2026-34060 CRITICAL
Ruby LSP has arbitrary code execution through branch setting
CVSS 9.8
CVE-2026-3300 CRITICAL
Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field
CVSS 9.8
CVE-2026-5157 MEDIUM
code-projects Online Food Ordering System Order order.php cross site scripting
CVSS 4.3
CVE-2026-4257 CRITICAL
Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
CVSS 9.8
CVE-2026-30313 CRITICAL
DSAI-Cline - Remote Code Execution via Newline Command Injection
CVSS 9.8
CVE-2026-30308 CRITICAL
HAI Build Code Generator - Remote Code Execution via Safe-Command Prompt Injection
CVSS 9.8
CVE-2026-30306 CRITICAL
SakaDev - Remote Code Execution via Safe-Command Prompt Injection
CVSS 9.8
CVE-2026-30307 CRITICAL
Roo Code - Remote Code Execution via Command Substitution
CVSS 9.8
CVE-2026-30305 CRITICAL
Syntx - Command Injection
CVSS 9.8
CVE-2026-28505 CRITICAL
Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check
CVSS 10.0
CVE-2026-2287 CRITICAL
CrewAI 1.0 - RCE via Sandbox Fallback
CVSS 9.8