CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,457 vulnerabilities with CWE-94
CVE-2026-8430 HIGH
SPIP < 4.4.14 Remote Code Execution via nginx
CVSS 8.1
CVE-2026-8429 HIGH
SPIP < 4.4.14 Remote Code Execution via Private Space
CVSS 8.8
CVE-2026-43892 HIGH
AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection
CVSS 8.8
CVE-2026-42898 CRITICAL
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
CVSS 9.9
CVE-2026-41094 HIGH
Microsoft Data Formulator Remote Code Execution Vulnerability
CVSS 8.8
CVE-2026-31236 CRITICAL
llm CLI < 0.27.1 - Remote Code Execution via --functions Argument
CVSS 9.8
CVE-2026-31233 CRITICAL
Guardrails AI Hub <0.6.7 - Code Injection
CVSS 9.8
CVE-2026-31231 CRITICAL
Cognee <=0.4.0 Notebook Cell Execution API - Remote Code Execution
CVSS 9.8
CVE-2026-31228 CRITICAL
Adversarial Robustness Toolbox thru 1.20.1 - Remote Code Execution
CVSS 9.8
CVE-2026-31225 HIGH
superduper <=0.10.0 Query Parser - Remote Code Execution
CVSS 8.8
CVE-2026-31220 CRITICAL
PySyft <=0.9.5 Syft Server - Remote Code Execution
CVSS 9.8
CVE-2026-31217 CRITICAL
optimate - Remote Code Execution via Unsafe Model Directory Loading
CVSS 9.8
CVE-2026-40129 MEDIUM
Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
CVSS 4.3
CVE-2026-43874 HIGH
WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
CVSS 7.2
CVE-2026-37630 HIGH
QuickJS-NG 0.12.1 - Remote Code Execution via js_mapped_arguments_mark Function
CVSS 7.3
CVE-2026-42603 HIGH
OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target
CVSS 8.8
CVE-2026-31253 HIGH
flash-attention thru e724e2588c - Deserialization
CVSS 7.3
CVE-2026-31252 MEDIUM
CosyVoice <=6e01309 Remote Code Execution via Insecure Model File Deserialization
CVSS 5.7
CVE-2026-31251 HIGH
CosyVoice thru 6e01309 - Deserialization
CVSS 7.3
CVE-2026-42607 CRITICAL
Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
CVSS 9.1
CVE-2026-8262 LOW
Devs Palace ERP Online chart-save cross site scripting
CVSS 2.4
CVE-2026-8256 LOW
Devs Palace ERP Online mr-save cross site scripting
CVSS 2.4
CVE-2026-8255 LOW
Devs Palace ERP Online add_new_customer cross site scripting
CVSS 2.4
CVE-2026-8254 LOW
Devs Palace ERP Online sales_save cross site scripting
CVSS 2.4
CVE-2026-8253 LOW
Devs Palace ERP Online purchase_save cross site scripting
CVSS 2.4