CWE-94

Exploit likelihood: Medium

Improper Control of Generation of Code ('Code Injection')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

6,184 vulnerabilities with CWE-94
CVE-2026-5106 LOW
code-projects Exam Form Submission update_fst.php cross site scripting
CVSS 2.4
CVE-2026-5015 MEDIUM
elecV2 elecV2P Endpoint logs cross site scripting
CVSS 4.3
CVE-2026-5011 MEDIUM
elecV2 elecV2P JSON webhook runJSFile code injection
CVSS 6.3
CVE-2026-4998 HIGH
Sinaptik AI PandasAI Chat Message code_executor.py CodeExecutor.execute code injection
CVSS 7.3
CVE-2026-4995 LOW
wandb OpenUI Window Message Event index.html cross site scripting
CVSS 3.5
CVE-2026-4992 MEDIUM
wandb OpenUI HTMLAnnotator server.py get_share HTML injection
CVSS 4.3
CVE-2026-4991 LOW
QDOCS Smart School Management System Admission Enquiry enquiry cross site scripting
CVSS 3.5
CVE-2026-33976 CRITICAL
Notesnook vulnerable to RCE via stored XSS in Web Clipper rendering
CVSS 9.6
CVE-2026-33955 HIGH
Notesnook vulnerable to RCE via stored XSS in Note History diff viewer
CVSS 8.6
CVE-2026-33943 HIGH
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
CVSS 8.8
CVE-2026-33941 HIGH
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
CVSS 8.2
CVE-2026-33940 HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
CVSS 8.1
CVE-2026-33938 HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
CVSS 8.1
CVE-2026-33937 CRITICAL
Handlebars.js has JavaScript Injection via AST Type Confusion
CVSS 9.8
CVE-2026-33881 HIGH
Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor
CVSS 7.2
CVE-2026-33873 CRITICAL
Langflow has Authenticated Code Execution in Agentic Assistant Validation
CVSS 9.9
CVE-2026-4973 LOW
SourceCodester Online Quiz System add-question.php cross site scripting
CVSS 3.5
CVE-2026-4972 LOW
code-projects Online Reviewer System btn_functions.php cross site scripting
CVSS 2.4
CVE-2026-33654 CRITICAL
Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling
CVSS 9.8
CVE-2026-4969 LOW
code-projects Social Networking Site Alert home.php cross site scripting
CVSS 3.5
CVE-2026-4965 HIGH
letta-ai letta Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type eval injection
CVSS 7.3
CVE-2026-4963 MEDIUM
huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection
CVSS 6.3
CVE-2026-27876 CRITICAL
RCE on Grafana via sqlExpressions
CVSS 9.1
CVE-2026-32669 CRITICAL
BUFFALO Wi-Fi router - Code Injection
CVSS 9.8
CVE-2026-4909 LOW
code-projects Exam Form Submission update_s7.php cross site scripting
CVSS 2.4