CWE-95

Medium likelihood

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

126 vulnerabilities with CWE-95
CVE-2026-6652 MEDIUM
Pagekit CMS StringStorage Template PhpEngine.php evaluate eval injection
CVSS 4.7
CVE-2026-40316 HIGH
OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow
CVSS 8.8
CVE-2026-39423 MEDIUM
Stored XSS via Eval Injection in EchartsRander Component
CVSS 5.4
CVE-2026-33618 HIGH
Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
CVSS 8.8
CVE-2026-5971 HIGH
FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection
CVSS 7.3
CVE-2026-4837 MEDIUM
Eval Injection in Rapid7 Insight Agent
CVSS 6.6
CVE-2026-22666 HIGH
Dolibarr ERP/CRM < 23.0.2 Authenticated RCE via dol_eval_standard()
CVSS 7.2
CVE-2026-35002 CRITICAL
Agno < 2.3.24 field_type Eval Injection Arbitrary Code Execution
CVSS 9.8
CVE-2026-28505 CRITICAL
Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check
CVSS 10.0
CVE-2026-4851 CRITICAL
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization
CVSS 9.8
CVE-2026-4965 HIGH
letta-ai letta Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type eval injection
CVSS 7.3
CVE-2026-4001 CRITICAL
Woocommerce Custom Product Addons Pro <=5.4.1 - RCE
CVSS 9.8
CVE-2026-33017 CRITICAL KEV
Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
CVSS 9.8
CVE-2026-29091 HIGH
Locutus <3.0.0 - RCE
CVSS 8.1
CVE-2026-28370 CRITICAL
OpenStack Vitrage <12.0.1,13.0.0,14.0.0,15.0.0 - Code Injection
CVSS 9.1
CVE-2026-27493 CRITICAL
n8n <2.10.1/2.9.3/1.123.22 - Code Injection
CVSS 9.0
CVE-2026-27702 CRITICAL
Budibase <3.30.4 - Code Injection
CVSS 9.9
CVE-2026-1665 MEDIUM
nvm <0.40.3 - Command Injection
CVE-2026-1470 CRITICAL
NPM N8n < 1.123.17 - Remote Code Execution
CVSS 9.9
CVE-2026-24474 MEDIUM
Dioxus Components <commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a ...
CVE-2026-0769 CRITICAL
Langflow - Code Injection
CVSS 9.8
CVE-2026-23885 MEDIUM
Alchemy <7.4.12,8.0.3 - Code Injection
CVSS 6.4
CVE-2026-0863 HIGH
N8n < 1.123.14 - Code Injection
CVSS 8.5
CVE-2025-40943 CRITICAL
Affected Devices - Code Injection
CVSS 9.6
CVE-2025-50187 CRITICAL
Chamilo <1.11.28 - RCE
CVSS 9.8