Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-95

CWE-95

Medium likelihood

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

138 vulnerabilities with CWE-95

CVE-2026-29091 HIGH

locutus < 3.0.0 - Remote Code Execution via call_user_func_array Eval Injection

CVE-2026-28370 CRITICAL

OpenStack Vitrage <12.0.1,13.0.0,14.0.0,15.0.0 - Code Injection

CVE-2026-27493 CRITICAL

n8n <2.10.1/2.9.3/1.123.22 - Code Injection

CVE-2026-27702 CRITICAL

Budibase < 3.30.4 - Authenticated Remote Code Execution via Unsafe Eval in View Filtering

CVE-2026-1665 MEDIUM

nvm < 0.40.3 - OS Command Injection via NVM_AUTH_HEADER Environment Variable

CVE-2026-1470 CRITICAL

NPM N8n < 1.123.17 - Remote Code Execution

CVE-2026-24474 MEDIUM

Dioxus Components <commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a ...

CVE-2026-0769 CRITICAL

Langflow - Unauthenticated Remote Code Execution via eval_custom_component_code

CVE-2026-23885 MEDIUM

Alchemy <7.4.12,8.0.3 - Code Injection

CVE-2026-0863 HIGH

n8n < 1.123.14 - Authenticated Remote Code Execution via Python Task Executor Sandbox Escape

CVE-2025-40943 CRITICAL

SIMATIC S7-1500 Software Controller CPU 1507S F V4 - Authenticated Code Injection via Crafted Trace File Import

CVE-2025-50187 CRITICAL

Chamilo < 1.11.28 - Remote Code Execution via SOAP Request Parameter

CVE-2025-15551 MEDIUM

TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, TL-WR845N v4 - RCE

CVE-2025-68271 CRITICAL

OpenC3 COSMOS 5.0.0-6.10.1 - Unauthenticated Remote Code Execution via JSON-RPC API String Parameter

CVE-2025-54322 CRITICAL

Xspeeder SXZOS < 2025-12-26 - Unauthenticated Remote Code Execution via Base64-Encoded Python Code in chkid Parameter

CVE-2025-43466 MEDIUM

macOS < 26.1 - Unprotected User Data Exposure via Injection Issue

CVE-2025-43388 MEDIUM

macOS < 26.1 - Unprotected User Data Exposure via Code Injection

CVE-2025-65530 HIGH

CloudLinux ai-bolit <v32.7.4 - Code Injection

CVE-2025-66474 HIGH

XWiki Rendering < 16.10.10, 17.0.0-rc-1-17.4.2, 17.5.0-rc-1-17.5.0 - Remote Code Execution via HTML Macro Injection

CVE-2025-12140 CRITICAL

Wirtualna Uczelnia - redirectUrlParameter Java Expression Code Execution

CVE-2025-64496 HIGH

Open WebUI < 0.6.35 - Remote Code Execution via Direct Connections SSE Event Injection

CVE-2025-61955 HIGH

F5OS-A F5OS-C - Privilege Escalation

CVE-2025-48868 HIGH

Horilla 1.3.0 - Authenticated Remote Code Execution via Eval Injection in project_bulk_archive

CVE-2025-55728 CRITICAL

XWiki Remote Macros 1.0-1.26.4 - Remote Code Execution via Panel Macro Classes Parameter

CVE-2025-55727 CRITICAL

XWiki Remote Macros 1.0-1.26.4 - Remote Code Execution via Column Macro Width Parameter

Previous Page 2 of 6 Next

Details

Vulnerabilities 138

Exploit Likelihood Medium

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy