← Back
CWE-94

6,544 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

JSON object

Loading...

CVEs (6,544)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Churchcrm
1Churchcrm
Jun 17, 2026
Dec 17, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP...Show more
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.Show less
1Ritecms
1Ritecms
Jun 17, 2026
Dec 17, 2025
N/A· v4
7.2 HIGH· v3
N/A· v2
RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function.
1Pagekit
1Pagekit
Jun 17, 2026
Dec 17, 2025
N/A· v4
9.9 CRITICAL· v3
N/A· v2
An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file.
1Xiweicheng
1Teamwork Management System
Jun 17, 2026
Dec 17, 2025
1.9 LOW· v4
4.8 MEDIUM· v3
3.3 LOW· v2
A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scr...Show more
A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
1Claris
1Filemaker Server
Jun 17, 2026
Dec 16, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions...Show more
Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.Show less
1Hpe
1Oneview
Jun 17, 2026
Dec 16, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
A remote code execution issue exists in HPE OneView.
1Trailofbits
1Fickling
Jun 17, 2026
Dec 16, 2025
7.1 HIGH· v4
7.8 HIGH· v3
N/A· v2
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` b...Show more
Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues.Show less
1Thinkinai
1Deepchat
Jun 17, 2026
Dec 16, 2025
N/A· v4
9.6 CRITICAL· v3
N/A· v2
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arb...Show more
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer to the DOM, this Cross-Site Scripting (XSS) flaw escalates to full Remote Code Execution (RCE), allowing an attacker to execute arbitrary system commands. Two concurrent issues, unsafe Mermaid configuration and an exposed IPC interface, cause this issue. Version 0.5.3 contains a patch.Show less
1Ctcms Project
1Ctcms
Jun 17, 2026
Dec 15, 2025
2.0 LOW· v4
7.2 HIGH· v3
5.8 MEDIUM· v2
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Modul...Show more
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.Show less
1Ctcms Project
1Ctcms
Jun 17, 2026
Dec 15, 2025
2.0 LOW· v4
7.2 HIGH· v3
5.8 MEDIUM· v2
A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulat...Show more
A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.Show less
-
-
Jun 17, 2026
Dec 15, 2025
1.9 LOW· v4
2.4 LOW· v3
3.3 LOW· v2
A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing...Show more
A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.Show less
1Zomp
1Zomplog
Jun 17, 2026
Dec 15, 2025
8.6 HIGH· v4
8.8 HIGH· v3
N/A· v2
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload files (such as JavaScript)...Show more
Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload files (such as JavaScript) and rename them to .php via the saveE and rename actions, then execute the resulting PHP payload to run system commands.Show less
1Webedition
1Webedition Cms
Jun 17, 2026
Dec 15, 2025
8.6 HIGH· v4
7.2 HIGH· v3
N/A· v2
Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system co...Show more
Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server.Show less
1Frappe
1Erpnext
Jun 17, 2026
Dec 15, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering...Show more
A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals.Show less
1Frappe
1Erpnext
Jun 17, 2026
Dec 15, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context der...Show more
An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure.Show less
1Frappe
1Erpnext
Jun 17, 2026
Dec 15, 2025
N/A· v4
4.3 MEDIUM· v3
N/A· v2
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.rende...Show more
An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Terms and Conditions document can inject arbitrary Jinja expressions into the terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.Show less
1Frappe
1Erpnext
Jun 17, 2026
Dec 15, 2025
N/A· v4
4.3 MEDIUM· v3
N/A· v2
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe...Show more
An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information.Show less
1Frappe
1Erpnext
Jun 17, 2026
Dec 15, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.re...Show more
An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information.Show less
1Mayan Edms
1Mayan Edms
Jun 17, 2026
Dec 14, 2025
2.1 LOW· v4
6.1 MEDIUM· v3
5.0 MEDIUM· v2
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote...Show more
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."Show less
1Fabian
1Student File Management System
Jun 17, 2026
Dec 14, 2025
1.9 LOW· v4
4.8 MEDIUM· v3
3.3 LOW· v2
A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting....Show more
A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.Show less