← Back
CWE-94

6,544 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

JSON object

Loading...

CVEs (6,544)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
-
-
Jun 17, 2026
Nov 7, 2025
9.2 CRITICAL· v4
N/A· v3
N/A· v2
Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exp...Show more
Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server authentication, or screen mirroring are enabled to gain access or execute commands on affected devices. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-02-05 UTC.Show less
-
-
Jun 17, 2026
Nov 6, 2025
N/A· v4
10.0 CRITICAL· v3
N/A· v2
Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.This issue affects HAPPY: from n/a through <= 1.0.7.
-
-
Jun 17, 2026
Nov 6, 2025
N/A· v4
9.1 CRITICAL· v3
N/A· v2
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With...Show more
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9.Show less
-
-
Jun 17, 2026
Nov 6, 2025
N/A· v4
9.9 CRITICAL· v3
N/A· v2
Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.This issue affects Widget Logic: from n/a through <= 6.0.5.
1Wso2
6Api Control Plane
Api ManagerEnterprise Integrator+3 more
Jun 17, 2026
Nov 5, 2025
N/A· v4
7.2 HIGH· v3
N/A· v2
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute a...Show more
An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the GraalJS and NashornJS Script Mediator engines. Authenticated users with elevated privileges can execute arbitrary code within the integration runtime environment. By default, access to these scripting engines is limited to administrators in WSO2 Micro Integrator and WSO2 Enterprise Integrator, while in WSO2 API Manager, access extends to both administrators and API creators. This may allow trusted-but-privileged users to perform unauthorized actions or compromise the execution environment.Show less
2Jorenbroekema
Silentmatt
2Javascript Expression Evaluator
Javascript Expression Evaluator
Jun 17, 2026
Nov 5, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass...Show more
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object into the evaluate() function and trigger arbitrary code execution.Show less
1Anysphere
1Cursor
Jun 17, 2026
Nov 4, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor re...Show more
Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injection or malicious model attach. Only affects systems supporting NTFS. This issue is fixed in version 2.0.Show less
1Xibosignage
1Xibo
Jun 17, 2026
Nov 4, 2025
N/A· v4
7.2 HIGH· v3
N/A· v2
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionali...Show more
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits.Show less
1Salesforce
1Agentforce Vibes
Jun 17, 2026
Nov 4, 2025
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0...Show more
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.Show less
1Salesforce
1Agentforce Vibes
Jun 17, 2026
Nov 4, 2025
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Code Injection.This issue affects Agentforce Vibes Extension: before 3.2.0.
1Salesforce
1Mulesoft Anypoint Code Builder
Jun 17, 2026
Nov 4, 2025
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: befo...Show more
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Manipulating Writeable Configuration Files.This issue affects Mulesoft Anypoint Code Builder: before 1.12.1.Show less
1Salesforce
1Mulesoft Anypoint Code Builder
Jun 17, 2026
Nov 4, 2025
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allows Code Injection.This issue affects Mulesoft Anypoint Code Builder: before 1.11.6.
1Kagilum
1Icescrum
Jun 17, 2026
Nov 3, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
A remote code execution (RCE) vulnerability in the Postgres Drivers component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via a crafted HTML page.
-
-
Jun 17, 2026
Nov 1, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code ed...Show more
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.Show less
-
-
Jun 17, 2026
Nov 1, 2025
N/A· v4
7.3 HIGH· v3
N/A· v2
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly res...Show more
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_ like get_the_excerpt which can make information exposure possible.Show less
1Logicaldoc
1Logicaldoc
Jun 17, 2026
Oct 31, 2025
2.0 LOW· v4
5.4 MEDIUM· v3
4.0 MEDIUM· v2
A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the att...Show more
A vulnerability was determined in LogicalDOC Community Edition up to 9.2.1. This affects an unknown part of the component API Key creation UI. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.Show less
1Veeam
1Veeam Backup & Replication
Jun 17, 2026
Oct 31, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
1Nagios
1Log Server
Jun 17, 2026
Oct 30, 2025
9.4 CRITICAL· v4
9.8 CRITICAL· v3
N/A· v2
Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply c...Show more
Nagios Log Server versions prior to 2024R1.3.1 contain a code injection vulnerability where malformed dashboard ID values are not properly validated before being forwarded to an internal API. An attacker able to supply crafted dashboard ID values can cause the system to execute attacker-controlled data, leading to arbitrary code execution in the context of the Log Server process.Show less
-
-
Jun 17, 2026
Oct 30, 2025
N/A· v4
8.8 HIGH· v3
N/A· v2
An issue in BusinessNext CRMnext v.10.8.3.0 allows a remote attacker to execute arbitrary code via the comments input parameter.
-
-
Jun 17, 2026
Oct 30, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization.