CWE-94

6,560 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.


CVEs (6,560)

Each record below lists the vendor and product as shown in the listing ("-" where none is given), the updated and published dates, and the CVSS scores for v4, v3 and v2, followed by the CVE description.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 9.1 CRITICAL, v2 N/A
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and Documents). The application unsafely evaluates user-supplied input directly through the Smarty template engine. By leveraging this, an authenticated attacker with administrative privileges can bypass current restrictions and call native PHP functions within the templates, such as readgzfile() to read sensitive configuration files, or error_log() to write a malicious PHP web shell, ultimately achieving Information Disclosure and full Remote Code Execution (RCE). This vulnerability is fixed in 6.7.0.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 13, 2026 | CVSS: v4 7.3 HIGH, v3 N/A, v2 N/A
A code injection vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to its AppleScript interface, allowing a locally authenticated non-admin user to leverage this exposed Apple Event handler to send unauthorized commands to the browser.

Vendor: Vm2 Project | Product: Vm2 | Updated: Jun 30, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 N/A
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.

Vendor: Vm2 Project | Product: Vm2 | Updated: Jun 30, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 N/A
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox. This vulnerability is fixed in 3.11.0.

Vendor: Vm2 Project | Product: Vm2 | Updated: Jun 30, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 N/A
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object to escape the sandbox; one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Vendor: Protobufjs Project | Product: Protobufjs Cli | Updated: Jun 17, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 8.7 HIGH, v2 N/A
protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.

Vendor: Protobufjs Project | Product: Protobufjs | Updated: Jul 2, 2026 | Published: May 13, 2026 | CVSS: v4 7.7 HIGH, v3 8.8 HIGH, v2 N/A
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vendor: Protobufjs Project | Product: Protobufjs | Updated: Jun 17, 2026 | Published: May 13, 2026 | CVSS: v4 N/A, v3 8.1 HIGH, v2 N/A
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.

Vendor: Claris | Product: Filemaker Cloud | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 7.2 HIGH, v2 N/A
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 10.0 CRITICAL, v2 N/A
ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is fixed in 7.3.2.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 6.5 MEDIUM, v2 N/A
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 9.4 CRITICAL, v2 N/A
Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

Vendor: Wftpserver | Product: Wing Ftp Server | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 8.6 HIGH, v3 7.2 HIGH, v2 N/A
Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 9.2 CRITICAL, v3 8.1 HIGH, v2 N/A
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuration scenarios to achieve code execution, and this issue is not mitigated by the SPIP security screen.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 8.7 HIGH, v3 8.8 HIGH, v2 N/A
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability to achieve code execution that bypasses the SPIP security screen protections.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 8.8 HIGH, v2 N/A
AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

Vendor: Microsoft | Product: Dynamics 365 | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 9.9 CRITICAL, v2 N/A
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Vendor: Microsoft | Product: Data Formulator | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 8.8 HIGH, v2 N/A
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.

Vendor: - | Product: - | Updated: Jun 30, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 N/A
The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.

Vendor: - | Product: - | Updated: Jun 17, 2026 | Published: May 12, 2026 | CVSS: v4 N/A, v3 9.8 CRITICAL, v2 N/A
Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the post_install field. The script path is constructed from untrusted manifest data and executed without proper validation or sanitization, allowing remote code execution. An attacker who can publish malicious packages to the Hub can inject arbitrary code that will be executed on any system where a victim installs the malicious package.