CWE-94: Improper Control of Generation of Code (Code Injection)
6,207 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-94 (page 59 of 125)
- CVE-2022-29078 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-25
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option w…
- CVE-2022-29115 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-10
Windows Fax Service Remote Code Execution Vulnerability
- CVE-2022-29171 | MEDIUM | CVSS 6.6 | EG 6.6 | 2022-05-06
Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site ad…
- CVE-2022-29216 | HIGH | CVSS 7.8 | EG 7.8 | 2022-05-21
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path w…
- CVE-2022-29221 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-24
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include…
- CVE-2022-29307 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-05-12
IonizeCMS v1.0.8.1 was discovered to contain a command injection vulnerability via the function copy_lang_content in application/models/lang_model.php.
- CVE-2022-29813 | MEDIUM | CVSS 6.9 | EG 6.7 | 2022-04-28
In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible
- CVE-2022-29814 | MEDIUM | CVSS 6.9 | EG 7.7 | 2022-04-28
In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible
- CVE-2022-29815 | MEDIUM | CVSS 6.9 | EG 6.7 | 2022-04-28
In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible
- CVE-2022-29819 | MEDIUM | CVSS 6.9 | EG 7.7 | 2022-04-28
In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible
- CVE-2022-29821 | MEDIUM | CVSS 6.9 | EG 7.7 | 2022-04-28
In JetBrains Rider before 2022.1 local code execution via links in ReSharper Quick Documentation was possible
- CVE-2022-30083 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-30
EllieGrid Android Application version 3.4.1 is vulnerable to Code Injection. The application appears to evaluate user input as code (remote).
- CVE-2022-30141 | HIGH | CVSS 8.1 | EG 8.1 | 2022-06-15
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- CVE-2022-30145 | HIGH | CVSS 7.5 | EG 7.5 | 2022-06-15
Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
- CVE-2022-30175 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-09
Azure RTOS GUIX Studio Remote Code Execution Vulnerability
- CVE-2022-30194 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-09
Windows WebBrowser Control Remote Code Execution Vulnerability
- CVE-2022-3033 | HIGH | CVSS 8.1 | EG 8.1 | 2022-12-22
If a Thunderbird user replied to a crafted HTML email containing a `meta` tag, with the `meta` tag having the `http-equiv="refresh"` attribute, and the content attribute specifying an URL, then Thunderbird …
- CVE-2022-30580 | HIGH | CVSS 7.8 | EG 7.8 | 2022-08-10
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path…
- CVE-2022-30877 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-08
The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.
- CVE-2022-31161 | CRITICAL | CVSS 10.0 | EG 10.0 | 2022-07-15
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the…
- CVE-2022-31491 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-08-22
Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web interface related to detection of a managed UPS…
- CVE-2022-31691 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-04
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library …
- CVE-2022-31860 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-09-06
An issue discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule.
- CVE-2022-32054 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-07
Tenda AC10 US_AC10V1.0RTL_V15.03.06.26_multi_TD01 was discovered to contain a remote code execution (RCE) vulnerability via the lanIp parameter.
- CVE-2022-3236 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2022-09-23
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
- CVE-2022-32409 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-14
A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.
- CVE-2022-32417 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-14
PbootCMS v3.1.2 was discovered to contain a remote code execution (RCE) vulnerability via the function parserIfLabel at function.php.
- CVE-2022-3242 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-09-20
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
- CVE-2022-3245 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-09-20
HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
- CVE-2022-32897 | HIGH | CVSS 7.8 | EG 7.8 | 2024-06-10
A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.5. Processing a maliciously crafted tiff file may lead to arbitrary code execution.
- CVE-2022-32924 | HIGH | CVSS 7.8 | EG 7.8 | 2022-11-01
The issue was addressed with improved memory handling. This issue is fixed in tvOS 16.1, macOS Big Sur 11.7, macOS Ventura 13, watchOS 9.1, iOS 16.1 and iPadOS 16, macOS Monterey 12.6. An app may be able to execute arbitrary code with kern…
- CVE-2022-33721 | MEDIUM | CVSS 4.4 | EG 5.5 | 2022-08-05
A vulnerability using PendingIntent in DeX for PC prior to SMR Aug-2022 Release 1 allows attackers to access files with system privilege.
- CVE-2022-33725 | MEDIUM | CVSS 4.0 | EG 3.3 | 2022-08-05
A vulnerability using PendingIntent in Knox VPN prior to SMR Aug-2022 Release 1 allows attackers to access content providers with system privilege.
- CVE-2022-3383 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-29
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func()…
- CVE-2022-3384 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-29
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). Thi…
- CVE-2022-3394 | HIGH | CVSS 7.2 | EG 7.2 | 2022-10-25
The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbit…
- CVE-2022-3401 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-28
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulne…
- CVE-2022-3418 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-07
The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbi…
- CVE-2022-34456 | HIGH | CVSS 8.8 | EG 8.8 | 2023-01-18
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the applicati…
- CVE-2022-34625 | HIGH | CVSS 7.2 | EG 7.2 | 2022-08-02
Mealie 1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template.
- CVE-2022-34663 | HIGH | CVSS 8.0 | EG 8.0 | 2022-07-12
A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDCOM i801, RUGGEDCOM i801NC, RUGGEDCOM i802, RUGGEDCOM i802NC, RUGGEDCOM i803, RUGGEDCOM i803NC, RUGGEDCOM M2100, RUGGEDCOM M2100F, RUGGEDCOM M2100NC, RUGGEDCOM …
- CVE-2022-34714 | HIGH | CVSS 8.1 | EG 8.1 | 2022-08-09
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
- CVE-2022-34715 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-09
Windows Network File System Remote Code Execution Vulnerability
- CVE-2022-34821 | HIGH | CVSS 7.6 | EG 9.8 | 2022-07-12
A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2), SCALANCE M8…
- CVE-2022-35516 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-17
DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php.
- CVE-2022-35649 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-25
A vulnerability found in Moodle occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Suc…
- CVE-2022-35743 | HIGH | CVSS 7.8 | EG 7.8 | 2023-05-31
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
- CVE-2022-35766 | HIGH | CVSS 8.1 | EG 8.1 | 2022-08-09
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
- CVE-2022-35767 | HIGH | CVSS 8.1 | EG 8.1 | 2022-08-09
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
- CVE-2022-35772 | HIGH | CVSS 7.2 | EG 7.2 | 2022-08-09
Azure Site Recovery Remote Code Execution Vulnerability