CWE-94 — Improper Control of Generation of Code ('Code Injection')
6,256 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-94 (page 65 of 126)
- CVE-2023-2943 | HIGH | CVSS 8.8 | EG 4.6 | 2023-05-27
  Code Injection in GitHub repository openemr/openemr prior to 7.0.1.
- CVE-2023-29453 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-12
  Templates do not properly consider backticks (`) as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript …
- CVE-2023-29492 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2023-04-11
  Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
- CVE-2023-29509 | CRITICAL | CVSS 9.9 | EG 9.9 | 2023-04-16
  XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the…
- CVE-2023-29566 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-24
  huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 were discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
- CVE-2023-29861 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-15
  An issue found in FLIR-DVTEL version not specified allows a remote attacker to execute arbitrary code via a crafted request to the management page of the device.
- CVE-2023-29862 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-15
  An issue found in Agasio-Camera device version not specified allows a remote attacker to execute arbitrary code via the check and authLevel parameters.
- CVE-2023-29963 | HIGH | CVSS 7.2 | EG 7.2 | 2023-05-05
  S-CMS v5.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /admin/ajax.php.
- CVE-2023-30130 | HIGH | CVSS 8.8 | EG 8.8 | 2023-05-12
  An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
- CVE-2023-30131 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-10-19
  An issue discovered in IXP EasyInstall 6.6.14884.0 allows attackers to run arbitrary commands, gain escalated privilege, and cause other unspecified impacts via unauthenticated API calls.
- CVE-2023-30145 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-26
  Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.
- CVE-2023-30179 | HIGH | CVSS 7.2 | EG 7.2 | 2023-06-13
  CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject a Twig template into the User Photo Location field when setting User Photo Location in User Settings, leading to Remote Code Executio…
- CVE-2023-30349 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-27
  JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.
- CVE-2023-30404 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-26
  Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function. This vulnerability is exploited via a crafted HTTP request.
- CVE-2023-30537 | CRITICAL | CVSS 9.9 | EG 9.9 | 2023-04-16
  XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full acce…
- CVE-2023-30638 | HIGH | CVSS 7.2 | EG 7.2 | 2023-04-14
  Atos Unify OpenScape SBC 10 before 10R3.1.3, OpenScape Branch 10 before 10R3.1.2, and OpenScape BCF 10 before 10R10.7.0 allow remote authenticated admins to inject commands.
- CVE-2023-30912 | HIGH | CVSS 7.2 | EG 7.2 | 2023-10-25
  A remote code execution issue exists in HPE OneView.
- CVE-2023-30990 | HIGH | CVSS 8.6 | EG 5.6 | 2023-07-04
  IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.
- CVE-2023-31037 | HIGH | CVSS 7.2 | EG 7.2 | 2024-01-24
  NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS.
- CVE-2023-31296 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-12-29
  CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.
- CVE-2023-31315 | HIGH | CVSS 7.5 | EG 7.5 | 2024-08-12
  Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.
- CVE-2023-31414 | HIGH | CVSS 8.8 | EG 8.8 | 2023-05-04
  Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to t…
- CVE-2023-31415 | HIGH | CVSS 8.8 | EG 8.8 | 2023-05-04
  Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing a…
- CVE-2023-31447 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-21
  user_login.cgi on Draytek Vigor2620 devices before 3.9.8.4 (and on all versions of Vigor2925 devices) allows attackers to send a crafted payload to modify the content of the code segment, insert shellcode, and execute arbitrary code.
- CVE-2023-31493 | MEDIUM | CVSS 6.6 | EG 6.6 | 2024-10-15
  RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in the language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote s…
- CVE-2023-32095 | CRITICAL | CVSS 9.9 | EG 9.9 | 2023-12-29
  Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinić Rename Media Files. This issue affects Rename Media Files: from n/a through 1.0.1.
- CVE-2023-3224 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-06-13
  Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3.
- CVE-2023-32383 | HIGH | CVSS 7.8 | EG 7.8 | 2024-01-10
  This issue was addressed by forcing hardened runtime on the affected binaries at the system level. This issue is fixed in macOS Monterey 12.6.6, macOS Big Sur 11.7.7, macOS Ventura 13.4. An app may be able to inject code into sensitive bin…
- CVE-2023-32418 | HIGH | CVSS 7.8 | EG 7.8 | 2023-07-27
  The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code execution.
- CVE-2023-32527 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-26
  Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains vulnerable .php files that could allow a remote attacker to execute arbitrary code on affected installations. Please note: an attacker must first obtain the ability to execute lo…
- CVE-2023-32528 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-26
  Trend Micro Mobile Security (Enterprise) 9.8 SP5 contains vulnerable .php files that could allow a remote attacker to execute arbitrary code on affected installations. Please note: an attacker must first obtain the ability to execute lo…
- CVE-2023-32540 | HIGH | CVSS 7.2 | EG 7.2 | 2023-06-06
  In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modi…
- CVE-2023-32546 | MEDIUM | CVSS 4.4 | EG 4.4 | 2023-06-13
  Code injection vulnerability exists in Chatwork Desktop Application (Mac) 2.6.43 and earlier. If this vulnerability is exploited, a non-administrative user of the Mac where the product is installed may store and obtain audio and image data…
- CVE-2023-32626 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-08-18
  Hidden functionality vulnerability in LAN-W300N/RS all versions, and LAN-W300N/PR5 all versions allows an unauthenticated attacker to log in to the product's certain management console and execute arbitrary OS commands.
- CVE-2023-32692 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-05-30
  CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller…
- CVE-2023-32697 | HIGH | CVSS 8.8 | EG 8.8 | 2023-05-23
  SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacts versions 3.6.14.1 through 3.41.2.1 and has been fixed in vers…
- CVE-2023-32728 | MEDIUM | CVSS 4.6 | EG 9.8 | 2023-12-18
  The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command, resulting in a possible remote code execution vulnerability.
- CVE-2023-33131 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-14
  Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2023-33157 | HIGH | CVSS 8.8 | EG 8.8 | 2023-07-11
  Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2023-33206 | MEDIUM | CVSS 6.8 | EG 7.5 | 2024-08-08
  Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR16, 4.0.0 SR06, 4.1.0 SR04, 4.2.0 SR03, and 4.3.0 SR01 fails to validate symlinks during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who…
- CVE-2023-33229 | LOW | CVSS 3.5 | EG 3.1 | 2023-07-26
  The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML.
- CVE-2023-33246 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2023-05-24
  For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission v…
- CVE-2023-33440 | HIGH | CVSS 7.2 | EG 9.0 | 2023-05-26
  Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.
- CVE-2023-33466 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-29
  Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploite…
- CVE-2023-33469 | HIGH | CVSS 7.8 | EG 7.8 | 2023-08-09
  In instances where the screen is visible and remote mouse connection is enabled, KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 can be exploited to achieve local code execution at the root level.
- CVE-2023-33472 | HIGH | CVSS 8.8 | EG 8.8 | 2024-01-13
  An issue discovered in Scada-LTS v2.7.5.2 build 4551883606 and before allows remote attackers with low-level authentication to escalate privileges, execute arbitrary code, and obtain sensitive information via the Event Handlers function.
- CVE-2023-33570 | HIGH | CVSS 8.8 | EG 8.8 | 2023-06-28
  Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI).
- CVE-2023-33733 | HIGH | CVSS 7.8 | EG 7.8 | 2023-06-05
  Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
- CVE-2023-33831 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-09-18
  A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
- CVE-2023-3393 | HIGH | CVSS 7.2 | EG 8.0 | 2023-06-23
  Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1.
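The CVE-2023-29453 entry above is the one item on this page that spells out its mechanism: a Go template action placed inside an ES6 template literal lets a value containing a backtick close the literal and append its own JavaScript. The Go program below is an added example written for this page; it is not code from the Go project or from the advisory. It renders a hypothetical page snippet (`pageSrc`) with a constructed hostile value (`hostilePayload`) in two ways: through text/template, which applies no escaping at all and stands in for the pre-fix outcome in which a backtick from the value reached the output unescaped, and through html/template, which on a patched toolchain (Go 1.20.3 and later) either refuses the action-in-literal construct with an error or escapes the backtick so it cannot terminate the string. The helper names (`renderUnescaped`, `renderEscaped`, `literalBroken`, `safeToServe`) are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// hostilePayload is a constructed attacker-controlled value (not taken from
// the advisory). It tries to close the surrounding JS template literal with a
// backtick, run code, and open a new literal so the page still parses.
const hostilePayload = "`; alert(document.cookie); `"

// pageSrc is a hypothetical page written for this example: a Go template
// action ({{.}}) sitting inside an ES6 template literal, the exact construct
// the advisory describes.
const pageSrc = "<script>var msg = `Hello {{.}}`;</script>"

// renderUnescaped renders pageSrc with text/template, which performs no
// contextual escaping. It shows what raw interpolation of the value looks like.
func renderUnescaped(value string) (string, error) {
	t, err := texttemplate.New("page").Parse(pageSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped renders pageSrc with html/template. Contextual escaping runs
// on first Execute, so a patched toolchain surfaces its refusal (ErrJSTemplate)
// as an Execute error, or else emits the value with backticks escaped.
func renderEscaped(value string) (string, error) {
	t, err := htmltemplate.New("page").Parse(pageSrc)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// literalBroken reports whether the rendered script contains anything other
// than the two backticks that delimit the literal in pageSrc, i.e. whether a
// raw backtick from the value survived and could terminate the string.
func literalBroken(out string) bool {
	return strings.Count(out, "`") != 2
}

// safeToServe is the regression check to keep in CI: true only if
// html/template refused the construct or neutralised the value's backticks.
// On a toolchain older than Go 1.20.3 it returns false for hostilePayload.
func safeToServe(value string) bool {
	out, err := renderEscaped(value)
	if err != nil {
		return true // the construct was rejected; nothing unsafe was emitted
	}
	return !literalBroken(out)
}

func main() {
	raw, err := renderUnescaped(hostilePayload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("text/template, literal broken: %v\n%s\n\n", literalBroken(raw), raw)

	out, err := renderEscaped(hostilePayload)
	if err != nil {
		fmt.Println("html/template refused the template:", err)
	} else {
		fmt.Printf("html/template, literal broken: %v\n%s\n", literalBroken(out), out)
	}
	fmt.Println("safe to serve:", safeToServe(hostilePayload))
}
```

Run it with `go run` on the toolchain you ship with. The check deliberately accepts both patched outcomes (an error or an escaped backtick), because which one a given Go release produces has changed over time; what it must never accept is a third backtick reaching the output, which is the pre-fix behaviour the advisory describes.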