CWE-94: Improper Control of Generation of Code (Code Injection)
6,260 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-94 (page 76 of 126)
- CVE-2024-13929 | HIGH | CVSS 7.2 | EG 7.2 | 2025-05-22
  Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3…
- CVE-2024-13952 | HIGH | CVSS 8.4 | EG 8.4 | 2025-05-22
  Predictable filename vulnerabilities in ASPECT may expose sensitive information to a potential attacker if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Ser…
- CVE-2024-14020 | MEDIUM | CVSS 5.0 | EG 5.0 | 2026-01-07
  A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improper…
- CVE-2024-1490 | HIGH | CVSS 7.2 | EG 7.2 | 2026-04-09
  An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell com…
- CVE-2024-1577 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-12
  Remote Code Execution vulnerability in MegaBIP software allows an attacker to execute arbitrary code on the server without authentication by saving attacker-crafted PHP code to one of the website files. This issue affects MegaBIP so…
- CVE-2024-1705 | MEDIUM | CVSS 5.6 | EG 5.6 | 2024-02-21
  A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation lead…
- CVE-2024-1706 | LOW | CVSS 3.5 | EG 3.5 | 2024-02-21
  A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input `<marquee>hi` causes cross site scripting. Remote exploitat…
- CVE-2024-1885 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-02-26
  This vulnerability allows remote attackers to execute arbitrary code on the affected webOS of LG Signage.
- CVE-2024-2016 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-03-21
  A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possib…
- CVE-2024-20359 | MEDIUM | CVSS 6.0 | EG 9.0 | KEV | 2024-04-24
  A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allo…
- CVE-2024-20485 | MEDIUM | CVSS 6.0 | EG 6.0 | 2024-10-23
  A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. …
- CVE-2024-2097 | HIGH | CVSS 7.5 | EG 7.5 | 2024-03-27
  An authenticated malicious client can send a special LINQ query to execute arbitrary code remotely (RCE) on the SCM server from List control, and execute the arbitrary code on the same system where SCMArchivedEventViewerTool is installed i…
- CVE-2024-21351 | HIGH | CVSS 7.6 | EG 9.0 | KEV | 2024-02-13
  Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2024-21378 | HIGH | CVSS 8.8 | EG 8.0 | 2024-02-13
  Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2024-21508 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-11
  Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
- CVE-2024-21511 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-23
  Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
- CVE-2024-21513 | HIGH | CVSS 8.5 | EG 8.5 | 2024-07-15
  Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, since the code will attempt to call 'eval' on all values. An attacker can exploit t…
- CVE-2024-21534 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-10-11
  All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note…
- CVE-2024-21537 | HIGH | CVSS 8.8 | EG 8.8 | 2024-10-31
  Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious inp…
- CVE-2024-21541 | HIGH | CVSS 7.3 | EG 7.3 | 2024-11-13
  Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to …
- CVE-2024-21546 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-18
  Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the `.` character after the php file extension. This allows the attacker to execute …
- CVE-2024-21552 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-22
  All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the `eval` function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI app…
- CVE-2024-21571 | HIGH | CVSS 8.1 | EG 8.1 | 2024-12-06
  Snyk has identified a remote code execution (RCE) vulnerability in all versions of Code Agent. The vulnerability enables an attacker to execute arbitrary code within the Code Agent container. Exploiting this vulnerability would require an …
- CVE-2024-21574 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-12-12
  The issue stems from a missing validation of the `pip` field in a POST request sent to the `/customnode/install` endpoint used to install custom nodes, which is added to the server by the extension. This allows an attacker to craft a request th…
- CVE-2024-21576 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-12-13
  ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there is a call to eval w…
- CVE-2024-21577 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-12-13
  ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create a workflow that results in executing arbitrary code…
- CVE-2024-21643 | HIGH | CVSS 7.1 | EG 7.1 | 2024-01-10
  IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValida…
- CVE-2024-21646 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-01-09
  Azure uAMQP is a general purpose C library for AMQP 1.0. The uAMQP library is used by several clients to implement AMQP protocol communication. When clients using this library receive crafted binary type data, an integer overflow or wra…
- CVE-2024-21649 | HIGH | CVSS 8.8 | EG 8.8 | 2024-01-30
  The vantage6 technology enables users to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables,…
- CVE-2024-21650 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-01-08
  XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to ex…
- CVE-2024-21672 | HIGH | CVSS 8.8 | EG 8.3 | 2024-01-16
  This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:…
- CVE-2024-21673 | HIGH | CVSS 8.8 | EG 8.0 | 2024-01-16
  This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/A…
- CVE-2024-21674 | HIGH | CVSS 7.5 | EG 8.6 | 2024-01-16
  This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:…
- CVE-2024-21682 | HIGH | CVSS 7.2 | EG 7.2 | 2024-02-20
  This High severity Injection vulnerability was introduced in Assets Discovery 1.0 - 6.2.0 (all versions). Assets Discovery, which can be downloaded via Atlassian Marketplace, is a network scanning tool that can be used with or without an…
- CVE-2024-21683 | HIGH | CVSS 8.8 | EG 9.0 | 2024-05-21
  This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to…
- CVE-2024-21689 | HIGH | CVSS 8.0 | EG 7.6 | 2024-08-20
  This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with…
- CVE-2024-21737 | HIGH | CVSS 8.4 | EG 8.4 | 2024-01-09
  In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such a user can control the behaviour of the …
- CVE-2024-21760 | HIGH | CVSS 8.4 | EG 8.4 | 2025-03-18
  An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated att…
- CVE-2024-21832 | LOW | CVSS 3.5 | EG 3.5 | 2024-07-09
  A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.
- CVE-2024-21892 | HIGH | CVSS 7.8 | EG 7.5 | 2024-02-20
  On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges, with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implement…
- CVE-2024-2195 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-04-10
  A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` funct…
- CVE-2024-22020 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-07-09
  A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerabili…
- CVE-2024-2209 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-03-27
  A user with administrative privileges can create a compromised dll file of the same name as the original dll within the HP printer's Firmware Update Utility (FUU) bundle and place it in the Microsoft Windows default downloads directory w…
- CVE-2024-22116 | CRITICAL | CVSS 9.9 | EG 9.9 | 2024-08-12
  An administrator with restricted permissions can exploit the script execution functionality within the Monitoring Hosts section. The lack of default escaping for script parameters enabled this user's ability to execute arbitrary code via the…
- CVE-2024-22123 | LOW | CVSS 2.7 | EG 2.7 | 2024-08-12
  Setting SMS media allows setting a GSM modem file. Later this file is used as a Linux device. But because everything is a file on Linux, it is possible to set another file, e.g. a log file, and zabbix_server will try to communicate with it as a modem. …
- CVE-2024-22127 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-03-12
  SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to a command injection vulnerability. This would enable the att…
- CVE-2024-22131 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-02-13
  In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the inter…
- CVE-2024-22144 | CRITICAL | CVSS 9.0 | EG 9.0 | 2024-04-25
  Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection. This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a …
- CVE-2024-22169 | HIGH | CVSS 7.1 | EG 0.0 | 2024-08-02
  WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with s…
- CVE-2024-22188 | HIGH | CVSS 7.2 | EG 7.2 | 2024-03-05
  TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool…