CWE-94: Improper Control of Generation of Code (Code Injection)
6,269 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-94 (page 84 of 126)
- CVE-2024-43469 (HIGH, CVSS 8.8, EG 8.8, 2024-09-10)
  Azure CycleCloud Remote Code Execution Vulnerability
- CVE-2024-43767 (HIGH, CVSS 8.8, EG 8.8, 2025-01-03)
  In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not …
- CVE-2024-43770 (HIGH, CVSS 8.8, EG 8.8, 2025-01-21)
  In gatts_process_find_info of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction …
- CVE-2024-43771 (HIGH, CVSS 8.8, EG 8.8, 2025-01-21)
  In gatts_process_read_req of gatt_sr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction i…
- CVE-2024-43922 (MEDIUM, CVSS 4.8, EG 4.8, 2024-08-29)
  Improper Control of Generation of Code ('Code Injection') vulnerability in NitroPack Inc. NitroPack allows Code Injection. This issue affects NitroPack: from n/a through 1.16.7.
- CVE-2024-44410 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-09)
  D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function.
- CVE-2024-44411 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-09)
  D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function.
- CVE-2024-44414 (HIGH, CVSS 8.8, EG 8.8, 2024-10-11)
  A vulnerability was discovered in FBM_292W-21.03.10V, which has been classified as critical. This issue affects the sub_4901E0 function in the msp_info.htm file. Manipulation of the path parameter can lead to command injection.
- CVE-2024-44430 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-13)
  SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface.
- CVE-2024-44466 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-11)
  COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface.
- CVE-2024-44623 (CRITICAL, CVSS 9.8, EG 7.3, 2024-09-16)
  An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.
- CVE-2024-44722 (CRITICAL, CVSS 9.8, EG 9.8, 2026-03-20)
  SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd.
- CVE-2024-44724 (HIGH, CVSS 7.2, EG 7.2, 2024-09-09)
  AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value.
- CVE-2024-44744 (MEDIUM, CVSS 5.7, EG 5.7, 2024-10-01)
  An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileges and that the con…
- CVE-2024-44757 (HIGH, CVSS 7.5, EG 7.5, 2024-11-18)
  An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request.
- CVE-2024-44758 (CRITICAL, CVSS 9.8, EG 9.8, 2024-11-15)
  An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files.
- CVE-2024-45053 (CRITICAL, CVSS 9.1, EG 9.1, 2024-09-04)
  Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Se…
- CVE-2024-45186 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-02)
  FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials.
- CVE-2024-45198 (HIGH, CVSS 8.8, EG 8.8, 2025-04-03)
  insightsoftware Spark JDBC 2.6.21 has a remote code execution vulnerability. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to the dat…
- CVE-2024-45199 (HIGH, CVSS 8.8, EG 8.8, 2025-04-03)
  insightsoftware Hive JDBC through 2.6.13 has a remote code execution vulnerability. Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver uses this URL to connect to …
- CVE-2024-45200 (MEDIUM, CVSS 6.3, EG 6.3, 2024-09-30)
  In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed browse-reply packet, a…
- CVE-2024-45201 (HIGH, CVSS 8.8, EG 8.8, 2024-08-22)
  An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
- CVE-2024-45271 (HIGH, CVSS 8.4, EG 8.4, 2024-10-15)
  An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation.
- CVE-2024-45321 (HIGH, CVSS 8.1, EG 9.8, 2024-08-27)
  The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
- CVE-2024-45390 (HIGH, CVSS 7.3, EG 7.3, 2024-09-03)
  @blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, d…
- CVE-2024-45480 (CRITICAL, CVSS 9.2, EG 9.2, 2025-03-25)
  An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.
- CVE-2024-45507 (CRITICAL, CVSS 9.8, EG 8.8, 2024-09-04)
  Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fi…
- CVE-2024-45623 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-02)
  D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerabi…
- CVE-2024-45766 (HIGH, CVSS 8.0, EG 8.0, 2024-10-17)
  Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Control of Generation of Code ('Code Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, lea…
- CVE-2024-45798 (CRITICAL, CVSS 9.9, EG 9.9, 2024-09-17)
  arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `te…
- CVE-2024-45846 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python cod…
- CVE-2024-45847 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is…
- CVE-2024-45848 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is ru…
- CVE-2024-45849 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45850 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45851 (HIGH, CVSS 8.8, EG 8.8, 2024-09-12)
  An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘IN…
- CVE-2024-45873 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-07)
  A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe.
- CVE-2024-45874 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-07)
  A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe.
- CVE-2024-45933 (MEDIUM, CVSS 6.6, EG 6.6, 2024-10-07)
  OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS) which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint.
- CVE-2024-4605 (HIGH, CVSS 8.8, EG 8.8, 2024-05-14)
  The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes i…
- CVE-2024-46076 (CRITICAL, CVSS 9.8, EG 9.8, 2024-10-07)
  RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code.
- CVE-2024-46080 (HIGH, CVSS 8.0, EG 8.0, 2024-10-01)
  Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function.
- CVE-2024-46103 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-20)
  SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php.
- CVE-2024-46489 (HIGH, CVSS 8.8, EG 8.8, 2024-09-25)
  A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL.
- CVE-2024-46507 (HIGH, CVSS 7.3, EG 7.3, 2026-05-08)
  A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
- CVE-2024-4662 (HIGH, CVSS 8.8, EG 8.8, 2024-05-23)
  The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This…
- CVE-2024-46639 (HIGH, CVSS 7.6, EG 7.6, 2024-09-23)
  A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields message box.
- CVE-2024-46640 (CRITICAL, CVSS 9.8, EG 9.8, 2024-09-20)
  SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not executed during execution, allowing remote code execution by writing to the file t…
- CVE-2024-46960 (HIGH, CVSS 8.8, EG 8.8, 2024-11-07)
  The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component.
- CVE-2024-46961 (HIGH, CVSS 8.1, EG 8.1, 2024-11-07)
  The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity …
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.