CWE-94: Code Injection

CVE-2026-27597 is a critical sandbox escape vulnerability in Enclave, a secure JavaScript sandbox for AI agent code execution. Attackers can bypass se...

This critical vulnerability in NLTK's downloader component allows remote code execution when users download malicious zip packages. Attackers can craf...

Crawl4AI versions before 0.8.0 contain an unauthenticated remote code execution vulnerability in the Docker API deployment. Attackers can send malicio...

CVE-2026-25587 is a critical sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attackers can overwrite Map.prototype.has to br...

CVE-2026-25142 is a critical sandbox escape vulnerability in SandboxJS library versions before 0.8.27. Attackers can use the __lookupGetter__ method t...

SandboxJS versions before 0.8.26 have a critical sandbox escape vulnerability that allows attackers to execute arbitrary code outside the sandbox cont...

CVE-2026-22686 is a critical sandbox escape vulnerability in enclave-vm that allows untrusted JavaScript code to execute arbitrary code in the host No...

This critical vulnerability in Azure Container Apps allows remote attackers to execute arbitrary code via code injection. Any organization using vulne...

CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM that allows unauthenticated attackers to inject arbit...

CVE-2025-65108 is a critical remote code execution vulnerability in md-to-pdf, a Node.js tool for converting Markdown to PDF. Attackers can execute ar...

This critical vulnerability in VillaTheme's HAPPY helpdesk support ticket system for WordPress allows remote attackers to execute arbitrary code on af...

This critical vulnerability in the Alone WordPress theme allows remote attackers to execute arbitrary code through improper input validation. All Word...

Flowise versions 3.0.5 and below contain a critical remote code execution vulnerability in the CustomMCP node. Attackers can execute arbitrary JavaScr...

CVE-2025-41243 allows attackers to modify Spring Environment properties through unsecured Spring Boot actuator endpoints in Spring Cloud Gateway Serve...

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code on Voltronic Power management systems via the web interf...

This critical vulnerability in the hp Global DNS WordPress plugin allows attackers to execute arbitrary code remotely through code injection. All Word...

This CVE describes a critical sandbox escape vulnerability in huggingface/smolagents version 1.14.0 that allows attackers to bypass execution restrict...

CVE-2025-49302 is a critical code injection vulnerability in the Easy Stripe WordPress plugin that allows unauthenticated attackers to execute arbitra...

This vulnerability allows non-admin users to embed scripts in reports that execute with administrator privileges on BRAIN2 servers. This affects BRAIN...

CVE-2025-49132 is a critical remote code execution vulnerability in Pterodactyl Panel that allows unauthenticated attackers to execute arbitrary code ...

This critical vulnerability allows remote attackers to execute arbitrary code on affected Bosch systems without authentication. It affects specific Bo...

CVE-2025-32432 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected servers. Thi...

This critical vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of the DigiWidgets Image Editor W...

This critical vulnerability in the Fresh Framework WordPress plugin allows unauthenticated attackers to execute arbitrary code on affected websites. I...

This is a critical unauthenticated remote code execution vulnerability in Uniguest Tripleplay software. Attackers can execute arbitrary code on affect...

This critical vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress sites using the Ark Theme Core plugin. Attackers c...

ComfyUI-Bmad-Nodes contains a critical code injection vulnerability in three custom nodes (BuildColorRangeHSVAdvanced, FilterContour, FindContour) tha...

CVE-2024-21574 is a critical remote code execution vulnerability in ComfyUI-Manager extension that allows attackers to execute arbitrary code on the s...

This critical vulnerability in ABB ASPECT, NEXUS, and MATRIX series allows remote attackers to execute arbitrary code on affected systems by sending s...

CVE-2024-50498 is a critical code injection vulnerability in the LUBUS WP Query Console WordPress plugin that allows unauthenticated remote code execu...

This critical vulnerability in the WordPress ajax-extend plugin allows remote attackers to execute arbitrary code on affected websites. The Code Injec...

This CVE describes a critical PHP injection vulnerability in the M4 PDF Extensions module for PrestaShop. Attackers can execute arbitrary code on affe...

This critical vulnerability in the InstaWP Connect WordPress plugin allows attackers to upload arbitrary files and execute malicious code on affected ...

This critical vulnerability allows unauthenticated remote code execution in Bricks Builder WordPress theme. Attackers can inject arbitrary PHP code th...

CVE-2024-5407 is a critical PHP code injection vulnerability in RhinOS 3.0-1190 that allows remote attackers to execute arbitrary code through the sea...

This vulnerability allows unauthenticated attackers to execute arbitrary code on WordPress sites running the vulnerable Canto plugin. It affects all W...

This vulnerability in the WordPress Social Warfare plugin allows attackers to execute arbitrary code on the server via the 'swp_url' parameter. It aff...

CVE-2023-25054 is a critical code injection vulnerability in the RSVPMaker WordPress plugin that allows remote attackers to execute arbitrary code on ...

CVE-2023-46731 is a critical remote code execution vulnerability in XWiki Platform where improper escaping of the section URL parameter allows attacke...

CVE-2023-41892 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected systems. Thi...

CVE-2023-37470 is a critical remote code execution vulnerability in Metabase that allows attackers to execute arbitrary code on the server by injectin...

This critical vulnerability in Siemens industrial control software allows remote attackers with low privileges to execute arbitrary code with elevated...

CVE-2023-2583 is a critical code injection vulnerability in jsreport, a JavaScript-based reporting tool. It allows attackers to execute arbitrary code...

CVE-2021-27446 is a critical code injection vulnerability in Weintek cMT industrial HMI products that allows unauthenticated remote attackers to execu...

CVE-2022-22947 is a critical remote code execution vulnerability in Spring Cloud Gateway when the Actuator endpoint is enabled and exposed without pro...

CVE-2021-41269 is a critical template injection vulnerability in cron-utils Java library that allows attackers to inject arbitrary Java Expression Lan...

CVE-2021-29475 is a critical file disclosure vulnerability in HedgeDoc (formerly CodiMD) where attackers can read arbitrary files from the filesystem ...

CVE-2021-22205 is a critical remote code execution vulnerability in GitLab CE/EE where improper validation of image files passed to ExifTool allows at...

This vulnerability allows unauthenticated attackers to execute arbitrary code on Eaton Intelligent Power Manager (IPM) systems by sending specially cr...

This vulnerability in n8n allows authenticated users with workflow creation/modification permissions to escape the JavaScript Task Runner sandbox and ...