CWE-94: Code Injection
The product constructs all or part of a code segment using externally-influenced input, but does not neutralize special elements that could modify the intended code segment.
All Code Injection CVEs (1,153)
This vulnerability in SAP ABA allows authenticated users with remote execution authorization to exploit a vulnerable interface, enabling them to invok... (Feb 13, 2024)
This vulnerability allows remote code execution through improper input validation in Verge3D Publishing and E-Commerce WordPress plugin. Attackers can... (Dec 29, 2023)
This CVE describes a code injection vulnerability in the Kanban Boards for WordPress plugin that allows attackers to execute arbitrary code on affecte... (Dec 29, 2023)
October CMS has a critical vulnerability where authenticated backend users with specific editor permissions can bypass the Twig sandbox and execute ar... (Dec 1, 2023)
Control By Web X-600M devices are vulnerable to Lua code injection, allowing remote attackers to execute arbitrary code on affected devices. This affe... (Feb 13, 2023)
MCMS v5.2.5 contains a Server-Side Template Injection (SSTI) vulnerability in the Template Management module that allows attackers to execute arbitrar... (Feb 18, 2022)
This vulnerability allows authenticated attackers with permissions to create user-defined functions in Apache Cassandra to execute arbitrary code on t... (Feb 11, 2022)
This vulnerability in Huawei smartphones allows attackers with system_app permission to delete arbitrary files due to improper input validation. It af... (Dec 7, 2021)
This CVE describes a second-order expression injection vulnerability in n8n's Form nodes that could allow unauthenticated attackers to inject and eval... (Feb 25, 2026)
This CVE describes a code injection vulnerability in the Vollstart Event Tickets with Ticket Scanner WordPress plugin that allows attackers to execute... (Jan 22, 2026)
This critical vulnerability in Dyad v0.19.0 and earlier allows attackers to execute arbitrary code on users' systems by crafting malicious web content... (Sep 17, 2025)
This vulnerability in graphql-ruby allows remote code execution when loading malicious schema definitions via GraphQL introspection. Systems that load... (Mar 12, 2025)
Mongoose before version 8.9.5 contains a search injection vulnerability when using nested $where filters with populate() match operations. This allows... (Jan 15, 2025)
CVE-2024-49375 is a critical remote code execution vulnerability in Rasa, an open-source machine learning framework for conversational AI. Attackers c... (Jan 14, 2025)
This vulnerability in XWiki Platform allows privilege escalation through improper access control. When an administrator disables a user account, the u... (Jun 20, 2024)
This vulnerability allows unauthenticated attackers to perform predictable nonce brute-force attacks leading to remote code execution (RCE) in the Got... (Apr 25, 2024)
CVE-2023-39157 is an authenticated remote code execution vulnerability in the Crocoblock JetElements for Elementor WordPress plugin. Attackers with co... (Dec 31, 2023)
This vulnerability allows attackers to execute arbitrary code with elevated privileges on Helix Core servers. It affects all Helix Core installations ... (Nov 8, 2023)
CVE-2022-23631 is a critical remote code execution vulnerability in superjson versions before 1.8.1. It allows attackers to execute arbitrary code on ... (Feb 9, 2022)
This vulnerability allows attackers to inject Twig template code into the PrestaShop back office when using legacy layouts. Successful exploitation co... (Jan 26, 2022)
This vulnerability in the Paginator Elixir/Hex package allows remote attackers to execute arbitrary code by manipulating input parameters to the pagin... (Sep 1, 2020)
This vulnerability in Joplin note-taking application allows remote code execution when users click on links within PDFs attached to untrusted notes. A... (Jun 21, 2024)
This CVE describes a one-click remote code execution vulnerability in AFFiNE workspace software. Attackers can exploit it by tricking users into visit... (Mar 2, 2026)
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary code on servers running the Master... (Mar 2, 2026)
This CVE describes a Python sandbox escape vulnerability in Agenta's API server that allows authenticated users to bypass RestrictedPython sandboxing ... (Feb 26, 2026)
This vulnerability allows authenticated users with workflow creation/modification permissions in n8n to achieve remote code execution by chaining file... (Feb 25, 2026)
This vulnerability allows users with create/update permissions in Yoke's Air Traffic Controller to execute arbitrary WASM code by injecting malicious ... (Feb 12, 2026)
CVE-2026-0969 allows remote attackers to execute arbitrary code on servers using next-mdx-remote when processing untrusted MDX content. This occurs be... (Feb 12, 2026)
This vulnerability in the Lazy Blocks WordPress plugin allows authenticated attackers with Contributor-level access or higher to execute arbitrary cod... (Feb 11, 2026)
A code injection vulnerability in Microsoft Defender for Linux allows attackers on adjacent networks to execute arbitrary code without authorization. ... (Feb 10, 2026)
CVE-2026-25807 is a critical vulnerability in ZAI Shell's P2P terminal sharing feature that allows unauthenticated remote attackers to execute arbitra... (Feb 9, 2026)
This vulnerability allows authenticated users in AutoGPT Platform to execute disabled BlockInstallationBlock components, which write arbitrary Python ... (Jan 29, 2026)
A vulnerability in PyTorch's `weights_only` unpickler allows attackers to craft malicious checkpoint files (.pth) that, when loaded, can corrupt memor... (Jan 27, 2026)
This vulnerability allows attackers with access to Moodle's restore interface to execute arbitrary code on the server due to insufficient input valida... (Jan 23, 2026)
This vulnerability allows authenticated remote attackers to execute arbitrary Python code on Open WebUI installations via command injection in the loa... (Jan 23, 2026)
This vulnerability allows arbitrary code execution on vLLM servers during model loading. Attackers who can influence the model repository or path (loc... (Jan 21, 2026)
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to upload malicious hardware con... (Jan 21, 2026)
CVE-2026-23742 allows attackers with ability to create Lua filters in Skipper to read arbitrary files accessible to the Skipper process, potentially e... (Jan 16, 2026)
An unauthenticated remote attacker can trick a high-privileged user into uploading malicious configuration files via the config-upload endpoint, leadi... (Jan 13, 2026)
Envoy Gateway versions before 1.5.7 and 1.6.2 contain a vulnerability where Lua scripts in EnvoyExtensionPolicy can leak proxy credentials. Attackers ... (Jan 12, 2026)
Muffon music streaming client versions before 2.3.0 have a one-click remote code execution vulnerability via specially crafted muffon:// links. When v... (Jan 5, 2026)
LSC Smart Connect Indoor IP Camera version 1.4.13 contains a remote code execution vulnerability in the start_app.sh script. Attackers can execute arb... (Dec 22, 2025)
CVE-2023-53888 is a remote code execution vulnerability in Zomplog 3.9 that allows authenticated attackers to upload malicious JavaScript files, renam... (Dec 15, 2025)
This CVE describes a Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext that allows authenticated attackers with Address Template p... (Dec 15, 2025)
This Server-Side Template Injection (SSTI) vulnerability in Frappe ERPNext allows authenticated attackers with Print Format creation/modification perm... (Dec 15, 2025)
An authenticated attacker with Dunning Type configuration access can exploit this Server-Side Template Injection vulnerability in Frappe ERPNext to ex... (Dec 15, 2025)
CVE-2025-66457 allows arbitrary code execution in Elysia framework when dynamic cookies are enabled. Attackers can inject malicious cookie configurati... (Dec 9, 2025)
This CVE describes a client-side template injection vulnerability in Azuriom CMS that allows low-privileged users to execute arbitrary template code w... (Dec 8, 2025)
Grav CMS versions before 1.8.0-beta.27 contain a Server-Side Template Injection vulnerability that allows authenticated users with editor permissions ... (Dec 1, 2025)
This Server-Side Template Injection (SSTI) vulnerability in Grav allows authenticated users with editor permissions to execute arbitrary commands on t... (Dec 1, 2025)
About Code Injection (CWE-94)
Our database tracks 1,153 CVEs classified as CWE-94, with 521 rated critical and 513 rated high severity. The average CVSS score for Code Injection vulnerabilities is 8.6.
External reference: View CWE-94 on MITRE CWE →