
CWE-94 (Improper Control of Generation of Code (Code Injection)) — Vulnerability Class 1417

1417 vulnerabilities classified as CWE-94 (Improper Control of Generation of Code (Code Injection)). AI Chinese analysis included.

CWE-94 represents a critical code injection weakness where software constructs executable code using untrusted input without proper sanitization. Attackers typically exploit this vulnerability by injecting malicious scripts or commands into user-supplied fields, such as web forms or API parameters, which the application then executes directly. This allows adversaries to bypass security controls, steal sensitive data, or gain unauthorized administrative access to the underlying system. To prevent such exploits, developers must rigorously validate and sanitize all external inputs, ensuring that only expected characters are processed. Implementing strict allow-listing strategies, utilizing parameterized queries for database interactions, and avoiding dynamic code execution functions like eval() are essential defensive measures. By treating all user input as potentially hostile and applying robust encoding techniques, organizations can effectively neutralize injection vectors and maintain application integrity.

MITRE CWE Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Common Consequences (4)
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control: Gain Privileges or Assume Identity
Injected code can access resources that the attacker is directly prevented from accessing.
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
When a product allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the product. As a result, code injection can often result in the execution of arbitrary code. Code injection attacks can…
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (5)
Architecture and Design: Refactor your program so that you do not have to dynamically generate code.
Architecture and Design: Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating s…
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Testing: Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Operation: Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Examples (2)
This example attempts to write user messages to a message file and allow users to view them.
    $MessageFile = "messages.out";
    if ($_GET["action"] == "NewMessage") {
        $name = $_GET["name"];
        $message = $_GET["message"];
        $handle = fopen($MessageFile, "a+");
        // user-controlled $name and $message are appended verbatim to a file that is later include()d
        fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
        fclose($handle);
        echo "Message Saved!<p>\n";
    } else if ($_GET["action"] == "ViewMessages") {
        // include() parses the file as PHP, so any <?php ... ?> saved inside a message is executed
        include($MessageFile);
    }
Bad · PHP
name=h4x0r message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
Attack
edit-config.pl: This CGI script is used to modify settings in a configuration file.
    use CGI qw(:standard);

    sub config_file_add_key {
        my ($fname, $key, $arg) = @_;
        # code to add a field/key to a file goes here
    }
    sub config_file_set_key {
        my ($fname, $key, $arg) = @_;
        # code to set key to a particular file goes here
    }
    sub config_file_delete_key {
        my ($fname, $key, $arg) = @_;
        # code to delete key from a particular file goes here
    }

    sub handleConfigAction {
        my ($fname, $action) = @_;
        my $key = param('key');
        my $val = param('val');
        # this is super-efficient code, especially if you have to invoke
        # any one of dozens of different functions!
        # the untrusted 'action' parameter is spliced into a statement that is then eval()ed
        my $code = "config_file_${action}_key(\$fname, \$key, \$val);";
        eval($code);
    }
Bad · Perl
add_key(",","); system("/bin/ls");
Attack
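As an added example (not code from this page or from MITRE), the edit-config.pl dispatch above is rendered in Python with the generated-code version beside the refactored, allow-listed dispatcher that the "Architecture and Design" and "Implementation" mitigations call for. The in-memory config, the stub system() that only records commands, and the INJECTED_ACTION string (a Python-syntax form of the page's attack string) are all constructed for the example.

```python
import re

CONFIG = {}  # constructed in-memory stand-in for the configuration file
CALLS = []   # every command the stub system() is asked to run; nothing is executed

def system(cmd):  # stub in place of os.system so an injection is observable without running anything
    CALLS.append(cmd)

def config_file_add_key(fname, key, val):
    CONFIG.setdefault(key, val)
    return ("add", key)

def config_file_set_key(fname, key, val):
    CONFIG[key] = val
    return ("set", key)

def config_file_delete_key(fname, key, val):
    CONFIG.pop(key, None)
    return ("delete", key)

def handle_config_action_unsafe(fname, action, key, val):
    # CWE-94: the handler name is spliced from the untrusted 'action' parameter and the
    # resulting statement is executed, so any valid Python inside 'action' runs as the script.
    exec(f"config_file_{action}_key(fname, key, val)")

# Constructed Python-syntax form of the page's attack string: a valid handler call, then the payload.
INJECTED_ACTION = "add_key(fname, key, val); system('/bin/ls'); config_file_add"

ACTIONS = {"add": config_file_add_key, "set": config_file_set_key, "delete": config_file_delete_key}
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")  # accept-known-good shape for a key name

def handle_config_action_safe(fname, action, key, val):
    # Mitigation: no generated code at all. 'action' is only a lookup into a fixed table and
    # 'key' must match the allow-list pattern before any handler sees it.
    handler = ACTIONS.get(action)
    if handler is None:
        raise ValueError(f"unknown action: {action!r}")
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"invalid key name: {key!r}")
    return handler(fname, key, val)

def safe_rejects(action, key="port"):
    """True if the hardened dispatcher refuses the request (e.g. for INJECTED_ACTION)."""
    try:
        handle_config_action_safe("config.txt", action, key, "x")
    except ValueError:
        return True
    return False
```

Running the same INJECTED_ACTION through both dispatchers shows the difference: the exec-based one reaches the stub system() with "/bin/ls", while the table-based one raises before touching any handler.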
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-10688 | ahujasid blender-mcp server.py execute_blender_code code injection | blender-mcp | 5.5 | Medium | 2026-06-02
CVE-2026-49143 | BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler | browserstack-runner | 8.8 | High | 2026-06-02
CVE-2026-1829 | Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution | Content Visibility for Divi Builder | 8.8 | High | 2026-06-02
CVE-2026-47117 | OpenMed < 1.5.2 Remote Code Execution via PII Model Loading | openmed | 9.8 | Critical | 2026-06-02
CVE-2026-9311 | IBM WebSphere Application Server is affected by remote code execution | WebSphere Application Server | 9.0 | Critical | 2026-06-01
CVE-2026-45131 | CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests | helm-charts | 10.0 | Critical | 2026-06-01
CVE-2026-45132 | CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling | helm-charts | 10.0 | Critical | 2026-06-01
CVE-2026-10175 | Aider-AI Aider Architect Mode auth.py editor_coder.run code injection | Aider | 6.3 | Medium | 2026-05-31
CVE-2026-44287 | FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable | FastGPT | 6.3 | Medium | 2026-05-29
CVE-2026-45697 | Formie: Pre-authenticated server-side template injection in Hidden fields | formie | 9.8 | Critical | 2026-05-29
CVE-2026-41159 | Mermaid: Improper sanitization of configuration leads to CSS injection | mermaid | - | - | 2026-05-29
CVE-2026-44698 | Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection | core | 8.3 | High | 2026-05-29
CVE-2026-45555 | Roslyn CodeLens MCP Server: Untrusted Roslyn Analyzer Execution via get_diagnostics Leads to Arbitrary Code Execution | roslyn-codelens-mcp | 7.8 | High | 2026-05-29
CVE-2026-43898 | SandboxJS: Sandbox escape via Function.caller leakage of internal call op | SandboxJS | 10.0 | Critical | 2026-05-28
CVE-2026-45311 | CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval | CodeWhale | 9.6 | Critical | 2026-05-28
CVE-2026-45374 | CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files | CodeWhale | 9.6 | Critical | 2026-05-28
CVE-2026-45058 | electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark | electerm | - | - | 2026-05-28
CVE-2026-45353 | electerm: Local code through electerm's single-instance socket | electerm | - | - | 2026-05-28
CVE-2026-45261 | GitButler: Link injection via forge integration enables arbitrary script execution | gitbutler | - | - | 2026-05-28
CVE-2026-44672 | mapfish-print: Remote Code Injection (RCE) in Dynamic table | mapfish-print | - | - | 2026-05-28
CVE-2026-32999 | WebPros Comet Backup security vulnerability | Comet Backup | 9.1 | Critical | 2026-05-28
CVE-2026-44887 | Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) | Pi.Alert | 9.8 | Critical | 2026-05-27
CVE-2026-44888 | Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Interger) | Pi.Alert | 9.8 | Critical | 2026-05-27
CVE-2026-42879 | FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images | facturascripts | 6.3 | Medium | 2026-05-27
CVE-2026-45719 | Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API | budibase | 6.5 | Medium | 2026-05-27
CVE-2026-6169 | affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution | affiliate-toolkit – Multi-Network Affiliate & Amazon Product Display | 7.2 | High | 2026-05-27
CVE-2026-8832 | WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 8.8 | High | 2026-05-27
CVE-2026-9568 | ThingsBoard YAML provision getGatewayDockerComposeFile code injection | ThingsBoard | 5.0 | Medium | 2026-05-26
CVE-2026-44728 | Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs | babel | 8.2 | High | 2026-05-26
CVE-2026-9170 | IBM HTTP Server is affected by multiple vulnerabilities | HTTP Server | - | - | 2026-05-26

Vulnerabilities classified as CWE-94 (Improper Control of Generation of Code (Code Injection)) represent 1417 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.