CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | Java | — | Undetermined | — |
| language | JavaScript | — | Undetermined | — |
| language | Python | — | Undetermined | — |
| language | Perl | — | Undetermined | — |
| language | PHP | — | Undetermined | — |
| language | Ruby | — | Undetermined | — |
| language | — | Interpreted | Undetermined | — |
| technology | AI/ML | — | Often | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-52858 | 2026-06-11 | Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pytho… |
| CVE-2026-47167 | 2026-06-11 | Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vi… |
| CVE-2026-11422 | 2026-06-05 | Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embeddi… |
| CVE-2026-50733 | 2026-06-05 | Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the… |
| CVE-2026-8914 | 2026-06-05 | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerabilit… |
| CVE-2026-48962 | 2026-05-27 | IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in d… |
| CVE-2026-46586 | 2026-05-19 | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apa… |
| CVE-2026-42603 | 2026-05-11 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_tar… |
| CVE-2026-31254 | 2026-05-11 | The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python e… |
| CVE-2026-44643 | 2026-05-11 | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to… |
| CVE-2026-44128 | 2026-05-08 | SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's ev… |
| CVE-2026-42079 | 2026-05-04 | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins… |
| CVE-2026-6652 | 2026-04-20 | A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. Thi… |
| CVE-2026-40316 | 2026-04-15 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflo… |
| CVE-2026-39423 | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with … |
| CVE-2026-33618 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An att… |
| CVE-2026-5971 | 2026-04-09 | A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Exec… |
| CVE-2026-4837 | 2026-04-08 | An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon res… |
| CVE-2026-22666 | 2026-04-07 | Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode… |
| CVE-2026-35002 | 2026-04-02 | Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type p… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-08-15 | — | 1.0 | — | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Applicable_Platforms, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Description, Observed_Examples, Other_Notes, Research_Gaps |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Potential_Mitigations |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Description, Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Demonstrative_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Observed_Examples |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Research_Gaps |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Observed_Examples |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Demonstrative_Examples, Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples, Potential_Mitigations, References |
| 2024-07-16 | CWE Content Team | 4.15 | — | updated Applicable_Platforms, Observed_Examples |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Common_Consequences, Description, Diagram |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Demonstrative_Examples, Relationships |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Applicable_Platforms, Potential_Mitigations, Relationships |