CWE-95(Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | Java | — | Undetermined | — |
| language | JavaScript | — | Undetermined | — |
| language | Python | — | Undetermined | — |
| language | Perl | — | Undetermined | — |
| language | PHP | — | Undetermined | — |
| language | Ruby | — | Undetermined | — |
| language | — | Interpreted | Undetermined | — |
| technology | AI/ML | — | Often | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-44939 | 2026-06-19 | A command injection vulnerability in the Rancher Manager cluster before 2.14.2 import endpoint /v3/import/{token}_{clusterId}.yaml through unsanitized YAML parameters could allow remote attackers to … |
| CVE-2026-53875 | 2026-06-17 | picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attack… |
| CVE-2026-47103 | 2026-06-17 | Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted… |
| CVE-2026-52858 | 2026-06-11 | Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pytho… |
| CVE-2026-47167 | 2026-06-11 | Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vi… |
| CVE-2026-11422 | 2026-06-05 | Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embeddi… |
| CVE-2026-50733 | 2026-06-05 | Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the… |
| CVE-2026-8914 | 2026-06-05 | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerabilit… |
| CVE-2026-48962 | 2026-05-27 | IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in d… |
| CVE-2026-46586 | 2026-05-19 | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apa… |
| CVE-2026-42603 | 2026-05-11 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_tar… |
| CVE-2026-31254 | 2026-05-11 | The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python e… |
| CVE-2026-44643 | 2026-05-11 | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to… |
| CVE-2026-44128 | 2026-05-08 | SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's ev… |
| CVE-2026-42079 | 2026-05-04 | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins… |
| CVE-2026-6652 | 2026-04-20 | A weakness has been identified in Pagekit CMS up to 1.0.18. This issue affects the function evaluate of the file app/modules/view/src/PhpEngine.php of the component StringStorage Template Handler. Thi… |
| CVE-2026-40316 | 2026-04-15 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflo… |
| CVE-2026-39423 | 2026-04-14 | MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with … |
| CVE-2026-33618 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An att… |
| CVE-2026-5971 | 2026-04-09 | A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Exec… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-08-15 | — | 1.0 | — | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Applicable_Platforms, Description, Modes_of_Introduction, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Description, Observed_Examples, Other_Notes, Research_Gaps |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Description, Name, References |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Potential_Mitigations |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Description, Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Common_Consequences, Demonstrative_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Observed_Examples |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-04-28 | CWE Content Team | 4.7 | — | updated Research_Gaps |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Observed_Examples |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Observed_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Demonstrative_Examples, Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples, Potential_Mitigations, References |
| 2024-07-16 | CWE Content Team | 4.15 | — | updated Applicable_Platforms, Observed_Examples |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Common_Consequences, Description, Diagram |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Demonstrative_Examples, Relationships |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Applicable_Platforms, Potential_Mitigations, Relationships |