CWE-94 6626 個 CVE MITRE 定義 ↗

CWE-94:Improper Control of Generation of Code ('Code Injection')

概覽

CWE-94(Improper Control of Generation of Code ('Code Injection'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

適用平台

類型 名稱 普遍性 OS / CPE
language Interpreted Sometimes
technology AI/ML Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-55576 2026-07-15 MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pull_request.tit…
CVE-2026-45534 2026-07-15 DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase Redshift datasource connections can load attacker-controlled rsjdbc.ini configuration from System.getPropert…
CVE-2026-62350 2026-07-15 TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, a user with create udf privilege could upload a crafted shared library and install it as a…
CVE-2026-61446 2026-07-15 PraisonAI (praisonaiagents) before 1.6.78 contains a remote code execution vulnerability in the plugin manager, which loads and executes arbitrary Python (.py) files from project-level and user-home .…
CVE-2026-61433 2026-07-15 PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.…
CVE-2026-58655 2026-07-15 The bundled Grav Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles,…
CVE-2026-46640 2026-07-14 Twig is a template language for PHP. From 3.15.0 until 3.26.0, _self.(<string>) and import-alias dynamic attribute syntax can concatenate an attacker-controlled string into a MacroReferenceExpression …
CVE-2026-46633 2026-07-14 Twig is a template language for PHP. Prior to 3.26.0, Compiler::string() does not escape single quotes when a template name from a {% use %} tag is placed inside a PHP single-quoted string literal, al…
CVE-2026-42049 2026-07-14 jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization whe…
CVE-2026-38450 2026-07-14 An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function
CVE-2026-48322 2026-07-14 ColdFusion is affected by an Improper Control of Generation of Code ('Code Injection') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of t…
CVE-2026-50650 2026-07-14 Improper control of generation of code ('code injection') in .NET Framework allows an unauthorized attacker to elevate privileges locally.
CVE-2026-15410 2026-07-14 Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could pot…
CVE-2026-15715 2026-07-14 A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argum…
CVE-2026-56185 2026-07-14 Improper authentication in Windows Admin Center allows an authorized attacker to disclose information over a network.
CVE-2026-15702 2026-07-14 A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modi…
CVE-2026-15699 2026-07-14 A vulnerability was identified in spencermountain compromise up to 14.15.1. Affected is the function nlp.extend of the file src/API/extend.js of the component Public Root API. The manipulation of the …
CVE-2026-15698 2026-07-14 A vulnerability was determined in kofrasa mingo up to 7.2.1. This impacts the function update/updateOne/updateMany of the component Update API. Executing a manipulation of the argument Set can lead to…
CVE-2026-15697 2026-07-14 A vulnerability was found in svgdotjs svg.js up to 3.2.5. This affects the function EventTarget.on of the file svgdotjs/svg.js of the component npm Package API. Performing a manipulation results in im…
CVE-2026-15678 2026-07-14 A security vulnerability has been detected in code-projects Online Job Portal 1.0. This impacts an unknown function of the file /Admin/DetailJob.php. The manipulation leads to cross site scripting. Th…

曾用名

  • Code Injection (2009-01-12)
  • Failure to Control Generation of Code (aka 'Code Injection') (2009-05-27)
  • Failure to Control Generation of Code ('Code Injection') (2011-03-29)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Relationships, Research_Gaps, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships
2009-03-10 CWE Content Team 1.3 updated Potential_Mitigations
2009-05-27 CWE Content Team 1.4 updated Demonstrative_Examples, Name
2010-02-16 CWE Content Team 1.8 updated Potential_Mitigations
2010-06-21 CWE Content Team 1.9 updated Description, Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Name
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Demonstrative_Examples, Modes_of_Introduction, Relationships
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Type
2019-09-19 CWE Content Team 3.4 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2020-08-20 CWE Content Team 4.2 updated Relationships
2021-03-15 CWE Content Team 4.4 updated Demonstrative_Examples
2021-07-20 CWE Content Team 4.5 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Research_Gaps
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Demonstrative_Examples, Description, Potential_Mitigations, Relationships
2023-04-27 CWE Content Team 4.11 updated Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships, Taxonomy_Mappings
2024-02-29 CWE Content Team 4.14 updated Demonstrative_Examples, Potential_Mitigations, References
2024-07-16 CWE Content Team 4.15 updated Applicable_Platforms, Observed_Examples
2024-11-19 CWE Content Team 4.16 updated Mapping_Notes, Relationships
2025-04-03 CWE Content Team 4.17 updated Alternate_Terms, Common_Consequences, Description, Diagram, Theoretical_Notes
2025-12-11 CWE Content Team 4.19 updated Demonstrative_Examples, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Potential_Mitigations, Relationships

貢獻

類型 名稱 日期 評論
Content "Mapping CWE to 62443" Sub-Working Group 2023-06-29 Suggested mappings to ISA/IEC 62443.
Content Abhi Balakrishnan 2024-02-29 Contributed usability diagram concepts used by the CWE team.
Feedback Matthew A. Pagan 2025-08-22 Discovered a syntax issue in the Python3 demox (DX-156) and suggested a fix
cvelogic Threat Intelligence