Skip to main content

CWE-94

Code Injection

3139 CVEs Avg CVSS 8.3 MITRE
1262
CRITICAL
1373
HIGH
451
MEDIUM
44
LOW
1105
POC
56
KEV

Monthly

CVE-2026-45534 CRITICAL PATCH Act Now

Reflection-based remote code execution in DataEase before 2.10.23 lets an authenticated operator who can configure a Redshift datasource achieve arbitrary code execution on the server. The Redshift JDBC driver loads an attacker-controlled rsjdbc.ini from the system temp directory and honors a malicious socketFactory pointing at Spring's FileSystemXmlApplicationContext, turning a normal JDBC connection into a code-execution chain. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor has confirmed and patched the flaw in 2.10.23.

RCE Code Injection Dataease
NVD GitHub
CVSS 4.0
9.0
CVE-2026-62350 HIGH PATCH This Week

Server-side arbitrary code execution in TDengine time-series database (versions prior to 3.4.1.15) allows a database user holding the 'create udf' privilege to upload a malicious shared library, register it as a user-defined function (e.g. named 'eval'), and execute attacker-controlled native C code on the server by invoking that function through ordinary SQL queries. This is a privileged-user code injection issue (CWE-94) with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw is fixed in version 3.4.1.15.

RCE Code Injection
NVD GitHub
CVSS 3.1
7.2
CVE-2026-61446 HIGH PATCH This Week

Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Path Traversal RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.6
CVE-2026-61433 HIGH PATCH This Week

Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Python RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.5
CVE-2026-58655 HIGH PATCH This Week

Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Code Injection Grav
NVD GitHub
CVSS 4.0
8.7
CVE-2026-42049 HIGH PATCH This Week

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.

Google Java RCE Code Injection
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-38450 CRITICAL Act Now

Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. Note the CVSS PR:N rating conflicts with the fact that Add/Update Project is normally an authenticated application feature.

RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-48322 CRITICAL Act Now

Code injection (CWE-94) in Adobe ColdFusion 2023 (Update 21 and earlier) and ColdFusion 2025 (Update 10 and earlier) allows a low-privileged, network-adjacent attacker to execute arbitrary code in the context of the current user without any user interaction. Because the CVSS scope is changed, successful exploitation can extend impact beyond the vulnerable component to the underlying host. There is no public exploit identified at time of analysis and the EPSS probability is low (0.43%, 35th percentile), but the near-maximum CVSS of 9.9 and Adobe's own PSIRT reporting make this a high-priority patch.

RCE Code Injection Coldfusion
NVD VulDB
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-15410 HIGH POC KEV THREAT NEWS Act Now

Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.

RCE Code Injection Sma1000
NVD VulDB
CVSS 3.1
7.2
EPSS
1.6%
Threat
5.4
CVE-2026-50650 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection (CWE-94) that lets an unauthorized attacker run code with full confidentiality, integrity, and availability impact after a victim is tricked into interacting with attacker-supplied content. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires local access and user interaction (UI:R), which meaningfully limits mass-exploitation despite the high 7.8 CVSS score.

RCE Code Injection Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVSS 9.0
CRITICAL PATCH Act Now

Reflection-based remote code execution in DataEase before 2.10.23 lets an authenticated operator who can configure a Redshift datasource achieve arbitrary code execution on the server. The Redshift JDBC driver loads an attacker-controlled rsjdbc.ini from the system temp directory and honors a malicious socketFactory pointing at Spring's FileSystemXmlApplicationContext, turning a normal JDBC connection into a code-execution chain. No public exploit is identified at time of analysis and it is not in CISA KEV, but the vendor has confirmed and patched the flaw in 2.10.23.

RCE Code Injection Dataease
NVD GitHub
CVSS 7.2
HIGH PATCH This Week

Server-side arbitrary code execution in TDengine time-series database (versions prior to 3.4.1.15) allows a database user holding the 'create udf' privilege to upload a malicious shared library, register it as a user-defined function (e.g. named 'eval'), and execute attacker-controlled native C code on the server by invoking that function through ordinary SQL queries. This is a privileged-user code injection issue (CWE-94) with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw is fixed in version 3.4.1.15.

RCE Code Injection
NVD GitHub
CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Path Traversal RCE +2
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Python RCE Code Injection +1
NVD GitHub
CVSS 8.7
HIGH PATCH This Week

Stored server-side template injection in Grav's bundled Flex Objects plugin (getgrav/grav-plugin-flex-objects) before 1.4.0 lets a low-privileged content author inject Twig code through the dynamic collection/object title frontmatter, which is passed unsanitized to template_from_string() and executed. Because the title path bypasses Grav's Security::cleanDangerousTwig() filter, an attacker can reach internal Grav services such as the scheduler and escalate arbitrary Twig evaluation to full remote command execution. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (High); no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Code Injection Grav
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.

Google Java RCE +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Aetopia Digital Asset Management (DAM) v1.0.0 is achievable through a server-side template injection flaw: attacker-controlled input in the 'name' and 'description' parameters of the Add/Update Project function is evaluated by the server-side template engine, letting an attacker run arbitrary code on the host. NVD scores this CVSS 9.8 (network, low complexity, no privileges required), and a public researcher writeup detailing the SSTI exists on the eslam3kl GitBook; however, there is no public exploit identified as weaponized code and it is not listed in CISA KEV, so it is not confirmed as actively exploited. Note the CVSS PR:N rating conflicts with the fact that Add/Update Project is normally an authenticated application feature.

RCE Code Injection
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Code injection (CWE-94) in Adobe ColdFusion 2023 (Update 21 and earlier) and ColdFusion 2025 (Update 10 and earlier) allows a low-privileged, network-adjacent attacker to execute arbitrary code in the context of the current user without any user interaction. Because the CVSS scope is changed, successful exploitation can extend impact beyond the vulnerable component to the underlying host. There is no public exploit identified at time of analysis and the EPSS probability is low (0.43%, 35th percentile), but the near-maximum CVSS of 9.9 and Adobe's own PSIRT reporting make this a high-priority patch.

RCE Code Injection Coldfusion
NVD VulDB
EPSS 2% 5.4 CVSS 7.2
HIGH POC KEV THREAT Act Now

Post-authentication improper control of generation of code ('Code Injection') vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) which in specific conditions could potentially enable a remote authenticated attacker as administrator to execute arbitrary OS commands.

RCE Code Injection Sma1000
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection (CWE-94) that lets an unauthorized attacker run code with full confidentiality, integrity, and availability impact after a victim is tricked into interacting with attacker-supplied content. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires local access and user interaction (UI:R), which meaningfully limits mass-exploitation despite the high 7.8 CVSS score.

RCE Code Injection Net 8 0 +10
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy