CWE-94 · Improper Control of Generation of Code ('Code Injection')

6541 CVEs are classified under CWE-94 (Code Injection): the application builds code, or a fragment of code, from input it does not fully control and hands it to an interpreter or compiler.

Top CVEs for CWE-94
CVE             Severity  Score  Published   Summary
CVE-2026-10134  Critical  10.0   2026-06-30  IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, messa…
CVE-2026-53576  Critical  10.0   2026-06-26  Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) t…
CVE-2026-10561  Critical  10.0   2026-06-22  IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to improper isolation of Python execution combined with an authentication bypass that allows a…
CVE-2026-25470  Critical  10.0   2026-06-17  Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusio…
CVE-2026-48836  Critical  10.0   2026-06-15  Unauthenticated Remote Code Execution (RCE) in Easy Invoice versions <= 2.1.19.
CVE-2026-52704  Critical  10.0   2026-06-15  Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issu…
CVE-2026-45132  Critical  10.0   2026-06-01  CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitiv…
CVE-2026-45131  Critical  10.0   2026-06-01  CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-c…
CVE-2026-43898  Critical  10.0   2026-05-28  SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal…
CVE-2026-45829  Critical  10.0   2026-05-18  A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary…
CVE-2026-44006  Critical  10.0   2026-05-13  vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototype…
CVE-2026-44005  Critical  10.0   2026-05-13  vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forw…
CVE-2026-43997  Critical  10.0   2026-05-13  vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to esca…
CVE-2026-42288  Critical  10.0   2026-05-12  ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vu…
CVE-2026-42298  Critical  10.0   2026-05-08  Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github…
CVE-2026-41196  Critical  10.0   2026-04-23  Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially…
CVE-2026-40911  Critical  10.0   2026-04-21  WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies…
CVE-2026-39337  Critical  10.0   2026-04-07  ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wiza…
CVE-2026-28505  Critical  10.0   2026-03-30  Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py impl…
CVE-2026-26954  Critical  10.0   2026-03-13  SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an…
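Several of the entries above (Langflow's Python execution, ChromaDB, Tautulli's str_eval()) share the shape that defines CWE-94: the application takes a string it did not fully author, such as a user's rule or template, and hands it to the language's own evaluator, then tries to contain the result with a "restricted" namespace. The Python below is an added illustration of that pattern and of its fix; it is not code from any project listed on this page and does not reproduce any of these CVEs. The function names, the expression format and the sample rule and payload are this example's own assumptions.

```python
"""Added illustration of CWE-94 (not code from any project listed above).

unsafe_eval_expr() is the vulnerable pattern: eval() on user text with
__builtins__ stripped. safe_eval_expr() is the fix: parse to an AST and
evaluate only an explicit allow-list of node types, so the interpreter is
never handed attacker-controlled code.
"""
import ast
import operator


# --- Vulnerable: eval() behind a namespace "sandbox" (the CWE-94 pattern) ---
def unsafe_eval_expr(expr: str, variables: dict) -> object:
    """Evaluate a user expression with builtins removed.

    Dropping __builtins__ looks like a sandbox, but every object still has
    __class__, and from there the expression walks to object and its
    __subclasses__() list, i.e. to every loaded class. Attribute access does
    not need any builtin, so the restriction does not hold.
    """
    namespace = {"__builtins__": {}}
    namespace.update(variables)
    return eval(expr, namespace)  # deliberately vulnerable


# --- Hardened: AST allow-list evaluator ---
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv, ast.Mod: operator.mod,
}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}


def safe_eval_expr(expr: str, variables: dict) -> object:
    """Evaluate arithmetic, comparisons and and/or/not over named variables.

    Anything else (attribute access, calls, subscripts, comprehensions,
    lambdas, unknown names) is rejected with ValueError before evaluation.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise ValueError(f"unknown variable {node.id!r}")
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
            return _CMP_OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


# Constructed sample input: a user's notification rule and an attacker payload.
# The payload only reads a class name here; the same dunder walk reaches
# object.__subclasses__() and from there classes that can run commands.
RULE = "plays > 3 and title == 'Movie'"
ESCAPE = "().__class__.__base__.__name__"

if __name__ == "__main__":
    ctx = {"plays": 5, "title": "Movie"}
    print(unsafe_eval_expr(RULE, ctx))     # True
    print(unsafe_eval_expr(ESCAPE, ctx))   # 'object': the namespace "sandbox" is porous
    print(safe_eval_expr(RULE, ctx))       # True
    try:
        safe_eval_expr(ESCAPE, ctx)
    except ValueError as err:
        print("rejected:", err)            # rejected: disallowed syntax: Attribute
```

The allow-list form is the general fix for this class: decide which grammar the feature actually needs (here arithmetic and comparisons over a known variable set) and evaluate only that, rather than starting from the full language and trying to block the dangerous parts. If a feature genuinely needs full-language execution, the boundary has to be a process or container with its own privileges, not a namespace dict.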