CWE-96
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Common consequences
- Confidentiality: Read Files or Directories; Read Application Data
The injected code could access restricted data / files.
- Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- Access Control: Gain Privileges or Assume Identity
Injected code can access resources that the attacker is directly prevented from accessing.
- Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands
Code injection attacks can lead to loss of data integrity in nearly all cases, because the injected control-plane data is always incidental to the data being read or written. Additionally, code injection can often result in the execution of arbitrary code.
- Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Potential mitigations
- Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Implementation
Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
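The two mitigations above, shown side by side on the pattern that several entries in the CVE list below describe (a request parameter written into a generated configuration file such as Data.php or config.php). This is an added example, not code from the CWE entry or from any of the products listed; it uses a Python settings module as a stand-in for the PHP files, and the `USERNAME` setting, the allowlist pattern and the sample inputs are all constructed here. It contrasts raw interpolation (the CWE-96 defect) with allowlist validation plus emitting the value as an escaped string literal, and uses the parser rather than execution to check that the generated file still contains exactly one assignment.

```python
"""Writing user-supplied values into a generated code file: the vulnerable
pattern beside the hardened one (added example, hypothetical settings file)."""
import ast
import re

# Constructed sample inputs: an ordinary value, and one that carries code syntax
# (a closing quote, a newline and a comment marker to swallow the trailing quote).
GOOD_NAME = "alice"
BAD_NAME = 'alice"\nINJECTED = True  #'

# Accept-known-good: the only characters a username may contain (assumed policy).
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def render_settings_vulnerable(username: str) -> str:
    """The CWE-96 pattern: raw data interpolated into source text.
    Quotes and newlines in the value become part of the program."""
    return f'USERNAME = "{username}"\n'


def render_settings_escaped(username: str) -> str:
    """Output escaping only: repr() produces a string literal in which quotes,
    backslashes and newlines are escaped, so the data cannot terminate the
    literal and continue as code."""
    return f"USERNAME = {username!r}\n"


def validate_username(username: str) -> str:
    """Input validation: reject anything outside the allowlist instead of
    trying to spot malicious characters."""
    if not ALLOWED_NAME.fullmatch(username):
        raise ValueError("username does not conform to the allowed character set")
    return username


def render_settings_hardened(username: str) -> str:
    """Both mitigations together: validate first, then escape on output."""
    return render_settings_escaped(validate_username(username))


def count_statements(source: str) -> int:
    """Parse the generated file without executing it; a correct settings
    file holds exactly one top-level statement."""
    return len(ast.parse(source).body)


def recover_value(source: str) -> str:
    """Read USERNAME back out of the generated source via the AST, again
    without executing the file."""
    (stmt,) = ast.parse(source).body
    if not isinstance(stmt, ast.Assign):
        raise ValueError("generated file does not consist of a single assignment")
    return ast.literal_eval(stmt.value)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_settings_vulnerable),
                          ("escaped", render_settings_escaped)):
        src = render(BAD_NAME)
        print(f"{label}: {count_statements(src)} statement(s)")
    try:
        render_settings_hardened(BAD_NAME)
    except ValueError as exc:
        print("hardened: rejected ->", exc)
```

The statement count is the check worth keeping in a test suite for any code-file generator: if the number of top-level statements in the rendered output ever differs from the number of settings you intended to write, data has crossed into the control plane. Escaping alone already keeps the count at one and preserves the value exactly; the allowlist additionally refuses values that have no business containing code syntax in the first place.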
Relationships
- ChildOf CWE-94
CVEs referencing this CWE
| CVE | Description | Severity | EPSS (percentile) | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2022-43938 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. | HIGH 8.8 | 27% (p98) | | 2025-02-11 |
| CVE-2024-37900 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. | MEDIUM 4.6 | 15% (p96) | | 2025-01-10 |
| CVE-2020-6144 | A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability. | CRITICAL 9.8 | 6.34% (p93) | | 2024-11-21 |
| CVE-2020-6143 | A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability. | CRITICAL 9.8 | 6.17% (p93) | | 2024-11-21 |
| CVE-2021-39115 | Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server-Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0. | HIGH 7.2 | 4.41% (p90) | PoC | 2024-11-21 |
| CVE-2022-24840 | django-s3file is a lightweight file upload input for Django and Amazon S3. In versions prior to 5.5.1 it was possible to traverse the entire AWS S3 bucket and in most cases to access or delete files. If the `AWS_LOCATION` setting was set, traversal was limited to that location only. The issue was discovered by the maintainer. There were no reports of the vulnerability being known to or exploited by a third party, prior to the release of the patch. The vulnerability has been fixed in version 5.5.1 and above. There is no feasible workaround. We must urge all users to immediately update to a patched version. | CRITICAL 9.8 | 1.89% (p77) | | 2025-04-22 |
| CVE-2022-0895 | Static Code Injection in GitHub repository microweber/microweber prior to 1.3. | CRITICAL 9.8 | 1.69% (p74) | | 2024-11-21 |
| CVE-2024-55877 | XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround. | HIGH 8.8 | 1.56% (p72) | | 2025-04-30 |
| CVE-2023-39726 | An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal. | CRITICAL 9.8 | 1.03% (p59) | | 2024-11-21 |
| CVE-2015-2079 | Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open. | HIGH 8.8 | 1.00% (p58) | | 2025-05-14 |
| CVE-2024-55662 | XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`. | HIGH 8.8 | 0.75% (p50) | | 2025-04-30 |
| CVE-2025-30091 | In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers to inject and execute arbitrary code. Attacker-controlled data to InstallCommand can be inserted into config.php, and InstallCommand is available after an installation has completed. | NONE | 0.70% (p48) | | 2026-04-15 |
| CVE-2025-57707 | An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data / files. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later. | HIGH 8.8 | 0.66% (p46) | | 2026-02-12 |
| CVE-2024-32487 | less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. | HIGH 8.6 | 0.63% (p45) | | 2025-06-17 |
| CVE-2025-36595 | Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to code execution. | HIGH 7.2 | 0.55% (p41) | | 2026-02-26 |
| CVE-2024-13267 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno TinCan Question Type allows PHP Local File Inclusion. This issue affects Opigno TinCan Question Type: from 7.X-1.0 before 7.X-1.3. | HIGH 7.5 | 0.54% (p41) | | 2025-08-27 |
| CVE-2024-13265 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno Learning path allows PHP Local File Inclusion. This issue affects Opigno Learning path: from 0.0.0 before 3.1.2. | HIGH 7.5 | 0.54% (p41) | | 2025-08-27 |
| CVE-2024-43400 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. | MEDIUM 5.4 | 0.46% (p36) | PoC | 2024-08-22 |
| CVE-2024-13268 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno allows PHP Local File Inclusion. This issue affects Opigno: from 7.X-1.0 before 7.X-1.23. | MEDIUM 6.8 | 0.45% (p36) | | 2025-08-27 |
| CVE-2022-3960 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. | MEDIUM 6.3 | 0.45% (p36) | | 2025-02-11 |
| CVE-2024-13264 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File Inclusion. This issue affects Opigno module: from 0.0.0 before 3.1.2. | CRITICAL 9.8 | 0.44% (p35) | | 2025-08-27 |
| CVE-2023-0566 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10. | MEDIUM 4.8 | 0.44% (p35) | | 2025-03-28 |
| CVE-2024-13263 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno group manager allows PHP Local File Inclusion. This issue affects Opigno group manager: from 0.0.0 before 3.1.1. | MEDIUM 5.5 | 0.25% (p16) | | 2025-08-27 |
| CVE-2025-7825 | The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | MEDIUM 6.3 | 0.24% (p15) | | 2026-04-15 |
| CVE-2024-0788 | SUPERAntiSpyware Pro X v10.0.1260 is vulnerable to kernel-level API parameters manipulation and Denial of Service vulnerabilities by triggering the 0x9C402140 IOCTL code of the saskutil64.sys driver. | MEDIUM 6.6 | 0.24% (p14) | | 2025-05-20 |