CWE · MITRE source
CWE-94: Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (4) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-34 | Non-modifiable Executable Programs | SC | Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media. |
| SC-44 | Detonation Chambers | SC | Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads. |
| SI-10 | Information Input Validation | SI | Validates inputs used in dynamic code generation to block injected directives. |
| SI-16 | Memory Protection | SI | Directly prevents execution of attacker-supplied code written into data memory regions. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-7609 KEV | 9.7 | 10.0 | 0.9443 | 2019-03-25 |
| CVE-2021-22205 KEV | 9.7 | 10.0 | 0.9447 | 2021-04-23 |
| CVE-2022-22947 KEV | 9.7 | 10.0 | 0.9446 | 2022-03-03 |
| CVE-2014-6287 KEV | 9.6 | 9.8 | 0.9436 | 2014-10-07 |
| CVE-2015-1635 KEV | 9.6 | 9.8 | 0.9431 | 2015-04-14 |
| CVE-2017-7494 KEV | 9.6 | 9.8 | 0.9418 | 2017-05-30 |
| CVE-2017-9841 KEV | 9.6 | 9.8 | 0.9421 | 2017-06-27 |
| CVE-2018-1273 KEV | 9.6 | 9.8 | 0.9429 | 2018-04-11 |
| CVE-2018-7602 KEV | 9.6 | 9.8 | 0.9438 | 2018-07-19 |
| CVE-2019-16759 KEV | 9.6 | 9.8 | 0.9443 | 2019-09-24 |
| CVE-2019-4716 KEV | 9.6 | 9.8 | 0.9337 | 2019-12-18 |
| CVE-2019-10758 KEV | 9.6 | 9.9 | 0.9435 | 2019-12-24 |
| CVE-2020-8644 KEV | 9.6 | 9.8 | 0.9406 | 2020-02-05 |
| CVE-2021-44529 KEV | 9.6 | 9.8 | 0.9446 | 2021-12-08 |
| CVE-2022-22963 KEV | 9.6 | 9.8 | 0.9446 | 2022-04-01 |
| CVE-2022-22965 KEV | 9.6 | 9.8 | 0.9443 | 2022-04-01 |
| CVE-2022-22954 KEV | 9.6 | 9.8 | 0.9444 | 2022-04-11 |
| CVE-2022-24816 KEV | 9.6 | 10.0 | 0.9371 | 2022-04-13 |
| CVE-2023-25717 KEV | 9.6 | 9.8 | 0.9424 | 2023-02-13 |
| CVE-2023-33246 KEV | 9.6 | 9.8 | 0.9439 | 2023-05-24 |
| CVE-2023-3519 KEV | 9.6 | 9.8 | 0.9384 | 2023-07-19 |
| CVE-2024-4040 KEV | 9.6 | 9.8 | 0.9443 | 2024-04-22 |
| CVE-2024-23692 KEV | 9.6 | 9.8 | 0.9430 | 2024-05-31 |
| CVE-2024-36401 KEV | 9.6 | 9.8 | 0.9443 | 2024-07-01 |
| CVE-2024-56145 KEV | 9.6 | 9.8 | 0.9415 | 2024-12-18 |