CWE · MITRE source
CWE-94: Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 16 mapping(s) from 5 framework(s): ATT&CK 10 (partial) · CAPEC 3 (partial) · OWASP-Web 1 (full) · ASVS 5.0 1 (mostly) · CSF 2.0 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A05:2025 Injection.
NIST 800-53 r5 controls that address this weakness (4) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-34 | Non-modifiable Executable Programs | SC | Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media. |
| SC-44 | Detonation Chambers | SC | Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads. |
| SI-10 | Information Input Validation | SI | Validates inputs used in dynamic code generation to block injected directives. |
| SI-16 | Memory Protection | SI | Directly prevents execution of attacker-supplied code written into data memory regions. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2008-4250 KEV | 10.0 | 9.8 | 0.9875 | 2008-10-23 |
| CVE-2009-0238 KEV | 10.0 | 8.8 | 0.4306 | 2009-02-25 |
| CVE-2009-1151 KEV | 10.0 | 9.8 | 0.9544 | 2009-03-26 |
| CVE-2009-0556 KEV | 10.0 | 8.8 | 0.6754 | 2009-04-03 |
| CVE-2009-0557 KEV | 10.0 | 7.8 | 0.5855 | 2009-06-10 |
| CVE-2012-0391 KEV | 10.0 | 9.8 | 0.7507 | 2012-01-08 |
| CVE-2012-0158 KEV | 10.0 | 8.8 | 0.9997 | 2012-04-10 |
| CVE-2012-1535 KEV | 10.0 | 7.8 | 0.7038 | 2012-08-15 |
| CVE-2013-4810 KEV | 10.0 | 9.8 | 0.7900 | 2013-09-16 |
| CVE-2013-3906 KEV | 10.0 | 7.8 | 0.8497 | 2013-11-06 |
| CVE-2014-6287 KEV | 10.0 | 9.8 | 0.9932 | 2014-10-07 |
| CVE-2014-4148 KEV | 10.0 | 8.8 | 0.5070 | 2014-10-15 |
| CVE-2015-1635 KEV | 10.0 | 9.8 | 1.0000 | 2015-04-14 |
| CVE-2017-7494 KEV | 10.0 | 9.8 | 0.9945 | 2017-05-30 |
| CVE-2017-9841 KEV | 10.0 | 9.8 | 1.0000 | 2017-06-27 |
| CVE-2017-9822 KEV | 10.0 | 8.8 | 0.9479 | 2017-07-20 |
| CVE-2017-8759 KEV | 10.0 | 7.8 | 0.8870 | 2017-09-13 |
| CVE-2018-1273 KEV UPD | 10.0 | 9.8 | 0.9565 | 2018-04-11 |
| CVE-2018-7602 KEV | 10.0 | 9.8 | 0.9924 | 2018-07-19 |
| CVE-2018-14667 KEV | 10.0 | 9.8 | 0.7417 | 2018-11-06 |
| CVE-2019-9082 KEV | 10.0 | 8.8 | 0.9742 | 2019-02-24 |
| CVE-2019-7609 KEV | 10.0 | 10.0 | 0.9534 | 2019-03-25 |
| CVE-2019-0193 KEV | 10.0 | 7.2 | 0.8355 | 2019-08-01 |
| CVE-2019-16759 KEV | 10.0 | 9.8 | 0.9973 | 2019-09-24 |
| CVE-2019-4716 KEV | 10.0 | 9.8 | 0.8644 | 2019-12-18 |