CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Abstraction: Variant | Status: Incomplete | 20 recent CVEs
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Common consequences
- Confidentiality → Read Files or Directories, Read Application Data: The injected code could access restricted data / files.
- Access Control → Bypass Protection Mechanism: In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
- Access Control → Gain Privileges or Assume Identity: Injected code can access resources that the attacker is directly prevented from accessing.
- Integrity, Confidentiality, Availability, Other → Execute Unauthorized Code or Commands: Code injection attacks can lead to loss of data integrity in nearly all cases, as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
- Non-Repudiation → Hide Activities: Often the actions performed by injected control code are unlogged.
Potential mitigations
- Phases: Architecture and Design, Implementation. If possible, refactor your code so that it does not need to use eval() at all.
Related CWEs
Recent CVEs classified under this CWE
CVE ID | Score | Date
- CVE-2026-11422 | 7.1 | 2026-06-05
- CVE-2026-50733 | 8.8 | 2026-06-05
- CVE-2026-8914 | (none) | 2026-06-05
- CVE-2026-48962 | 7.3 | 2026-05-27
- CVE-2026-46586 | 8.8 | 2026-05-19
- CVE-2026-42603 | 8.8 | 2026-05-11
- CVE-2026-31254 | 7.3 | 2026-05-11
- CVE-2026-44643 | 10.0 | 2026-05-11
- CVE-2026-44128 | (none) | 2026-05-08
- CVE-2026-42079 | 8.6 | 2026-05-04
- CVE-2026-6652 | 4.7 | 2026-04-20
- CVE-2026-40316 | 8.8 | 2026-04-15
- CVE-2026-39423 | (none) | 2026-04-14
- CVE-2026-33618 | 8.8 | 2026-04-10
- CVE-2026-5971 | 7.3 | 2026-04-09
- CVE-2026-4837 | 6.6 | 2026-04-08
- CVE-2026-22666 | 7.2 | 2026-04-07
- CVE-2026-4965 | 7.3 | 2026-03-27
- CVE-2026-4001 | 9.8 | 2026-03-24
- CVE-2026-33017 | 9.8 | 2026-03-20