CWE-96 Static Code Injection
What this means
SiteShadow flagged a pattern where untrusted input is written into a file/template/config that is later executed or interpreted by the server (generated code, templates, cron/job definitions, server configs).
Why it matters
Attackers can inject server-side code that executes later.
- Persistent RCE: malicious payloads run on the next deploy/restart/job run.
- Stealth: code sits on disk and triggers later, making incidents harder to trace.
- Supply-chain style impact if generated artifacts are committed or shipped.
Safer examples
1) Don't generate executable code from user input
Store user content as data (e.g., JSON rows) and interpret it with a safe allowlisted interpreter.
2) If generating templates, keep user input in data positions only
Never place untrusted input into template directives/logic; treat it as text and escape/encode for the target context.
3) Lock down write locations and execution paths
- Write only to non-executable directories.
- Do not load/execute from user-writable locations (see CWE-494/CWE-732).
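The pattern from items 1 and 3 worked through as an added example (not SiteShadow's own code): a user-configurable job is persisted as JSON data in a data directory and later interpreted through an allowlist, so untrusted text never reaches a position where it is parsed as code. The names `ACTIONS`, `save_job` and `run_job` are hypothetical.

```python
import json
import os
import tempfile

# Allowlisted actions: the only behaviours a stored job definition can ever invoke.
# Hypothetical handlers constructed for this example.
ACTIONS = {
    "send_report": lambda target: f"report sent to {target}",
    "purge_cache": lambda target: f"cache purged for {target}",
}


def save_job(data_dir, job_id, action, target, interval_minutes):
    """Persist a user-supplied job as plain JSON data, never as generated code."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    interval = int(interval_minutes)
    if not 1 <= interval <= 1440:
        raise ValueError("interval out of range")
    job = {"action": action, "target": str(target), "interval_minutes": interval}
    path = os.path.join(data_dir, f"{job_id}.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(job, fh)  # the JSON encoder escapes quotes/newlines; nothing is executable
    return path


def run_job(path):
    """Interpret a stored job: parse it as data and dispatch only via the allowlist."""
    with open(path, encoding="utf-8") as fh:
        job = json.load(fh)
    handler = ACTIONS.get(job.get("action"))
    if handler is None:
        raise ValueError("stored job references an action outside the allowlist")
    return handler(job["target"])


def is_accepted(action, interval_minutes):
    """True if a job definition passes validation; used to check the allowlist."""
    try:
        with tempfile.TemporaryDirectory() as data_dir:
            save_job(data_dir, "probe", action, "t", interval_minutes)
        return True
    except ValueError:
        return False


def demo():
    with tempfile.TemporaryDirectory() as data_dir:
        # Constructed input: the quote and semicolon would matter inside generated
        # code, but here they are just characters in a JSON string.
        path = save_job(data_dir, "job1", "send_report", 'ops"; exit()', 60)
        return run_job(path)
```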
How SiteShadow detects it (high level)
- Detects file writes that include untrusted input and later flows where those files are executed/loaded.
- Flags "write → later execute/interpret" chains as high severity.
References
- CWE-96: https://cwe.mitre.org/data/definitions/96.html