SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-96 Static Code Injection

Coverage: 7 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 7 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a pattern where untrusted input is written into a file/template/config that is later executed or interpreted by the server (generated code, templates, cron/job definitions, server configs).

Why it matters

Attackers can inject server-side code that executes later.

Safer examples

1) Don't generate executable code from user input

Store user content as data (e.g., JSON rows) and interpret it with a safe allowlisted interpreter.

2) If generating templates, keep user input in data positions only

Never place untrusted input into template directives/logic; treat it as text and escape/encode for the target context.

3) Lock down write locations and execution paths

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.