CWE-506: Embedded Malicious Code
The product contains code that appears to be malicious in nature.
Last updated
Overview
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
Real-world CVEs
86 recorded CVEs are caused by CWE-506 (Embedded Malicious Code), including 9 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 13 new CWE-506 CVEs have been recorded so far in 2026 (24 in 2025).
- CVE-2026-45321CISA KEV
Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Critical · CVSS 9.6 · EPSS 82th2026-05-12 - CVE-2026-33634CISA KEV
Trivy ecosystem supply chain briefly compromised
Critical · CVSS 9.4 · EPSS 99th2026-03-23 - CVE-2024-4978CISA KEV
Malicious Code in Justice AV Solutions (JAVS) Viewer
Critical · CVSS 9.4 · EPSS 98th2024-05-23 - CVE-2026-48027CISA KEV
Compromised Nx Console version 18.95.0
Critical · CVSS 9.3 · EPSS 77th2026-05-27 - CVE-2026-8398CISA KEVCritical · CVSS 9.3 · EPSS 71th2026-05-15
- CVE-2025-59374CISA KEVCritical · CVSS 9.3 · EPSS 62th2025-12-17
- CVE-2025-30066CISA KEVCritical · CVSS 9.3 · EPSS 99th2025-03-15
- CVE-2025-30154CISA KEV
Multiple Reviewdog actions were compromised during a specific time period
High · CVSS 7.7 · EPSS 81th2025-03-19 - CVE-2025-54313CISA KEVMedium · CVSS 6.8 · EPSS 90th2025-07-19
- CVE-2026-28353
Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release
Critical · CVSS 10.0 · EPSS 37th2026-03-05 - CVE-2024-3094
Xz: malicious code in distributed source
Critical · CVSS 10.0 · EPSS 100th2024-03-29 - CVE-2026-6443
Essentialplugin Plugins (Various Versions) - Injected Backdoor
Critical · CVSS 9.8 · EPSS 39th2026-04-17
Showing 12 of 86 recorded CWE-506 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-506 vulnerabilitiesCommon consequences
What can happen when CWE-506 is exploited.
Execute Unauthorized Code or Commands
Affects: Confidentiality, Integrity, Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-506, grouped by where in the lifecycle they apply.
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
How to detect it
Manual Static Analysis - Binary or Bytecode
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Dynamic Analysis with Manual Results Interpretation
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Manual Static Analysis - Source Code
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Automated Static Analysis
According to SOAR [REF-1479], the following detection techniques may be useful:
Effectiveness: SOAR Partial
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.
Vulnerable example
boolean authorizeCard(String ccn) {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-30877 — A command history tool was shipped with a code-execution backdoor inserted by a malicious party.
Terminology & mappings
Mapped taxonomies
- Landwehr: Malicious
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-506.
- What is CWE-506?
- The product contains code that appears to be malicious in nature.
- What CVEs are caused by CWE-506?
- 86 recorded CVEs are attributed to CWE-506, including CVE-2026-45321, CVE-2026-33634, CVE-2024-4978. 9 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-506?
- Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
- How is CWE-506 detected?
- Manual Static Analysis - Binary or Bytecode: According to SOAR [REF-1479], the following detection techniques may be useful:
- What are the consequences of CWE-506?
- Exploiting CWE-506 can lead to: Execute Unauthorized Code or Commands.
- Is CWE-506 actively exploited?
- Yes. 9 CWE-506 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 86 recorded CVEs.
References
- MITRE CWE definition (CWE-506) (opens in a new tab)
- CWE-506 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-506
Get alerted the moment a new CWE-506 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.