# Code Injection via eval/exec

- ID: python-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects untrusted user input flowing into code evaluation functions (`eval`, `exec`, `compile`).

## Remediation

Use `ast.literal_eval()` for safe evaluation of literals.

```python
import ast

# user_input is an untrusted string; literal_eval only accepts Python literal
# syntax and raises ValueError or SyntaxError for names, calls or operators.
parsed = ast.literal_eval(user_input)
```

Learn more: https://shoulder.dev/learn/python/cwe-94/code-injection

## Related Rules

- **Code Injection via os/exec** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
- **Server-Side Template Injection** [CRITICAL]
- **Code Injection via eval() and Function constructor** [CRITICAL]
- **LLM Insecure Output Handling** [HIGH]
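The remediation above in a form a request handler could actually call, as an added example that is not part of the rule page: a wrapper around `ast.literal_eval()` that also caps input size, converts every parser failure into one application error, and enforces the type the caller expects. The function names, the `MAX_INPUT_LENGTH` cap and the sample inputs are constructed for this example.

```python
import ast

# Constructed cap: literal_eval still has to parse the text, so very long or
# deeply nested input can exhaust memory or recursion depth before it is rejected.
MAX_INPUT_LENGTH = 4096


class UnsafeInputError(ValueError):
    """Input was not a plain literal of the expected type."""


def parse_literal(user_input, expected_type: type = object):
    """Parse untrusted text as a Python literal, never as code.

    Unlike eval(), ast.literal_eval() only builds strings, numbers, tuples,
    lists, dicts, sets, booleans and None from the source text; names, calls,
    attribute access and operators raise ValueError instead of being executed.
    """
    if not isinstance(user_input, str):
        raise UnsafeInputError("input must be text")
    if len(user_input) > MAX_INPUT_LENGTH:
        raise UnsafeInputError("input too long")
    try:
        value = ast.literal_eval(user_input)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # Report the failure class only; do not echo the raw input back to the caller.
        raise UnsafeInputError(f"not a literal ({type(exc).__name__})") from None
    # literal_eval accepts any literal, so the caller's expected type is checked too.
    if not isinstance(value, expected_type):
        raise UnsafeInputError(f"expected {expected_type.__name__}, got {type(value).__name__}")
    return value


def rejects(user_input, expected_type: type = object) -> bool:
    """True when parse_literal refuses the input (used by the demo below)."""
    try:
        parse_literal(user_input, expected_type)
    except UnsafeInputError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, as a web form field might deliver them.
    print(parse_literal("{'page': 2, 'tags': ['a', 'b']}", dict))
    for sample in ("__import__('os').getcwd()",  # function call: would run under eval()
                   "2 ** 64",                     # operator expression, not a literal
                   "[1, 2",                       # syntax error
                   "DEBUG",                       # name lookup
                   "settings.SECRET_KEY"):        # attribute access
        print(f"{sample!r:32} rejected={rejects(sample)}")
```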