D2 · Threats

What is code injection?

Code injection tricks an application into executing attacker-supplied code — SQL injection, OS command injection, LDAP injection, template injection, eval() injection in dynamic languages.
Root cause: untrusted user input is concatenated into a string that an interpreter then parses as code, without sanitization. Universal mitigations: parameterized queries (SQL); input validation plus context-appropriate escaping (for the other interpreters); least-privilege application accounts (to limit the blast radius if an injection succeeds). A WAF provides defense-in-depth but is not a substitute for secure coding.