VYPR

CWE-138

Improper Neutralization of Special Elements

Abstraction: Class · Status: Draft

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If the product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended. For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-105 · CAPEC-15 · CAPEC-34

CVEs mapped to this weakness (6)

  • CVE-2026-26129 · High · May 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

  • CVE-2026-32178 · High · Apr 14, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-5878 · High · Jun 29, 2025
    risk 0.41 · cvss 7.3 · epss 0.00

    A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an…

  • CVE-2026-20009 · Medium · Mar 4, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability in the implementation of the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to log in to a Cisco Secure Firewall ASA device and execute…

  • CVE-2016-0750 · Medium · Sep 11, 2018
    risk 0.20 · cvss 4.2 · epss 0.02

    The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

  • CVE-2025-48939 · Jul 3, 2025
    risk 0.00 · cvss (none listed) · epss 0.00

    tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual element. If an attacker injected an HTML…