CWE-138
Improper Neutralization of Special Elements
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-105 · CAPEC-15 · CAPEC-34
CVEs mapped to this weakness (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-26129 | | High | 0.49 | 7.5 | 0.01 | | May 7, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-32178 | | High | 0.42 | 7.5 | 0.01 | | Apr 14, 2026 | Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-5878 | | High | 0.41 | 7.3 | 0.00 | | Jun 29, 2025 | A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an… |
| CVE-2026-20009 | | Medium | 0.34 | 5.3 | 0.00 | | Mar 4, 2026 | A vulnerability in the implementation of the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to log in to a Cisco Secure Firewall ASA device and execute… |
| CVE-2016-0750 | | Medium | 0.20 | 4.2 | 0.02 | | Sep 11, 2018 | The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks. |
| CVE-2025-48939 | | | 0.00 | — | 0.00 | | Jul 3, 2025 | tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual element. If an attacker injected an HTML… |