VYPR

CWE-149

Improper Neutralization of Quoting Syntax

Abstraction: Variant; Status: Draft

Description

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-468

CVEs mapped to this weakness (4)

  • CVE-2018-25135 · Critical · Dec 24, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro…

  • CVE-2025-1094 · High · Feb 13, 2025
    risk 0.62 · cvss 8.1 · epss 0.89

    Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires…

  • CVE-2026-42511 · High · Apr 30, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the…

  • CVE-2023-36479 · Sep 15, 2023
    risk 0.00 · cvss (not listed) · epss 0.01

    Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a…