VYPR

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ClassIncompleteLikelihood: High

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-105 · CAPEC-108 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-14 · CAPEC-24 · CAPEC-250 · CAPEC-267 · CAPEC-273 · CAPEC-28 · CAPEC-3 · CAPEC-34 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-51 · CAPEC-52 · CAPEC-53 · CAPEC-6 · CAPEC-64 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-76 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-83 · CAPEC-84 · CAPEC-9

CVEs mapped to this weakness (3,116)

page 1 of 156
  • CVE-2013-2251CriKEVJul 20, 2013
    risk 0.80cvss 9.8epss 1.00

    Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

  • CVE-2016-4010CriJan 23, 2017
    risk 0.74cvss 9.8epss 0.93

    Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

  • CVE-2018-16763CriSep 9, 2018
    risk 0.73cvss 9.8epss 0.83

    FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

  • CVE-2018-14009CriJul 12, 2018
    risk 0.70cvss 9.8epss 0.38

    Codiad through 2.8.4 allows Remote Code Execution, a different vulnerability than CVE-2017-11366 and CVE-2017-15689.

  • CVE-2017-0372CriApr 13, 2018
    risk 0.68cvss 9.8epss 0.12

    Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.

  • CVE-2018-6220CriMar 15, 2018
    risk 0.68cvss 9.8epss 0.10

    An arbitrary file write vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject arbitrary data, which may lead to gaining code execution on vulnerable systems.

  • CVE-2017-14094CriJan 19, 2018
    risk 0.68cvss 9.8epss 0.20

    A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system.

  • CVE-2015-3253CriAug 13, 2015
    risk 0.67cvss 9.8epss 0.44

    The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

  • CVE-2017-15708CriDec 11, 2017
    risk 0.65cvss 9.8epss 0.18

    In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially…

  • CVE-2016-9832CriDec 10, 2016
    risk 0.65cvss 9.9epss 0.04

    PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report.

  • CVE-2026-6279CriMay 21, 2026
    risk 0.64cvss 9.8epss 0.02

    The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value(…

  • CVE-2026-4164CriMar 16, 2026
    risk 0.64cvss 9.8epss 0.02

    A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack…

  • CVE-2026-4163CriMar 16, 2026
    risk 0.64cvss 9.8epss 0.02

    A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack…

  • CVE-2024-34919CriMay 17, 2024
    risk 0.64cvss 9.8epss 0.01

    An arbitrary file upload vulnerability in the component \modstudent\controller.php of Pisay Online E-Learning System using PHP/MySQL v1.0 allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2020-7489CriApr 22, 2020
    risk 0.64cvss 9.8epss 0.02

    A CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability exists on EcoStruxure Machine Expert – Basic or SoMachine Basic programming software (versions in security notification). The result of this…

  • CVE-2018-4995CriJul 9, 2018
    risk 0.64cvss 9.8epss 0.08

    Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an XFA '\n' POST injection vulnerability. Successful exploitation could lead to a security bypass.

  • CVE-2017-7788CriJun 11, 2018
    risk 0.64cvss 9.8epss 0.02

    When an "iframe" has a "sandbox" attribute and its content is specified using "srcdoc", that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included "allow-same-origin". This vulnerability affects Firefox <…

  • CVE-2016-10498CriApr 18, 2018
    risk 0.64cvss 9.8epss 0.01

    In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9635M, MDM9645, MDM9650, MDM9655, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SDM630, SDM636,…

  • CVE-2014-2294CriApr 17, 2018
    risk 0.64cvss 9.8epss 0.03

    Open Web Analytics (OWA) before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owa_event parameter to queue.php.

  • CVE-2018-6289CriFeb 6, 2018
    risk 0.64cvss 9.8epss 0.07

    Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1.