VYPR

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Class · Draft

Description

The product does not adequately filter user-controlled input for special elements with control implications.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-81 · CAPEC-93

CVEs mapped to this weakness (6)

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31908 | Cri | 0.59 | 9.1 | 0.00 | | Apr 14, 2026 | Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue. |
| CVE-2024-37779 | Hig | 0.58 | 8.8 | 0.05 | | Sep 23, 2024 | WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. |
| CVE-2024-23274 | Hig | 0.51 | 7.8 | 0.00 | | Mar 8, 2024 | An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges. |
| CVE-2024-23268 | Hig | 0.51 | 7.8 | 0.00 | | Mar 8, 2024 | An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges. |
| CVE-2024-24257 | Hig | 0.49 | 7.5 | 0.00 | | Jul 26, 2024 | An issue in skteco.com Central Control Attendance Machine web management platform v.3.0 allows an attacker to obtain sensitive information via a crafted script to the csl/user component. |
| CVE-2024-21503 | Med | 0.27 | 5.3 | 0.00 | | Mar 19, 2024 | Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings. |