CWE-74— Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.— MITRE CWE catalog
5,082 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-74page 18 of 102
- CVE-2022-37108HIGHCVSS 8.7EG 7.22022-09-07
An injection vulnerability in the syslog-ng configuration wizard in Securonix Snypr 6.4 allows an application user with the "Manage Ingesters" permission to execute arbitrary code on remote ingesters by appending arbitrary text to text fil…
- CVE-2022-3724MEDIUMCVSS 6.3EG 7.52022-12-09
Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows
- CVE-2022-37240CRITICALCVSS 9.8EG 9.82022-08-25
MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter.
- CVE-2022-37242CRITICALCVSS 9.8EG 9.82022-08-25
MDaemon Technologies SecurityGateway for Email Servers 8.5.2, is vulnerable to HTTP Response splitting via the data parameter.
- CVE-2022-37933HIGHCVSS 7.3EG 7.82023-01-05
A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 servers. The vulnerability could be exploited to allow local unauthorized data injection. HPE has made the following software updates to re…
- CVE-2022-38191MEDIUMCVSS 6.1EG 5.42022-08-15
There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.
- CVE-2022-38357HIGHCVSS 8.8EG 8.82022-08-15
Improper neutralization of special elements leaves the Eyes of Network Web application vulnerable to an iFrame injection attack, via the url parameter of /module/module_frame/index.php.
- CVE-2022-3844LOWCVSS 3.5EG 6.12022-11-02
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotel…
- CVE-2022-38796MEDIUMCVSS 6.1EG 6.12022-09-14
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.
- CVE-2022-39016HIGHCVSS 8.2EG 8.82022-10-31
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
- CVE-2022-3918HIGHCVSS 8.8EG 8.82023-01-20
A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header valu…
- CVE-2022-39217MEDIUMCVSS 5.8EG 5.82022-09-17
some-natalie/ghas-to-csv (GitHub Advanced Security to CSV) is a GitHub action which scrapes the GitHub Advanced Security API and shoves it into a CSV. In affected versions this GitHub Action creates a CSV file without sanitizing the output…
- CVE-2022-39265HIGHCVSS 7.2EG 7.22022-10-06
MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access t…
- CVE-2022-39382CRITICALCVSS 9.8EG 9.82022-11-03
Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/[email protected] || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being i…
- CVE-2022-3941MEDIUMCVSS 5.3EG 9.82022-11-11
A vulnerability has been found in Activity Log Plugin and classified as critical. This vulnerability affects unknown code of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutr…
- CVE-2022-3962MEDIUMCVSS 4.3EG 4.32023-09-23
A content spoofing vulnerability was found in Kiali. It was discovered that Kiali does not implement error handling when the page or endpoint being accessed cannot be found. This issue allows an attacker to perform arbitrary text injection…
- CVE-2022-3967MEDIUMCVSS 5.3EG 7.82022-11-13
A vulnerability, which was classified as critical, was found in Vesta Control Panel. Affected is an unknown function of the file func/main.sh of the component sed Handler. The manipulation leads to argument injection. An attack has to be a…
- CVE-2022-4011MEDIUMCVSS 6.5EG 9.82022-11-16
A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutra…
- CVE-2022-40145CRITICALCVSS 9.8EG 9.82022-12-21
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourc…
- CVE-2022-40248MEDIUMCVSS 5.4EG 5.42022-10-10
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field.
- CVE-2022-40257MEDIUMCVSS 5.4EG 5.42022-10-10
An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field.
- CVE-2022-40434CRITICALCVSS 9.8EG 9.82022-12-19
Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.
- CVE-2022-4064LOWCVSS 3.7EG 3.72022-11-19
A vulnerability was found in Dalli up to 3.2.2. It has been classified as problematic. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation…
- CVE-2022-4092MEDIUMCVSS 5.7EG 8.02023-01-26
An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.
- CVE-2022-40958MEDIUMCVSS 6.5EG 6.52022-12-22
By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerab…
- CVE-2022-4145MEDIUMCVSS 4.3EG 4.32023-10-05
A content spoofing flaw was found in OpenShift's OAuth endpoint. This flaw allows a remote, unauthenticated attacker to inject text into a webpage, enabling the obfuscation of a phishing operation.
- CVE-2022-4170CRITICALCVSS 9.8EG 9.82022-12-09
The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
- CVE-2022-41716HIGHCVSS 7.5EG 7.52022-11-02
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A ma…
- CVE-2022-41878HIGHCVSS 7.2EG 7.22022-11-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected …
- CVE-2022-4188MEDIUMCVSS 4.3EG 4.32022-11-30
Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2022-41934CRITICALCVSS 9.9EG 9.92022-11-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity c…
- CVE-2022-42268HIGHCVSS 7.8EG 7.82023-01-13
Omniverse Kit contains a vulnerability in the reference applications Create, Audio2Face, Isaac Sim, View, Code, and Machinima. These applications allow executable Python code to be embedded in Universal Scene Description (USD) files to cu…
- CVE-2022-42468CRITICALCVSS 9.8EG 9.82022-10-26
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java pro…
- CVE-2022-42471MEDIUMCVSS 5.4EG 5.42023-01-03
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow…
- CVE-2022-42472MEDIUMCVSS 4.2EG 5.42023-02-16
A improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12, 6.0.0 through 6.0.16, FortiProxy 7.2…
- CVE-2022-42544HIGHCVSS 7.8EG 7.82022-12-16
In getView of AddAppNetworksFragment.java, there is a possible way to mislead the user about network add requests due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges ne…
- CVE-2022-4257MEDIUMCVSS 6.3EG 9.82022-12-01
A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument ho…
- CVE-2022-42797HIGHCVSS 7.8EG 7.82023-02-27
An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges.
- CVE-2022-4282MEDIUMCVSS 4.7EG 7.22022-12-05
A vulnerability was found in SpringBootCMS and classified as critical. Affected by this issue is some unknown functionality of the component Template Management. The manipulation leads to injection. The attack may be launched remotely. The…
- CVE-2022-4300MEDIUMCVSS 6.3EG 8.82022-12-06
A vulnerability was found in FastCMS. It has been rated as critical. This issue affects some unknown processing of the file /template/edit of the component Template Handler. The manipulation leads to injection. The attack may be initiated …
- CVE-2022-4322MEDIUMCVSS 6.3EG 7.22022-12-07
A vulnerability, which was classified as critical, was found in maku-boot up to 2.2.0. This affects the function doExecute of the file AbstractScheduleJob.java of the component Scheduled Task Handler. The manipulation leads to injection. I…
- CVE-2022-43562LOWCVSS 3.0EG 5.42022-11-04
In Splunk Enterprise versions below 8.1.12, 8.2.9, and 9.0.2, Splunk Enterprise fails to properly validate and escape the Host header, which could let a remote authenticated user conduct various attacks against the system, including cross-…
- CVE-2022-4364HIGHCVSS 7.3EG 9.82022-12-08
A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. Affected by this issue is some unknown functionality of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command…
- CVE-2022-43720MEDIUMCVSS 5.4EG 5.42023-01-16
An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue …
- CVE-2022-43756MEDIUMCVSS 5.9EG 5.92023-02-07
A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issu…
- CVE-2022-43769HIGHCVSS 8.8EG 9.0⚠ KEV2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
- CVE-2022-43883MEDIUMCVSS 6.5EG 7.52022-12-19
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Log Injection attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local f…
- CVE-2022-43932HIGHCVSS 7.5EG 7.52023-01-05
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to read arbitra…
- CVE-2022-45048HIGHCVSS 8.4EG 8.42023-05-05
Authenticated users with appropriate privileges can create policies having expressions that can exploit code execution vulnerability. This issue affects Apache Ranger: 2.3.0. Users are recommended to update to version 2.4.0.
- CVE-2022-45550CRITICALCVSS 9.8EG 9.82022-12-07
AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE).
Map vulnerabilities like CWE-74 to your infrastructure
EchelonGraph correlates every CVE — across CWE-74 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →