CWE-74— Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.— MITRE CWE catalog
5,086 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-74page 27 of 102
- CVE-2024-13037MEDIUMCVSS 6.3EG 6.32024-12-30
A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0. It has been classified as critical. Affected is the function attendance_report of the file /admin/report.php. The manipulation of the argument course_id …
- CVE-2024-13038HIGHCVSS 7.3EG 7.32024-12-30
A vulnerability was found in CodeAstro Simple Loan Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the a…
- CVE-2024-13039MEDIUMCVSS 6.3EG 6.32024-12-30
A vulnerability was found in code-projects Simple Chat System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /add_user.php. The manipulation of the argument name/email/password/number l…
- CVE-2024-13070MEDIUMCVSS 6.3EG 6.32024-12-31
A vulnerability was found in CodeAstro Online Food Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_users.php of the component Update User Page. The…
- CVE-2024-13072MEDIUMCVSS 6.3EG 6.32024-12-31
A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add-customer-services.php of the component Customer Det…
- CVE-2024-13078MEDIUMCVSS 6.3EG 6.32024-12-31
A vulnerability has been found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument searchdata leads to sql inj…
- CVE-2024-13079MEDIUMCVSS 6.3EG 6.32024-12-31
A vulnerability was found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/property-details.php. The manipulation of the argument editid leads to sql i…
- CVE-2024-13084MEDIUMCVSS 6.3EG 6.32024-12-31
A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search-property.php. The manipulation of the argument searchdata leads to …
- CVE-2024-13085HIGHCVSS 7.3EG 7.32024-12-31
A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument username leads to s…
- CVE-2024-13092MEDIUMCVSS 6.3EG 6.32025-01-02
A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argumen…
- CVE-2024-13093MEDIUMCVSS 6.3EG 6.32025-01-02
A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The …
- CVE-2024-13187MEDIUMCVSS 5.3EG 5.32025-01-08
A vulnerability was found in Kingsoft WPS Office 6.14.0 on macOS. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component TCC Handler. The manipulation leads to code injection. It is po…
- CVE-2024-13190MEDIUMCVSS 6.3EG 6.32025-01-08
A vulnerability classified as critical was found in ZeroWdd myblog 1.0. This vulnerability affects unknown code of the file src/main/resources/mapper/BlogMapper.xml. The manipulation of the argument findBlogList/getTotalBlogs leads to xml …
- CVE-2024-13193MEDIUMCVSS 6.3EG 6.32025-01-08
A vulnerability has been found in SEMCMS up to 4.8 and classified as critical. Affected by this vulnerability is an unknown functionality of the file SEMCMS_Images.php of the component Image Library Management Page. The manipulation leads …
- CVE-2024-13194MEDIUMCVSS 6.3EG 6.32025-01-09
A vulnerability was found in Sucms 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/admin_members.php?ac=search. The manipulation of the argument uid leads to sql injection. The attack…
- CVE-2024-13204MEDIUMCVSS 5.5EG 5.52025-01-09
A vulnerability was found in kurniaramadhan E-Commerce-PHP 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /blog-details.php. The manipulation of the argument blog_id leads to s…
- CVE-2024-13205LOWCVSS 2.4EG 4.32025-01-09
A vulnerability was found in kurniaramadhan E-Commerce-PHP 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/create_product.php of the component Create Product Page. The manipula…
- CVE-2024-1545MEDIUMCVSS 5.9EG 5.92024-08-29
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and…
- CVE-2024-1619MEDIUMCVSS 6.1EG 6.12024-02-29
Kaspersky has fixed a security issue in the Kaspersky Security 8.0 for Linux Mail Server. The issue was that an attacker could potentially force an administrator to click on a malicious link to perform unauthorized actions.
- CVE-2024-1773HIGHCVSS 8.8EG 8.82024-03-07
The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it poss…
- CVE-2024-1833HIGHCVSS 7.3EG 7.32024-02-23
A vulnerability was found in SourceCodester Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Account/login.php. The manipulation of the argument txtusername/txtpho…
- CVE-2024-1882HIGHCVSS 7.2EG 7.22024-03-14
This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.
- CVE-2024-1883MEDIUMCVSS 6.3EG 6.32024-03-14
This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious l…
- CVE-2024-20429MEDIUMCVSS 6.5EG 6.52024-07-17
A vulnerability in the web-based management interface of Cisco AsyncOS for Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary system commands on an affected device. This vulnerability is due to insuf…
- CVE-2024-2064MEDIUMCVSS 4.3EG 4.32024-03-01
A vulnerability has been found in rahman SelectCours 1.0 and classified as problematic. Affected by this vulnerability is the function getCacheNames of the file CacheController.java of the component Template Handler. The manipulation of th…
- CVE-2024-21623CRITICALCVSS 9.8EG 9.82024-01-02
OTCLient is an alternative tibia client for otserv. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in Actions, allowing an attacker …
- CVE-2024-21645MEDIUMCVSS 5.3EG 5.32024-01-08
pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged…
- CVE-2024-21742MEDIUMCVSS 5.3EG 5.32024-02-27
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
- CVE-2024-21797CRITICALCVSS 9.1EG 9.12025-01-14
A command execution vulnerability exists in the adm.cgi set_TR069() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP re…
- CVE-2024-21838MEDIUMCVSS 6.8EG 6.82024-03-05
Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. This issue affects: Gallagher Comm…
- CVE-2024-21900MEDIUMCVSS 4.3EG 4.32024-03-08
An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in t…
- CVE-2024-22319HIGHCVSS 8.1EG 9.02024-02-02
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1 and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145…
- CVE-2024-23268HIGHCVSS 7.8EG 7.82024-03-08
An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges.
- CVE-2024-23274HIGHCVSS 7.8EG 7.82024-03-08
An injection issue was addressed with improved input validation. This issue is fixed in macOS Monterey 12.7.4, macOS Sonoma 14.4, macOS Ventura 13.6.5. An app may be able to elevate privileges.
- CVE-2024-23280MEDIUMCVSS 6.5EG 7.52024-03-08
An injection issue was addressed with improved validation. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, watchOS 10.4. A maliciously crafted webpage may be able to fingerprint the user.
- CVE-2024-23333HIGHCVSS 7.9EG 7.92024-03-18
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP f…
- CVE-2024-23648HIGHCVSS 8.8EG 8.82024-01-24
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a uni…
- CVE-2024-23828HIGHCVSS 8.8EG 8.82024-01-29
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of test_config_cmd or start_cmd. This vulnerability exists due to an incom…
- CVE-2024-23830HIGHCVSS 8.3EG 8.32024-02-20
MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address and username can hijack the user's account by poisoning the link in the password reset notification message. A …
- CVE-2024-2445MEDIUMCVSS 6.1EG 6.12024-03-15
Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacke…
- CVE-2024-25625HIGHCVSS 8.1EG 8.12024-02-19
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the…
- CVE-2024-25673MEDIUMCVSS 6.1EG 6.12024-09-19
Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earlier versions allows HTTP Host header injection.
- CVE-2024-26020CRITICALCVSS 9.6EG 9.62024-07-22
An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send malicious flashcard to trigger this vulnerabili…
- CVE-2024-2769MEDIUMCVSS 6.3EG 6.32024-03-21
A vulnerability was detected in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/admin-profile.php. The manipulation of the argument adminname/email results in sq…
- CVE-2024-27708CRITICALCVSS 9.6EG 9.62025-12-22
Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter.
- CVE-2024-2777MEDIUMCVSS 6.3EG 6.32024-03-22
A vulnerability has been found in Campcodes/PHPGurukul Online Marriage Registration System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/application-bwdates-reports-details.ph…
- CVE-2024-28114HIGHCVSS 8.1EG 8.12024-03-12
Peering Manager is a BGP session management tool. There is a Server Side Template Injection vulnerability that leads to Remote Code Execution in Peering Manager <=1.8.2. As a result arbitrary commands can be executed on the operating syste…
- CVE-2024-28181HIGHCVSS 8.1EG 8.12024-03-14
turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; …
- CVE-2024-28191LOWCVSS 3.1EG 3.12024-04-09
Contao is an open source content management system. Starting in version 4.0.0 and prior to version 4.13.40 and 5.3.4, it is possible to inject insert tags in frontend forms if the output is structured in a very specific way. Contao version…
- CVE-2024-28192MEDIUMCVSS 5.3EG 5.32024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mec…
Map vulnerabilities like CWE-74 to your infrastructure
EchelonGraph correlates every CVE — across CWE-74 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →