CWE-74— Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.— MITRE CWE catalog
5,087 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-74page 29 of 102
- CVE-2024-43393HIGHCVSS 8.1EG 6.52024-09-10
A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW…
- CVE-2024-43782HIGHCVSS 7.7EG 7.72024-08-23
This openedx-translations repository contains translation files from Open edX repositories to be kept in sync with Transifex. Before moving to pulling translations from the openedx-translations repository via openedx-atlas, translations in…
- CVE-2024-45302MEDIUMCVSS 6.1EG 6.12024-08-29
RestSharp is a Simple REST and HTTP API Client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeade…
- CVE-2024-45312MEDIUMCVSS 5.3EG 5.32024-09-02
Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling reque…
- CVE-2024-45612MEDIUMCVSS 5.3EG 5.32024-09-17
Contao is an Open Source CMS. In affected versions an untrusted user can inject insert tags into the canonical tag, which are then replaced on the web page (front end). Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users …
- CVE-2024-46452MEDIUMCVSS 6.1EG 6.12025-06-09
A Host Header injection vulnerability in the password reset function of VigyBag Open Source Online Shop commit 3f0e21b allows attackers to redirect victim users to a malicious site via a crafted URL.
- CVE-2024-46983CRITICALCVSS 9.8EG 9.82024-09-19
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there …
- CVE-2024-46986CRITICALCVSS 9.9EG 9.92024-09-18
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to a…
- CVE-2024-46997CRITICALCVSS 9.8EG 9.82024-09-23
DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in …
- CVE-2024-47180HIGHCVSS 8.8EG 8.82024-09-26
Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of shields using version < `server-2024-09-25` are vulnerable to a remote execution vulnerab…
- CVE-2024-47764MEDIUMCVSS 6.9EG 6.92024-10-04
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could b…
- CVE-2024-48918HIGHCVSS 8.1EG 8.12024-10-16
RDS Light is a simplified version of the Reflective Dialogue System (RDS), a self-reflecting AI framework. Versions prior to 1.1.0 contain a vulnerability that involves a lack of input validation within the RDS AI framework, specifically w…
- CVE-2024-48927MEDIUMCVSS 4.6EG 4.62024-10-22
Umbraco, a free and open source .NET content management system, has a remote code execution issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. There is a potential risk of code execution f…
- CVE-2024-49380HIGHCVSS 7.5EG 7.52024-10-25
Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may…
- CVE-2024-49381HIGHCVSS 7.5EG 7.52024-10-25
Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may l…
- CVE-2024-50340HIGHCVSS 7.3EG 9.02024-11-06
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string…
- CVE-2024-50572HIGHCVSS 7.2EG 7.22024-11-12
A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8…
- CVE-2024-5184MEDIUMCVSS 6.5EG 6.52024-06-05
The EmailGPT service contains a prompt injection vulnerability. The service uses an API service that allows a malicious user to inject a direct prompt and take over the service logic. Attackers can exploit the issue by forcing the AI serv…
- CVE-2024-5193MEDIUMCVSS 5.3EG 5.32024-05-22
A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. This vulnerability affects unknown code of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to initiate…
- CVE-2024-52004HIGHCVSS 8.7EG 8.72024-11-08
MediaCMS is an open source video and media CMS, written in Python/Django and React, featuring a REST API. MediaCMS has been prone to vulnerabilities that upon special cases can lead to remote code execution. All versions before v4.1.0 are …
- CVE-2024-53263HIGHCVSS 8.5EG 8.52025-01-14
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control …
- CVE-2024-53860HIGHCVSS 8.6EG 8.62024-11-27
sp-php-email-handler is a PHP package for handling contact form submissions. Messages sent using this script are vulnerable to abuse, as the script allows anybody to specify arbitrary email recipients and include user-provided content in c…
- CVE-2024-56835HIGHCVSS 8.8EG 8.82025-12-09
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM …
- CVE-2024-56838HIGHCVSS 7.2EG 7.22025-12-09
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM …
- CVE-2024-56839HIGHCVSS 7.2EG 7.22025-12-09
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM …
- CVE-2024-56840HIGHCVSS 7.2EG 7.22025-12-09
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.0), RUGGEDCOM ROX MX5000RE (All versions < V2.17.0), RUGGEDCOM ROX RX1400 (All versions < V2.17.0), RUGGEDCOM ROX RX1500 (All versions < V2.17.0), RUGGEDCOM …
- CVE-2024-6331HIGHCVSS 7.5EG 7.52024-08-04
stitionai/devika main branch as of commit cdfb782b0e634b773b10963c8034dc9207ba1f9f is vulnerable to Local File Read (LFI) by Prompt Injection. The integration of Google Gimini 1.0 Pro with `HarmBlockThreshold.BLOCK_NONE` for `HarmCategory.…
- CVE-2024-6469LOWCVSS 2.7EG 2.72024-07-03
A vulnerability was found in playSMS 1.4.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?app=main&inc=feature_firewall&op=firewall_list of the component Template Han…
- CVE-2024-6470LOWCVSS 2.7EG 2.72024-07-03
A vulnerability was found in playSMS 1.4.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /index.php?app=main&inc=feature_inboxgroup&op=list of the component Template Handler. The manipu…
- CVE-2024-6702MEDIUMCVSS 5.2EG 5.22024-09-12
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an HTML Injection issue with Stage.
- CVE-2024-6933MEDIUMCVSS 6.3EG 6.32024-07-21
A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the compo…
- CVE-2024-7219HIGHCVSS 7.3EG 7.32024-07-30
A vulnerability has been found in SourceCodester/Campcodes School Log Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument Username lea…
- CVE-2024-7220MEDIUMCVSS 6.3EG 6.32024-07-30
A vulnerability was found in SourceCodester/Campcodes School Log Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/print_barcode.php. The manipulation of the argument tbl results in sql injectio…
- CVE-2024-7221MEDIUMCVSS 6.3EG 6.32024-07-30
A vulnerability was determined in SourceCodester/Campcodes School Log Management System 1.0. This affects an unknown part of the file /admin/manage_user.php. This manipulation of the argument ID causes sql injection. The attack can be init…
- CVE-2024-7472MEDIUMCVSS 6.5EG 5.32024-10-29
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassi…
- CVE-2024-8309CRITICALCVSS 9.8EG 9.82024-10-29
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service …
- CVE-2024-8367LOWCVSS 3.5EG 3.52024-09-01
A vulnerability was found in HM Courts & Tribunals Service Probate Back Office up to c1afe0cdb2b2766d9e24872c4e827f8b82a6cd31. It has been classified as problematic. Affected is an unknown function of the file src/main/java/uk/gov/hmcts/pr…
- CVE-2024-9324MEDIUMCVSS 6.3EG 6.32024-09-29
A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation …
- CVE-2025-0168MEDIUMCVSS 6.3EG 6.32025-01-01
A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /_parse/_feedback_system.php. The manipulation of the argument person leads to sql injection. It is possib…
- CVE-2025-0171MEDIUMCVSS 6.3EG 6.32025-01-02
A vulnerability, which was classified as critical, was found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/deleteuser.php. The manipulation of the argument id leads to sql injection. It is possible to…
- CVE-2025-0172MEDIUMCVSS 6.3EG 6.32025-01-02
A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to sql inje…
- CVE-2025-0173MEDIUMCVSS 6.3EG 6.32025-01-02
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /orders/view_order.php. The manipulation of the argument id leads to sql injec…
- CVE-2025-0174MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /user/search_result2.php of the component Parameter Handler. The ma…
- CVE-2025-0176MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/add_cart.php. The manipulation of the argument id/qt…
- CVE-2025-0195MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/del_product.php. The manipulation of the a…
- CVE-2025-0196MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability classified as critical has been found in code-projects Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file /user/plist.php. The manipulation of the argument cat leads to sql injectio…
- CVE-2025-0197MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability classified as critical was found in code-projects Point of Sales and Inventory Management System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument name leads to sql …
- CVE-2025-0198MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability, which was classified as critical, has been found in code-projects Point of Sales and Inventory Management System 1.0. This issue affects some unknown processing of the file /user/search_result.php. The manipulation of the …
- CVE-2025-0199MEDIUMCVSS 6.3EG 6.32025-01-03
A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0. Affected is an unknown function of the file /user/minus_cart.php. The manipulation of the argument id leads t…
- CVE-2025-0200MEDIUMCVSS 6.3EG 6.32025-01-04
A vulnerability has been found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /user/search_num.php. The manipulation of…
Map vulnerabilities like CWE-74 to your infrastructure
EchelonGraph correlates every CVE — across CWE-74 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →