CWE-74 4743 CVEs MITRE definition ↗

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview

CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact
Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Applicable platforms

Kind Name Class Prevalence OS / CPE
language Not Language-Specific Undetermined

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2026-11457 2026-06-07 A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the c…
CVE-2026-11456 2026-06-07 A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gb…
CVE-2026-11455 2026-06-07 A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument m…
CVE-2026-11453 2026-06-07 A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint…
CVE-2026-11452 2026-06-07 A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument …
CVE-2026-11451 2026-06-07 A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir …
CVE-2026-11450 2026-06-07 A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation …
CVE-2026-11449 2026-06-07 A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipul…
CVE-2026-11448 2026-06-07 A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kub…
CVE-2026-11447 2026-06-07 A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument devic…
CVE-2026-11435 2026-06-06 A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID leads to sql injection. The att…
CVE-2026-11412 2026-06-06 A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can …
CVE-2026-11406 2026-06-06 A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation cause…
CVE-2026-11342 2026-06-05 A vulnerability has been found in code-projects Hotel and Tourism Reservation System 1.0. This affects an unknown function of the file /details.php. Such manipulation of the argument room leads to sql…
CVE-2026-11339 2026-06-05 A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in c…
CVE-2026-11334 2026-06-05 A vulnerability was detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This affects an unknown function of the file da…
CVE-2026-10878 2026-06-05 A vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. Affected is the function sub_41C8E8 of the file /boafrm/formSmsManage. Performing a manipulation of the argument action_value results in …
CVE-2026-10877 2026-06-05 A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login.…
CVE-2026-47644 2026-06-04 Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a netwo…
CVE-2026-10875 2026-06-04 A security flaw has been discovered in projectworlds Online Art Gallery Shop Project 1.0. The impacted element is an unknown function of the file /admin/adminHome.ph. The manipulation of the argument …

Previous names

  • Injection (2008-04-11)
  • Failure to Sanitize Data into a Different Plane (aka 'Injection') (2009-05-27)
  • Failure to Sanitize Data into a Different Plane ('Injection') (2010-06-21)

Content submission

Name
CLASP
Date
2006-07-19
Version
Draft 3

Content modifications

Date Name Version Importance Comment
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Common_Consequences, Description, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-01-12 CWE Content Team 1.2 updated Relationships
2009-05-27 CWE Content Team 1.4 updated Name, Related_Attack_Patterns
2009-07-27 CWE Content Team 1.5 updated Relationships
2009-10-29 CWE Content Team 1.6 updated Description, Other_Notes
2010-02-16 CWE Content Team 1.8 updated Relationships
2010-04-05 CWE Content Team 1.8.1 updated Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Description, Name
2010-12-13 CWE Content Team 1.11 updated Common_Consequences, Relationship_Notes
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Related_Attack_Patterns, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Related_Attack_Patterns
2014-06-23 CWE Content Team 2.7 updated Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-05-03 CWE Content Team 2.11 updated Potential_Mitigations, Related_Attack_Patterns
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2019-01-03 CWE Content Team 3.2 updated Related_Attack_Patterns
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2020-02-24 CWE Content Team 4.0 updated References, Relationship_Notes, Relationships, Theoretical_Notes
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2020-08-20 CWE Content Team 4.2 updated Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-04-28 CWE Content Team 4.7 updated Demonstrative_Examples, Related_Attack_Patterns
2022-06-28 CWE Content Team 4.8 updated Observed_Examples
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2024-07-16 CWE Content Team 4.15 updated Observed_Examples
2024-11-19 CWE Content Team 4.16 updated Demonstrative_Examples, Observed_Examples
2025-09-09 CWE Content Team 4.18 updated Demonstrative_Examples
2025-12-11 CWE Content Team 4.19 updated Demonstrative_Examples, Description, Diagram, Maintenance_Notes, Other_Notes, References, Relationships
2026-04-30 CWE Content Team 4.20 updated Mapping_Notes

Contributions

Type Name Date Comment
Content Nadav Noy, Roy Blit 2022-10-24 Suggested CI/CD coverage and provided demonstrative example
cvelogic Threat Intelligence