Common Weakness Enumeration

CWE-140

Allowed

Improper Neutralization of Delimiters

Abstraction: Base · Status: Draft

The product does not neutralize or incorrectly neutralizes delimiters.

34 vulnerabilities reference this CWE, most recent first.

GHSA-2RM3-J8QF-6FG4

Vulnerability from github – Published: 2023-11-22 18:30 – Updated: 2023-11-22 18:30
VLAI
Details

Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T17:15:22Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of livestatus command delimiters in ajax_search in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p37, and \u003c 2.2.0p15 allows arbitrary livestatus command execution for authorized users.",
  "id": "GHSA-2rm3-j8qf-6fg4",
  "modified": "2023-11-22T18:30:57Z",
  "published": "2023-11-22T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6157"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/16221"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3RWG-QHQC-M6RC

Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30
VLAI
Details

Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk <= 2.0.0p39, < 2.1.0p47, < 2.2.0p32 and < 2.3.0p11 allows arbitrary livestatus command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p47, \u003c 2.2.0p32 and \u003c 2.3.0p11 allows arbitrary livestatus command execution.",
  "id": "GHSA-3rwg-qhqc-m6rc",
  "modified": "2024-07-22T12:30:37Z",
  "published": "2024-07-22T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6542"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P6G-X56F-467G

Vulnerability from github – Published: 2023-11-22 18:30 – Updated: 2023-11-22 18:30
VLAI
Details

Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-22T17:15:22Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p37, and \u003c 2.2.0p15 allows arbitrary livestatus command execution for authorized users.",
  "id": "GHSA-6p6g-x56f-467g",
  "modified": "2023-11-22T18:30:57Z",
  "published": "2023-11-22T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6156"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/16221"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8GXR-C98H-CWXM

Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31
VLAI
Details

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T09:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Livestatus injection in the prediction graph page in Checkmk \u003c2.5.0b4, \u003c2.4.0p26, and \u003c2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.",
  "id": "GHSA-8gxr-c98h-cwxm",
  "modified": "2026-04-20T18:31:43Z",
  "published": "2026-04-10T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33457"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17990"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9WJ4-8H85-PGRW

Vulnerability from github – Published: 2025-06-10 20:14 – Updated: 2025-06-10 20:14
VLAI
Summary
OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint
Details

Impact

OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.

Patches

The vulnerability has been patched in version 1.11.2.

Workaround

OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.

Details

The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.

The fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T20:14:43Z",
    "nvd_published_at": "2025-06-10T16:15:41Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.\n\n### Patches\n\nThe vulnerability has been patched in version 1.11.2.\n\n### Workaround\n\nOctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.\n\n### Details\n\nThe issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint\u0027s endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.\n\nThe fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
  "id": "GHSA-9wj4-8h85-pgrw",
  "modified": "2025-06-10T20:14:44Z",
  "published": "2025-06-10T20:14:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OctoPrint/OctoPrint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint"
}

GHSA-CC76-VJ8R-JR9W

Vulnerability from github – Published: 2025-04-10 09:30 – Updated: 2025-08-22 00:30
VLAI
Details

Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-10T08:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host.",
  "id": "GHSA-cc76-vj8r-jr9w",
  "modified": "2025-08-22T00:30:31Z",
  "published": "2025-04-10T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38865"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17028"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CPGC-JHJC-98R4

Vulnerability from github – Published: 2023-05-17 09:30 – Updated: 2024-04-04 04:13
VLAI
Details

Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-17T09:15:10Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk \u003c 2.0.0p36, \u003c 2.1.0p28, and \u003c 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.",
  "id": "GHSA-cpgc-jhjc-98r4",
  "modified": "2024-04-04T04:13:24Z",
  "published": "2023-05-17T09:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31208"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/15191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ5V-9MXJ-77QC

Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30
VLAI
Details

Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T10:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.",
  "id": "GHSA-fj5v-9mxj-77qc",
  "modified": "2024-11-18T12:30:42Z",
  "published": "2024-11-18T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42385"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HXWV-VC7P-P66G

Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31
VLAI
Details

Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T09:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Livestatus injection in the notification test mode in Checkmk \u003c2.5.0b4 and \u003c2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.",
  "id": "GHSA-hxwv-vc7p-p66g",
  "modified": "2026-04-20T18:31:43Z",
  "published": "2026-04-10T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33456"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P2V5-GHX9-JG75

Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31
VLAI
Details

Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-140"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T09:16:23Z",
    "severity": "MODERATE"
  },
  "details": "Livestatus injection in the monitoring quicksearch in Checkmk \u003c2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.",
  "id": "GHSA-p2v5-ghx9-jg75",
  "modified": "2026-04-20T18:31:43Z",
  "published": "2026-04-10T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33455"
    },
    {
      "type": "WEB",
      "url": "https://checkmk.com/werk/17988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Strategy: Input Validation

Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.