CWE-75
DiscouragedFailure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Abstraction: Class · Status: Draft
The product does not adequately filter user-controlled input for special elements with control implications.
59 vulnerabilities reference this CWE, most recent first.
GHSA-C8Q2-82X8-W4XJ
Vulnerability from github – Published: 2024-10-17 03:31 – Updated: 2024-10-17 03:31The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.
{
"affected": [],
"aliases": [
"CVE-2024-9940"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T02:15:04Z",
"severity": "MODERATE"
},
"details": "The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.",
"id": "GHSA-c8q2-82x8-w4xj",
"modified": "2024-10-17T03:31:31Z",
"published": "2024-10-17T03:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9940"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3168950%40calculated-fields-form\u0026new=3168950%40calculated-fields-form\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2c9f6a5-8698-4452-bf0a-c1d796b2fdad?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVG2-7C3J-G36J
Vulnerability from github – Published: 2023-12-18 19:31 – Updated: 2023-12-18 19:31Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-6134"
],
"database_specific": {
"cwe_ids": [
"CWE-75"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T19:31:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.",
"id": "GHSA-cvg2-7c3j-g36j",
"modified": "2023-12-18T19:31:02Z",
"published": "2023-12-18T19:31:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-cvg2-7c3j-g36j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6134"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/15a21bf8e4fb71f006ba9caf25b9c9d1d152cd20"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7854"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7855"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7856"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7857"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7860"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7861"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6134"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri"
}
GHSA-F52W-FF63-7F4C
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-23912"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.",
"id": "GHSA-f52w-ff63-7f4c",
"modified": "2023-02-17T21:30:41Z",
"published": "2023-02-09T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23912"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FG3W-VV3R-VRGH
Vulnerability from github – Published: 2024-03-05 15:32 – Updated: 2025-03-28 18:32A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.
{
"affected": [],
"aliases": [
"CVE-2024-27622"
],
"database_specific": {
"cwe_ids": [
"CWE-75"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T14:15:49Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19. This vulnerability arises from inadequate sanitization of user-supplied input in the \u0027Code\u0027 section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.",
"id": "GHSA-fg3w-vv3r-vrgh",
"modified": "2025-03-28T18:32:49Z",
"published": "2024-03-05T15:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27622"
},
{
"type": "WEB",
"url": "https://github.com/capture0x/CMSMadeSimple"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/177241/CMS-Made-Simple-2.2.19-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/pwning-cmsms-via-user-defined-tags-for-fun-and-learning-cve-2024-27622-27623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ7X-Q9J7-G6Q6
Vulnerability from github – Published: 2024-03-19 06:30 – Updated: 2024-03-20 15:24Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "black"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21503"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-75"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-20T15:24:01Z",
"nvd_published_at": "2024-03-19T05:15:09Z",
"severity": "MODERATE"
},
"details": "Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\n\nExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.",
"id": "GHSA-fj7x-q9j7-g6q6",
"modified": "2024-03-20T15:24:01Z",
"published": "2024-03-19T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21503"
},
{
"type": "WEB",
"url": "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/psf/black"
},
{
"type": "WEB",
"url": "https://github.com/psf/black/releases/tag/24.3.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Black vulnerable to Regular Expression Denial of Service (ReDoS)"
}
GHSA-G359-P277-83P3
Vulnerability from github – Published: 2025-01-22 00:33 – Updated: 2025-01-22 15:32A remote code injection vulnerability exists in the Ambari Metrics and AMS Alerts feature, allowing authenticated users to inject and execute arbitrary code. The vulnerability occurs when processing alert definitions, where malicious input can be injected into the alert script execution path. An attacker with authenticated access can exploit this vulnerability to execute arbitrary commands on the server. The issue has been fixed in the latest versions of Ambari.
{
"affected": [],
"aliases": [
"CVE-2024-51941"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-77",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T22:15:12Z",
"severity": "HIGH"
},
"details": "A remote code injection vulnerability exists in the Ambari Metrics and \nAMS Alerts feature, allowing authenticated users to inject and execute \narbitrary code. The vulnerability occurs when processing alert \ndefinitions, where malicious input can be injected into the alert script\n execution path. An attacker with authenticated access can exploit this \nvulnerability to execute arbitrary commands on the server. The issue has\n been fixed in the latest versions of Ambari.",
"id": "GHSA-g359-p277-83p3",
"modified": "2025-01-22T15:32:33Z",
"published": "2025-01-22T00:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51941"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xq50nlff7o7z1kq3y637clzzl6mjhl8j"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/01/21/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2C6-38HV-3JWX
Vulnerability from github – Published: 2023-01-15 03:30 – Updated: 2023-01-24 18:30Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2.
{
"affected": [],
"aliases": [
"CVE-2023-0302"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-75"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-15T01:15:00Z",
"severity": "HIGH"
},
"details": "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2.",
"id": "GHSA-h2c6-38hv-3jwx",
"modified": "2023-01-24T18:30:32Z",
"published": "2023-01-15T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0302"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/961f0e723903011d4f54c2396e44efa91fcc74ce"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/583133af-7ae6-4a21-beef-a4b0182cf82e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWVQ-6GJX-J797
Vulnerability from github – Published: 2021-08-23 19:40 – Updated: 2024-10-01 21:17Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
5.7.11, 6.4.1
References
OWASP Page on Injection Prevention
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.
Credit: Guillaume Jeanne from Google
Example:
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
```
{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }
````
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32798"
],
"database_specific": {
"cwe_ids": [
"CWE-75",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T16:44:43Z",
"nvd_published_at": "2021-08-09T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nUntrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.\n\n### Patches\n\n5.7.11, 6.4.1\n\n### References\n\n[OWASP Page on Injection Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html#injection-prevention-rules)\n\n### For more information\n\nIf you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.\n\nCredit: Guillaume Jeanne from Google\n\n\n### Example:\n\nA notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):\n\n```\n{ \"cell_type\": \"code\", \"execution_count\": 0, \"metadata\": {}, \"outputs\": [ { \"data\": { \"text/html\": [ \"\u003cselect\u003e\u003ciframe\u003e\u003c/select\u003e\u003cimg src=x: onerror=alert(\u0027xss\u0027)\u003e\\n\"], \"text/plain\": [] }, \"metadata\": {}, \"output_type\": \"display_data\" } ], \"source\": [ \"\" ] }\n````",
"id": "GHSA-hwvq-6gjx-j797",
"modified": "2024-10-01T21:17:37Z",
"published": "2021-08-23T19:40:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32798"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/notebook"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2021-118.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Special Element Injection in notebook"
}
GHSA-J7G3-QM5C-2J6R
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2025-04-20 03:34Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren't properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.
{
"affected": [],
"aliases": [
"CVE-2016-9471"
],
"database_specific": {
"cwe_ids": [
"CWE-75"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-28T02:59:00Z",
"severity": "LOW"
},
"details": "Revive Adserver before 3.2.5 and 4.0.0 suffers from Special Element Injection. Usernames weren\u0027t properly sanitised when creating users on a Revive Adserver instance. Especially, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.",
"id": "GHSA-j7g3-qm5c-2j6r",
"modified": "2025-04-20T03:34:57Z",
"published": "2022-05-13T01:38:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9471"
},
{
"type": "WEB",
"url": "https://github.com/revive-adserver/revive-adserver/commit/05b1eceb"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/128181"
},
{
"type": "WEB",
"url": "https://www.revive-adserver.com/security/revive-sa-2016-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JV22-34XC-W9X6
Vulnerability from github – Published: 2026-04-14 09:30 – Updated: 2026-04-16 15:31Header injection vulnerability in Apache APISIX.
The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0.
Users are recommended to upgrade to version 3.16.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-31908"
],
"database_specific": {
"cwe_ids": [
"CWE-75"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T09:16:35Z",
"severity": "CRITICAL"
},
"details": "Header injection vulnerability in Apache APISIX.\n\nThe attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers.\nThis issue affects Apache APISIX: from 2.12.0 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue.",
"id": "GHSA-jv22-34xc-w9x6",
"modified": "2026-04-16T15:31:29Z",
"published": "2026-04-14T09:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31908"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/sob643s5lztov7x579j8o0c444t36n6b"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/14/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Programming languages and supporting technologies might be chosen which are not subject to these issues.
Mitigation
Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.