Common Weakness Enumeration

CWE-791

Allowed

Incomplete Filtering of Special Elements

Abstraction: Base · Status: Incomplete

The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.

63 vulnerabilities reference this CWE, most recent first.

GHSA-V5C9-PMXR-9VHC

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 00:30
VLAI
Details

A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d. This affects the function AbstractFreemarkerView.doRender of the file publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/base/AbstractFreemarkerView.java of the component FreeMarker Template Handler. Such manipulation leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5987"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-791"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T23:17:02Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d. This affects the function AbstractFreemarkerView.doRender of the file publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/base/AbstractFreemarkerView.java of the component FreeMarker Template Handler. Such manipulation leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-v5c9-pmxr-9vhc",
  "modified": "2026-04-10T00:30:31Z",
  "published": "2026-04-10T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5987"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sanluan/PublicCMS/issues/113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sanluan/PublicCMS"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/792385"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/356541"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/356541/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VJGJ-42F6-7997

Vulnerability from github – Published: 2026-04-29 22:23 – Updated: 2026-04-29 22:23
VLAI
Summary
netfoil's optional seccomp sandboxing was not applied
Details

Summary

The optional flag --filter-system-calls was not applied even if specified.

Details

This is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd.

Impact

Reduced sandboxing of the netfoil binary.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tinfoil-factory/netfoil"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-791"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T22:23:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe optional flag `--filter-system-calls` was not applied even if specified.\n\n### Details\nThis is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd.\n\n### Impact\nReduced sandboxing of the netfoil binary.",
  "id": "GHSA-vjgj-42f6-7997",
  "modified": "2026-04-29T22:23:41Z",
  "published": "2026-04-29T22:23:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinfoil-factory/netfoil/security/advisories/GHSA-vjgj-42f6-7997"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinfoil-factory/netfoil/commit/8c84f1b03adf1df5b4e6d07a49043d13dbbf9ee1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinfoil-factory/netfoil"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinfoil-factory/netfoil/releases/tag/v0.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "netfoil\u0027s optional seccomp sandboxing was not applied"
}

GHSA-VV7J-WQVH-7JXQ

Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2024-04-04 07:20
VLAI
Details

An Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.

See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.

This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-791"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T16:15:09Z",
    "severity": "HIGH"
  },
  "details": "\nAn Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.\n\n\n\n\n\nSee Instruction Manual Appendix A and Appendix E dated 20230615 for more details.\n\n\nThis issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.\n\n",
  "id": "GHSA-vv7j-wqvh-7jxq",
  "modified": "2024-04-04T07:20:48Z",
  "published": "2023-08-31T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31172"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/support/security-notifications/external-reports"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/blog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.