
CWE-140 (Improper Neutralization of Delimiters) — Vulnerability Class 17

17 vulnerabilities classified as CWE-140 (Improper Neutralization of Delimiters). AI-generated Chinese-language analysis is included for each entry.

CWE-140 covers software that fails to neutralize delimiters, such as quotes, semicolons, newlines, or brackets, in user-supplied data before handing that data to a downstream parser. An attacker who can place a delimiter inside a value ends the field or record the developer intended and starts a new one, changing the command, query, record, or configuration the parser acts on. Breaking out of a string with a quote character is the mechanism behind SQL injection and command injection; the entries below show the same pattern in other parsers, for example the line-oriented Livestatus query protocol used by Checkmk and Nagvis, and a SIP From header in Asterisk where ";" or a NUL byte in the name portion changes how the header is read. Severity depends on what the downstream parser can be made to do, which is why the scores below range from 4.0 to 8.8. The fix is context-specific: validate input against an allowlist of what the field may legitimately contain, and escape or quote whatever special characters remain using the rules of the parser that will consume the data, so that delimiters are treated as literal data rather than as structure. Escaping for one parser does not protect another, and a delimiter the target format cannot escape at all (a newline in a line-oriented protocol) has to be rejected outright.

MITRE CWE Description
The product does not neutralize or incorrectly neutralizes delimiters.
Common Consequences (1)
Integrity: Unexpected State
Mitigations (4)
Implementation: Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or whit…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
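The mitigations above, worked through on a newline-delimited query, as an added example; this is not code from Checkmk, Nagvis, or any other product in the table below. The query shape is modelled on Livestatus Query Language (one header per line, a blank line ends the request); the host-name parameter, the allowlist pattern, the helper names, and the attacker inputs are all assumptions constructed for the illustration. The block shows three builders: one that splices input straight into the query, one that validates but decodes twice (the CWE-174 bypass), and one that canonicalizes once and then allowlists.

```python
"""Delimiter injection into a line-oriented query, and the decode-once-then-allowlist fix.

Added example, not code from any product on this page. The query shape is modelled
on Livestatus Query Language (LQL): one header per line, blank line ends the request.
Host names and attacker inputs below are constructed.
"""
import re
from urllib.parse import unquote

# Allowlist: the characters a host name may legitimately contain. Anything else,
# including "\n", ";", "%" and whitespace, is rejected rather than escaped, because
# a line-oriented parser has no escaping rule for a newline inside a header.
HOST_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,253}")

# Assumed query template; the host value lands inside a Filter header.
QUERY_TEMPLATE = "GET hosts\nColumns: name state\nFilter: name = {host}\n\n"


class DelimiterError(ValueError):
    """Raised when input would introduce a delimiter into the query."""


def build_query_unsafe(host: str) -> str:
    """Vulnerable: user data is spliced straight into a newline-delimited protocol.

    A "\\n" in `host` terminates the Filter header and lets the caller append
    headers of their own (extra Filter/Or lines, or whatever the server accepts).
    """
    return QUERY_TEMPLATE.format(host=host)


def build_query_double_decode(raw_host: str) -> str:
    """Still vulnerable (CWE-174): validates after one decode, then decodes again.

    "%250a" survives the first unquote as "%0a", passes the newline check, and
    only becomes "\\n" in the second unquote, after validation is already over.
    """
    once = unquote(raw_host)
    if "\n" in once:
        raise DelimiterError("newline rejected")
    host = unquote(once)  # second decode after the check: this is the bypass
    return QUERY_TEMPLATE.format(host=host)


def build_query_safe(raw_host: str) -> str:
    """Hardened: canonicalize exactly once (CWE-180), then allowlist-validate."""
    host = unquote(raw_host)  # the single decode into the internal representation
    if HOST_NAME_RE.fullmatch(host) is None:
        raise DelimiterError(f"rejected host name {host!r}")
    return QUERY_TEMPLATE.format(host=host)


def header_lines(query: str) -> list[str]:
    """What a line-oriented parser sees: one header per line up to the blank line."""
    return query.split("\n\n", 1)[0].split("\n")


def is_accepted(raw_host: str) -> bool:
    """True if the hardened builder accepts the input, False if it rejects it."""
    try:
        build_query_safe(raw_host)
    except DelimiterError:
        return False
    return True


if __name__ == "__main__":
    # Constructed attacker value: adds a second Filter header that negates the first.
    attack = "web01\nFilter: name != web01"
    print(header_lines(build_query_unsafe(attack)))
    print(header_lines(build_query_double_decode("web01%250aFilter: name != web01")))
    print(is_accepted("web01"), is_accepted("web01%0aFilter: name != web01"))
```

The hardened builder rejects leftover encoding ("%") as well as the raw newline, so the double-encoded payload fails the allowlist instead of slipping through to a later decode; that is the practical reason to prefer "accept known good" over a denylist of the one delimiter you happened to think of.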
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-33457 | Potential livestatus injection in prediction graph page | Checkmk | 8.8 | - | 2026-04-10
CVE-2026-33456 | Potential livestatus injection in notification test | Checkmk | 8.8 | - | 2026-04-10
CVE-2026-33455 | Livestatus injection in monitoring quicksearch | Checkmk | 8.8 | - | 2026-04-10
CVE-2025-52989 | Junos OS and Junos OS Evolved: Annotate configuration command can be used to change the configuration | Junos OS | 5.1 | Medium | 2025-07-11
CVE-2025-32918 | Livestatus injection in autocomplete endpoint | Checkmk | 8.8 | - | 2025-07-04
CVE-2025-48879 | OctoPrint Vulnerable to Denial of Service through malformed HTTP request | OctoPrint | 6.5 | Medium | 2025-06-10
CVE-2024-38866 | Livestatus Injection in dynmaps | Nagvis | 8.8 (AI) | High (AI) | 2025-05-27
CVE-2025-47779 | Using malformed From header can forge identity with ";" or NULL in name portion | asterisk | 7.7 | High | 2025-05-22
CVE-2024-38865 | Livestatus command injection in RestAPI | Checkmk | 8.8 (AI) | High (AI) | 2025-04-10
CVE-2024-42392 | Improper Neutralization of Delimiters in Mongoose Web Server library | Mongoose Web Server | 4.0 | Medium | 2024-11-18
CVE-2024-42385 | Improper Neutralization of Delimiters in Mongoose Web Server library | Mongoose Web Server | 4.0 | Medium | 2024-11-18
CVE-2024-42482 | fish-shop/syntax-check Improper Neutralization of Delimiters | syntax-check | 4.8 | Medium | 2024-08-12
CVE-2024-6542 | Livestatus injection in mknotifyd | Checkmk | 6.5 | Medium | 2024-07-22
CVE-2023-6157 | Livestatus injection in ajax_search | Checkmk | 7.6 | High | 2023-11-22
CVE-2023-6156 | Livestatus injection in availability timeline | Checkmk | 7.6 | High | 2023-11-22
CVE-2023-38488 | Kirby vulnerable to field injection in the KirbyData text storage handler | kirby | 7.1 | High | 2023-07-27
CVE-2023-31208 | Livestatus command injection in RestAPI | Checkmk | 8.3 | High | 2023-05-17

A "-" in the Severity column means no rating is listed for that entry; "(AI)" marks a CVSS score or severity estimated by the site's AI analysis.

Vulnerabilities classified as CWE-140 (Improper Neutralization of Delimiters): 17 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.