
CWE-75 (Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)) — Vulnerability Class 17

17 vulnerabilities classified as CWE-75 (Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)). AI Chinese analysis included.

CWE-75 represents a critical input validation weakness where software fails to properly sanitize special elements that carry control implications, such as HTML tags, script blocks, or command-line arguments. This flaw typically allows attackers to inject malicious content into a different execution plane, enabling cross-site scripting, command injection, or code execution attacks. By bypassing expected input boundaries, adversaries can manipulate application behavior or steal sensitive user data. Developers mitigate this risk by implementing rigorous input validation and output encoding strategies. Specifically, they should strictly whitelist allowed characters, escape special symbols before rendering them in different contexts, and utilize parameterized queries for database interactions. Consistently applying these defensive coding practices ensures that user-controlled data remains inert, preventing unintended interpretation by the underlying system or client-side environment.

MITRE CWE Description
The product does not adequately filter user-controlled input for special elements with control implications.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability
Impact: Modify Application Data, Execute Unauthorized Code or Commands
Mitigations (2)
Phase: Requirements — Programming languages and supporting technologies might be chosen which are not subject to these issues.
Phase: Implementation — Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input.
CVE ID | Title | Product | CVSS | Severity | Published
-------------- | ----- | ------- | ---- | -------- | ---------
CVE-2026-31908 | Apache APISIX: forward auth plugin allows header injection | Apache APISIX | 8.2 | - | 2026-04-14
CVE-2026-29042 | Nuclio Shell Runtime Command Injection Leading to Privilege Escalation | nuclio | 9.8 | - | 2026-03-06
CVE-2026-27120 | Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster | leaf-kit | 6.1 | Medium | 2026-02-20
CVE-2025-61911 | python-ldap has sanitization bypass in ldap.filter.escape_filter_chars | python-ldap | 9.1 | Critical (AI) | 2025-10-10
CVE-2025-50213 | Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator | Apache Airflow Providers Snowflake | 9.8 | Critical (AI) | 2025-06-24
CVE-2024-9940 | Calculated Fields Form <= 5.2.45 - HTML Injection | Calculated Fields Form | 5.3 | Medium | 2024-10-17
CVE-2023-1758 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in thorsten/phpmyfaq | thorsten/phpmyfaq | 8.2 | - | 2023-04-05
CVE-2023-27533 | curl injection vulnerability | https://github.com/curl/curl | 9.8 | - | 2023-03-30
CVE-2023-23912 | Ubiquiti EdgeRouters code injection vulnerability | Ubiquiti EdgeRouter(s) and USG(s) | 8.8 | - | 2023-02-09
CVE-2023-0302 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in radareorg/radare2 | radareorg/radare2 | 7.8 | - | 2023-01-15
CVE-2022-4721 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in ikus060/rdiffweb | ikus060/rdiffweb | 7.6 | - | 2022-12-23
CVE-2022-3607 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in octoprint/octoprint | octoprint/octoprint | 6.9 | - | 2022-10-19
CVE-2022-24039 | Siemens Desigo PXC4 security vulnerability | Desigo PXC4 | 8.0 | - | 2022-05-10
CVE-2021-39174 | Configuration leak | Cachet | 8.8 | High | 2021-08-27
CVE-2021-22910 | Rocket.Chat security vulnerability | Rocket.Chat server | 9.8 | - | 2021-08-09
CVE-2021-22911 | Rocket.Chat security vulnerability | Rocket.Chat server | 9.8 | - | 2021-05-27
CVE-2016-9471 | Revive Adserver security vulnerability | Revive Adserver, all versions before 3.2.5 and 4.0.0 | 4.8 | - | 2017-03-28

Vulnerabilities classified as CWE-75 (Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)) represent 17 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.