CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)
4843 CVEs classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-25586 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables pro… |
| CVE-2026-25520 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get a… |
| CVE-2025-20265 | Critical | 10.0 | 2025-08-14 | A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacke… |
| CVE-2025-20337 | Critical | 10.0 | 2025-07-16 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying op… |
| CVE-2025-20281 | Critical | 10.0 | 2025-06-25 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying op… |
| CVE-2024-42472 | Critical | 10.0 | 2024-08-15 | Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persis… |
| CVE-2024-42489 | Critical | 10.0 | 2024-08-12 | Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit… |
| CVE-2024-38366 | Critical | 10.0 | 2024-07-01 | trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email addres… |
| CVE-2023-1523 | Critical | 10.0 | 2023-09-01 | Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary co… |
| CVE-2022-31126 | Critical | 10.0 | 2022-07-06 | Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated… |
| CVE-2022-24760 | Critical | 10.0 | 2022-03-12 | Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This… |
| CVE-2021-41163 | Critical | 10.0 | 2021-10-20 | Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resu… |
| CVE-2021-21242 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. At… |
| CVE-2021-21244 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean… |
| CVE-2021-21243 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from th… |
| CVE-2020-26282 | Critical | 10.0 | 2020-12-24 | BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works we… |
| CVE-2020-15164 | Critical | 10.0 | 2020-08-28 | In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated unders… |
| CVE-2018-21268 | Critical | 10.0 | 2020-06-25 | The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.ex… |
| CVE-2025-55343 | Critical | 9.9 | 2025-11-05 | Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usu… |
| CVE-2024-46986 | Critical | 9.9 | 2024-09-18 | Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method… |