CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

4843 CVEs are classified under CWE-74. The listing below shows the highest-scored entries; summaries are truncated as on the source page.

Top CVEs for CWE-74
CVE | Severity | Score | Published | Summary
CVE-2026-25586 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables pro…
CVE-2026-25520 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get a…
CVE-2025-20265 | Critical | 10.0 | 2025-08-14 | A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacke…
CVE-2025-20337 | Critical | 10.0 | 2025-07-16 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying op…
CVE-2025-20281 | Critical | 10.0 | 2025-06-25 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying op…
CVE-2024-42472 | Critical | 10.0 | 2024-08-15 | Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persis…
CVE-2024-42489 | Critical | 10.0 | 2024-08-12 | Pro Macros provides XWiki rendering macros. Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit…
CVE-2024-38366 | Critical | 10.0 | 2024-07-01 | trunk.cocoapods.org is the authentication server for the CocoaPods dependency manager. The part of trunk which verifies whether a user has a real email addres…
CVE-2023-1523 | Critical | 10.0 | 2023-09-01 | Using the TIOCLINUX ioctl request, a malicious snap could inject contents into the input of the controlling terminal which could allow it to cause arbitrary co…
CVE-2022-31126 | Critical | 10.0 | 2022-07-06 | Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated…
CVE-2022-24760 | Critical | 10.0 | 2022-03-12 | Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This…
CVE-2021-41163 | Critical | 10.0 | 2021-10-20 | Discourse is an open source platform for community discussion. In affected versions maliciously crafted requests could lead to remote code execution. This resu…
CVE-2021-21242 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. At…
CVE-2021-21244 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean…
CVE-2021-21243 | Critical | 10.0 | 2021-01-15 | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from th…
CVE-2020-26282 | Critical | 10.0 | 2020-12-24 | BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works we…
CVE-2020-15164 | Critical | 10.0 | 2020-08-28 | In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated unders…
CVE-2018-21268 | Critical | 10.0 | 2020-06-25 | The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.ex…
CVE-2025-55343 | Critical | 9.9 | 2025-11-05 | Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usu…
CVE-2024-46986 | Critical | 9.9 | 2024-09-18 | Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method…