
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Class, Stable

Description


Technical Details

Structure: Simple
Vulnerability Mapping: DISCOURAGED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE.

What are the security consequences of CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

If exploited, CWE-74 can have the following impacts: Read Application Data, Bypass Protection Mechanism, Alter Execution Logic, Other, and Hide Activities. The outcomes by scope are:

Scope: Confidentiality. Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.

Scope: Access Control. In some cases, injectable code controls authentication; this may lead to a remote vulnerability.

Scope: Other. Injection attacks are characterized by the ability to significantly change the flow of a given process and in some cases.

How do you prevent or mitigate CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Recommended mitigations for CWE-74 include choosing programming languages and supporting technologies that are not subject to these issues, and using an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Which programming languages are affected by CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

CWE-74 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?

A CWE (Common Weakness Enumeration) like CWE-74 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.
