The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
View on MITREThe injected code could access restricted data / files.
Injected code can access resources that the attacker is directly prevented from accessing.
Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
Often the actions performed by injected control code are unlogged.
Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
No detection method information available for this CWE.
This example attempts to write user messages to a message file and allow users to view them.
While the programmer intends for the MessageFile to only include data, an attacker can provide a message such as:
Perl code directly injected into CGI library file from parameters to another CGI program.
View DetailsPHP code from User-Agent HTTP header directly inserted into log file implemented as PHP script.
View Detailschain: execution after redirect allows non-administrator to perform static code injection.
View DetailsNo relationship information available for this CWE.
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
If exploited, CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')) it can compromise Confidentiality, Access Control, Integrity, Availability, Other and Non-Repudiation, leading to outcomes such as Read Files or Directories, Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands and Hide Activities.
Recommended mitigations for CWE-96 include: Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
CWE-96 commonly affects PHP, Perl and Interpreted. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-96, including CVE-2002-0495, CVE-2005-1876, CVE-2005-1894, CVE-2003-0395 and CVE-2007-6652. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-96 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.