Description
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
Extended Description
The product may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the product may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the product might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.
CVE vulnerabilities with CWE-76 (11)
9.8
CVSS
CRITICAL
CVE-2026-28292
pub. 2026-03-10
9.8
CVSS
CRITICAL
CVE-2024-2952
pub. 2024-04-10
9.6
CVSS
CRITICAL
CVE-2024-34359
pub. 2024-05-14
8.6
CVSS
HIGH
CVE-2026-11311
pub. 2026-06-17
8.4
CVSS
HIGH
CVE-2024-4897
pub. 2024-07-02
7.2
CVSS
HIGH
CVE-2024-1882
pub. 2024-03-14
6.5
CVSS
MEDIUM
CVE-2024-21600
pub. 2024-01-12
6.3
CVSS
MEDIUM
CVE-2024-1883
pub. 2024-03-14
5.4
CVSS
MEDIUM
CVE-2023-1149
pub. 2023-03-02
5.3
CVSS
MEDIUM
CVE-2023-0493
pub. 2023-01-26
3.1
CVSS
LOW
CVE-2024-1221
pub. 2024-03-14