CVEbaza.plSłownik CWECWE-76
Common Weakness Enumeration

CWE-76

Improper Neutralization of Equivalent Special Elements

Kategoria: BaseCVE: 11
Opis

Produkt prawidłowo neutralizuje określone elementy specjalne, ale nieprawidłowo neutralizuje równoważne elementy specjalne. To może prowadzić do obejścia mechanizmów bezpieczeństwa lub wykonania niezamierzonego kodu.

Description (EN)

The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Podatności CVE z CWE-76 (11)
9.8
CVSS
CRITICAL
CVE-2026-28292

Biblioteka `simple-git` (wersje 3.15.0–3.22.x oraz 3.23.1–3.32.2) zawiera podatność umożliwiającą zdalne wykonanie kodu (RCE) poprzez command injection. Podatność pozwala atakującemu ominąć poprawki wprowadzone dla dwóch wcześniejszych podatności (CVE-2022-25860 i CVE-2022-25912) i przejąć pełną kontrolę nad maszyną hosta.

pub. 2026-03-10
9.8
CVSS
CRITICAL
CVE-2024-2952

BerriAI LiteLLM zawiera podatność Server-Side Template Injection (SSTI) w endpoincie `/completions`, pozwalającą nieuwierzytelnionemu atakującemu na zdalne wykonanie kodu na serwerze. Podatność posiada krytyczny wynik CVSS 9.8, co czyni ją zagrożeniem najwyższego priorytetu.

pub. 2024-04-10
9.6
CVSS
CRITICAL
CVE-2024-34359

Biblioteka llama-cpp-python zawiera podatność klasy Server Side Template Injection (SSTI) w mechanizmie przetwarzania szablonów czatu Jinja2, która umożliwia wykonanie dowolnego kodu na serwerze (RCE). Wynika to z braku piaskownicy (sandbox) podczas renderowania szablonów pobieranych z metadanych plików modeli .gguf.

pub. 2024-05-14
8.6
CVSS
HIGH
CVE-2026-11311

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2026-06-17
8.4
CVSS
HIGH
CVE-2024-4897

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.

pub. 2024-07-02
7.2
CVSS
HIGH
CVE-2024-1882

This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.

pub. 2024-03-14
6.5
CVSS
MEDIUM
CVE-2024-21600

An Improper Neutralization of Equivalent Special Elements vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows a unauthenticated, adjacent attacker to cause a Denial of Service (DoS). When MPLS packets are meant to be sent to a flexible tunnel interface (FTI) and if the FTI tunnel is down, these will hit the reject NH, due to which the packets get sent to the CPU and cause a host path wedge condition. This will cause the FPC to hang and requires a manual restart to recover. Please note that this issue specifically affects PTX1000, PTX3000, PTX5000 with FPC3, PTX10002-60C, and PTX10008/16 with LC110x. Other PTX Series devices and Line Cards (LC) are not affected. The following log message can be seen when the issue occurs: Cmerror Op Set: Host Loopback: HOST LOOPBACK WEDGE DETECTED IN PATH ID <id> (URI: /fpc/<fpc>/pfe/<pfe>/cm/<cm>/Host_Loopback/<cm>/HOST_LOOPBACK_MAKE_CMERROR_ID[<id>]) This issue affects Juniper Networks Junos OS: * All versions earlier than 20.4R3-S8; * 21.1 versions earlier than 21.1R3-S4; * 21.2 versions earlier than 21.2R3-S6; * 21.3 versions earlier than 21.3R3-S3; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R2-S2, 22.1R3; * 22.2 versions earlier than 22.2R2-S1, 22.2R3.

pub. 2024-01-12
6.3
CVSS
MEDIUM
CVE-2024-1883

This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability.

pub. 2024-03-14
5.4
CVSS
MEDIUM
CVE-2023-1149

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.

pub. 2023-03-02
5.3
CVSS
MEDIUM
CVE-2023-0493

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5.

pub. 2023-01-26
3.1
CVSS
LOW
CVE-2024-1221

This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.

pub. 2024-03-14
Informacje
ID: CWE-76
Typ: Base
Podatności: 11
MITRE CWE ↗
← Słownik CWE
CWE-76 — Niewłaściwa neutralizacja równoważnych elementów specjalnych | Słownik CWE | CVEbaza.pl