CWE-74β€”Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

PUBLISHEDweakness recordHigh
released 2006-07-19 Β· last modified 2026-04-30
CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') - Diagram

Metadata

CWE ID:
CWE-74
Abstraction:
Class
Structure:
Simple
Status:
Incomplete
Release Date:
2006-07-19
Latest Modification Date:
2026-04-30

Weakness Name

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Common Consequences

Scope:
Confidentiality
Impact:
Read Application Data
Notes:
Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Scope:
Access Control
Impact:
Bypass Protection Mechanism
Notes:
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope:
Other
Impact:
Alter Execution Logic
Notes:
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Scope:
Integrity, Other
Impact:
Other
Notes:
Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Scope:
Non-Repudiation
Impact:
Hide Activities
Notes:
Often the actions performed by injected control code are unlogged.

Related Weaknesses

Related Alerts