CWE-791
AllowedIncomplete Filtering of Special Elements
Abstraction: Base · Status: Incomplete
The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
63 vulnerabilities reference this CWE, most recent first.
GHSA-V5C9-PMXR-9VHC
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 00:30A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d. This affects the function AbstractFreemarkerView.doRender of the file publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/base/AbstractFreemarkerView.java of the component FreeMarker Template Handler. Such manipulation leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-5987"
],
"database_specific": {
"cwe_ids": [
"CWE-791"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T23:17:02Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d. This affects the function AbstractFreemarkerView.doRender of the file publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/base/AbstractFreemarkerView.java of the component FreeMarker Template Handler. Such manipulation leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-v5c9-pmxr-9vhc",
"modified": "2026-04-10T00:30:31Z",
"published": "2026-04-10T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5987"
},
{
"type": "WEB",
"url": "https://github.com/sanluan/PublicCMS/issues/113"
},
{
"type": "WEB",
"url": "https://github.com/sanluan/PublicCMS"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/792385"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/356541"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/356541/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VJGJ-42F6-7997
Vulnerability from github – Published: 2026-04-29 22:23 – Updated: 2026-04-29 22:23Summary
The optional flag --filter-system-calls was not applied even if specified.
Details
This is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd.
Impact
Reduced sandboxing of the netfoil binary.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tinfoil-factory/netfoil"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-791"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-29T22:23:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe optional flag `--filter-system-calls` was not applied even if specified.\n\n### Details\nThis is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd.\n\n### Impact\nReduced sandboxing of the netfoil binary.",
"id": "GHSA-vjgj-42f6-7997",
"modified": "2026-04-29T22:23:41Z",
"published": "2026-04-29T22:23:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tinfoil-factory/netfoil/security/advisories/GHSA-vjgj-42f6-7997"
},
{
"type": "WEB",
"url": "https://github.com/tinfoil-factory/netfoil/commit/8c84f1b03adf1df5b4e6d07a49043d13dbbf9ee1"
},
{
"type": "PACKAGE",
"url": "https://github.com/tinfoil-factory/netfoil"
},
{
"type": "WEB",
"url": "https://github.com/tinfoil-factory/netfoil/releases/tag/v0.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "netfoil\u0027s optional seccomp sandboxing was not applied"
}
GHSA-VV7J-WQVH-7JXQ
Vulnerability from github – Published: 2023-08-31 18:30 – Updated: 2024-04-04 07:20An Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.
See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.
This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.
{
"affected": [],
"aliases": [
"CVE-2023-31172"
],
"database_specific": {
"cwe_ids": [
"CWE-791"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T16:15:09Z",
"severity": "HIGH"
},
"details": "\nAn Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.\n\n\n\n\n\nSee Instruction Manual Appendix A and Appendix E dated 20230615 for more details.\n\n\nThis issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.\n\n",
"id": "GHSA-vv7j-wqvh-7jxq",
"modified": "2024-04-04T07:20:48Z",
"published": "2023-08-31T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31172"
},
{
"type": "WEB",
"url": "https://selinc.com/support/security-notifications/external-reports"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.