Home/CWE/Improper Neutralization of Special Elements
Weakness

Improper Neutralization of Special Elements

CWE-138 · Class · Draft

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Extended description

Most languages and protocols have their own special elements such as characters and reserved words. These special elements can carry control implications. If product does not prevent external control or influence over the inclusion of such special elements, the control flow of the program may be altered from what was intended.

For example, both Unix and Windows interpret the symbol < ("less than") as meaning "read input from a file".

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-707 · Improper Neutralization
Children (more specific)
ParentOfCWE-140 · Improper Neutralization of Delimiters
ParentOfCWE-147 · Improper Neutralization of Input Terminators
ParentOfCWE-148 · Improper Neutralization of Input Leaders
ParentOfCWE-149 · Improper Neutralization of Quoting Syntax
ParentOfCWE-150 · Improper Neutralization of Escape, Meta, or Control Sequences
ParentOfCWE-151 · Improper Neutralization of Comment Delimiters
ParentOfCWE-152 · Improper Neutralization of Macro Symbols
ParentOfCWE-153 · Improper Neutralization of Substitution Characters
ParentOfCWE-154 · Improper Neutralization of Variable Name Delimiters
ParentOfCWE-155 · Improper Neutralization of Wildcards or Matching Symbols
ParentOfCWE-156 · Improper Neutralization of Whitespace
ParentOfCWE-157 · Failure to Sanitize Paired Delimiters
ParentOfCWE-158 · Improper Neutralization of Null Byte or NUL Character
ParentOfCWE-159 · Improper Handling of Invalid Use of Special Elements
ParentOfCWE-160 · Improper Neutralization of Leading Special Elements
ParentOfCWE-162 · Improper Neutralization of Trailing Special Elements
ParentOfCWE-164 · Improper Neutralization of Internal Special Elements
ParentOfCWE-464 · Addition of Data Structure Sentinel
ParentOfCWE-790 · Improper Filtering of Special Elements

Attack Patterns (CAPEC)

3
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-105HTTP Request Splitting
CAPEC-15Command Delimiters
CAPEC-34HTTP Response Splitting

CVEs With This Weakness

13
A sample of the 13 CVEs tagged with this weakness.
CVECVE-2026-32178
CVECVE-2026-26129
CVECVE-2026-20009
CVECVE-2025-5878
CVECVE-2025-48939
CVECVE-2024-51500
CVECVE-2024-38133
CVECVE-2023-7012
CVECVE-2023-42117
CVECVE-2023-22288
CVECVE-2022-2429
CVECVE-2022-0024
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin