CWE-146: Improper Neutralization of Expression/Command Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Last updated
Overview
As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Real-world CVEs
9 recorded CVEs are caused by CWE-146 (Improper Neutralization of Expression/Command Delimiters). The highest-severity and most recent are shown first. 1 new CWE-146 CVE has been recorded so far in 2026 (2 in 2025).