CWE-791: Incomplete Filtering of Special Elements
The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
Last updated
Overview
CWE-791 (Incomplete Filtering of Special Elements) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
22 recorded CVEs are caused by CWE-791 (Incomplete Filtering of Special Elements). The highest-severity and most recent are shown first. 8 new CWE-791 CVEs have been recorded so far in 2026 (5 in 2025).
- CVE-2025-0324Critical · CVSS 9.4 · EPSS 26th2025-06-02
- CVE-2024-47590High · CVSS 8.8 · EPSS 51th2024-11-12
- CVE-2026-44232
dssrf: every IPv6 category bypasses is_url_safe
High · CVSS 8.7 · EPSS 27th2026-05-12 - CVE-2022-2132High · CVSS 8.6 · EPSS 76th2022-08-31
- CVE-2024-45481High · CVSS 8.5 · EPSS 4th2025-03-25
- CVE-2024-39283High · CVSS 8.5 · EPSS 8th2024-08-14
- CVE-2026-11998
AngularJS XSS via SCE resource URL sanitization bypass
High · CVSS 7.6 · EPSS 26th2026-06-24 - CVE-2026-7164
pf can overflow the stack parsing crafted SCTP packets
High · CVSS 7.5 · EPSS 35th2026-04-30 - CVE-2023-31172High · CVSS 7.4 · EPSS 23th2023-08-31
- CVE-2026-48208
Denial-of-Service via SVG Rendering in Ticket
Medium · CVSS 6.5 · EPSS 25th2026-06-01 - CVE-2025-59303Medium · CVSS 6.4 · EPSS 15th2025-10-08
- CVE-2023-1076Medium · CVSS 5.5 · EPSS 17th2023-03-27
Showing 12 of 22 recorded CWE-791 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-791 vulnerabilitiesCommon consequences
What can happen when CWE-791 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
Vulnerable example
my $Username = GetUntrustedInput();Attack input
../../../etc/passwdResulting query
../../etc/passwdResulting query
/home/user/../../etc/passwdFrequently asked questions
Common questions about CWE-791.
- What is CWE-791?
- The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
- What CVEs are caused by CWE-791?
- 22 recorded CVEs are attributed to CWE-791, including CVE-2025-0324, CVE-2024-47590, CVE-2026-44232.
- What are the consequences of CWE-791?
- Exploiting CWE-791 can lead to: Unexpected State.
- Is CWE-791 actively exploited?
- 22 recorded CVEs are caused by CWE-791; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-791) (opens in a new tab)
- CWE-791 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-791
Get alerted the moment a new CWE-791 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.