CWE-794: Incomplete Filtering of Multiple Instances of Special Elements
The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
Last updated
Overview
Incomplete filtering of this nature may be applied to: sequential elements (special elements that appear next to each other) or non-sequential elements (special elements that appear multiple times in different locations).
Real-world CVEs
4 recorded CVEs are caused by CWE-794 (Incomplete Filtering of Multiple Instances of Special Elements). The highest-severity and most recent are shown first. 1 new CWE-794 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-794 is exploited.
Unexpected State
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code takes untrusted input and uses a regular expression to filter "../" from the input. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.
Vulnerable example
my $Username = GetUntrustedInput();Attack input
../../../etc/passwdResulting query
../../etc/passwdResulting query
/home/user/../../etc/passwdFrequently asked questions
Common questions about CWE-794.
- What is CWE-794?
- The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
- What CVEs are caused by CWE-794?
- 4 recorded CVEs are attributed to CWE-794, including CVE-2019-0002, CVE-2026-21876, CVE-2021-0203.
- What are the consequences of CWE-794?
- Exploiting CWE-794 can lead to: Unexpected State.
- Is CWE-794 actively exploited?
- 4 recorded CVEs are caused by CWE-794; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-794) (opens in a new tab)
- CWE-794 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-794
Get alerted the moment a new CWE-794 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.