CWE-140
AllowedImproper Neutralization of Delimiters
Abstraction: Base · Status: Draft
The product does not neutralize or incorrectly neutralizes delimiters.
34 vulnerabilities reference this CWE, most recent first.
GHSA-2RM3-J8QF-6FG4
Vulnerability from github – Published: 2023-11-22 18:30 – Updated: 2023-11-22 18:30Improper neutralization of livestatus command delimiters in ajax_search in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
{
"affected": [],
"aliases": [
"CVE-2023-6157"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-22T17:15:22Z",
"severity": "HIGH"
},
"details": "Improper neutralization of livestatus command delimiters in ajax_search in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p37, and \u003c 2.2.0p15 allows arbitrary livestatus command execution for authorized users.",
"id": "GHSA-2rm3-j8qf-6fg4",
"modified": "2023-11-22T18:30:57Z",
"published": "2023-11-22T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6157"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3RWG-QHQC-M6RC
Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-07-22 12:30Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk <= 2.0.0p39, < 2.1.0p47, < 2.2.0p32 and < 2.3.0p11 allows arbitrary livestatus command execution.
{
"affected": [],
"aliases": [
"CVE-2024-6542"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T10:15:08Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of livestatus command delimiters in mknotifyd in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p47, \u003c 2.2.0p32 and \u003c 2.3.0p11 allows arbitrary livestatus command execution.",
"id": "GHSA-3rwg-qhqc-m6rc",
"modified": "2024-07-22T12:30:37Z",
"published": "2024-07-22T12:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6542"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6P6G-X56F-467G
Vulnerability from github – Published: 2023-11-22 18:30 – Updated: 2023-11-22 18:30Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15 allows arbitrary livestatus command execution for authorized users.
{
"affected": [],
"aliases": [
"CVE-2023-6156"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-22T17:15:22Z",
"severity": "HIGH"
},
"details": "Improper neutralization of livestatus command delimiters in the availability timeline in Checkmk \u003c= 2.0.0p39, \u003c 2.1.0p37, and \u003c 2.2.0p15 allows arbitrary livestatus command execution for authorized users.",
"id": "GHSA-6p6g-x56f-467g",
"modified": "2023-11-22T18:30:57Z",
"published": "2023-11-22T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6156"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8GXR-C98H-CWXM
Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.
{
"affected": [],
"aliases": [
"CVE-2026-33457"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T09:16:24Z",
"severity": "MODERATE"
},
"details": "Livestatus injection in the prediction graph page in Checkmk \u003c2.5.0b4, \u003c2.4.0p26, and \u003c2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.",
"id": "GHSA-8gxr-c98h-cwxm",
"modified": "2026-04-20T18:31:43Z",
"published": "2026-04-10T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33457"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17990"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9WJ4-8H85-PGRW
Vulnerability from github – Published: 2025-06-10 20:14 – Updated: 2025-06-10 20:14Impact
OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.
Patches
The vulnerability has been patched in version 1.11.2.
Workaround
OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.
Details
The issue can be triggered by a broken multipart/form-data request lacking an end boundary to any of OctoPrint's endpoints implemented through the octoprint.server.util.tornado.UploadStorageFallbackHandler request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.
The fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48879"
],
"database_specific": {
"cwe_ids": [
"CWE-140",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T20:14:43Z",
"nvd_published_at": "2025-06-10T16:15:41Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server.\n\n### Patches\n\nThe vulnerability has been patched in version 1.11.2.\n\n### Workaround\n\nOctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not.\n\n### Details\n\nThe issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint\u0027s endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-threaded, that will effectively block the whole web server.\n\nThe fix adds detection of invalid requests like that and ensures they are handled gracefully with an HTTP 400 Bad Request response.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.",
"id": "GHSA-9wj4-8h85-pgrw",
"modified": "2025-06-10T20:14:44Z",
"published": "2025-06-10T20:14:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-9wj4-8h85-pgrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48879"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/c9c35c17bd820f19c6b12e6c0359fc0cfdd0c1ec"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint"
}
GHSA-CC76-VJ8R-JR9W
Vulnerability from github – Published: 2025-04-10 09:30 – Updated: 2025-08-22 00:30Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host.
{
"affected": [],
"aliases": [
"CVE-2024-38865"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T08:15:14Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for an event to originate from a host with the same contact group or from an event generated with an unknown host.",
"id": "GHSA-cc76-vj8r-jr9w",
"modified": "2025-08-22T00:30:31Z",
"published": "2025-04-10T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38865"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CPGC-JHJC-98R4
Vulnerability from github – Published: 2023-05-17 09:30 – Updated: 2024-04-04 04:13Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.
{
"affected": [],
"aliases": [
"CVE-2023-31208"
],
"database_specific": {
"cwe_ids": [
"CWE-140",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-17T09:15:10Z",
"severity": "HIGH"
},
"details": "Improper neutralization of livestatus command delimiters in the RestAPI in Checkmk \u003c 2.0.0p36, \u003c 2.1.0p28, and \u003c 2.2.0b8 (beta) allows arbitrary livestatus command execution for authorized users.",
"id": "GHSA-cpgc-jhjc-98r4",
"modified": "2024-04-04T04:13:24Z",
"published": "2023-05-17T09:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31208"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/15191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ5V-9MXJ-77QC
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.
{
"affected": [],
"aliases": [
"CVE-2024-42385"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T10:15:07Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.",
"id": "GHSA-fj5v-9mxj-77qc",
"modified": "2024-11-18T12:30:42Z",
"published": "2024-11-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42385"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXWV-VC7P-P66G
Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.
{
"affected": [],
"aliases": [
"CVE-2026-33456"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T09:16:24Z",
"severity": "MODERATE"
},
"details": "Livestatus injection in the notification test mode in Checkmk \u003c2.5.0b4 and \u003c2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.",
"id": "GHSA-hxwv-vc7p-p66g",
"modified": "2026-04-20T18:31:43Z",
"published": "2026-04-10T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33456"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P2V5-GHX9-JG75
Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-20 18:31Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.
{
"affected": [],
"aliases": [
"CVE-2026-33455"
],
"database_specific": {
"cwe_ids": [
"CWE-140"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T09:16:23Z",
"severity": "MODERATE"
},
"details": "Livestatus injection in the monitoring quicksearch in Checkmk \u003c2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.",
"id": "GHSA-p2v5-ghx9-jg75",
"modified": "2026-04-20T18:31:43Z",
"published": "2026-04-10T09:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33455"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/17988"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Input Validation
Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Strategy: Output Encoding
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.