SFP Secondary Cluster: Tainted Input to Environment

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

The product does not prevent the definition of control spheres from external actors.

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.

The product does not properly protect an assumed-immutable element from being modified by an attacker.

A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the appli...

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) o...

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes ...

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).