Abstraction: Variant / Status: Incomplete

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Category: other

Description

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Common consequences (2)

  • Integrity / Confidentiality / Availability — Execute Unauthorized Code or Commands
    Run arbitrary code.
  • Confidentiality — Read Application Data
    Attackers may be able to obtain sensitive information.

Potential mitigations (2)

  • [Architecture and Design] Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.
  • [Architecture and Design] Disable script execution functionality in the clients' browser.
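An added example of the first mitigation (not code from MITRE or the cs-graph corpus): a Python check that refuses malformed header values outright and percent-encodes scripting syntax before untrusted data is reflected into an HTTP response header. The function names, the choice of percent-encoding, and the sample input are assumptions of this example.

```python
import re
from urllib.parse import quote

# Structural rule for a single-line HTTP field value: visible ASCII, space and
# horizontal tab only. CR, LF, NUL and other control bytes are rejected rather
# than repaired, since they terminate or split the header on the wire.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")

# RFC 7230 token characters, used to validate the header name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Characters that let a reflected value be read as markup or script by a client
# component that processes raw header bytes: tag delimiters, quotes, ampersand.
_SCRIPT_SYNTAX = frozenset('<>"\'&')


def is_valid_field_value(value: str) -> bool:
    """Return True if value is a well-formed single-line HTTP header value."""
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def neutralize_header_value(value: str) -> str:
    """Percent-encode scripting syntax so the value cannot be parsed as markup.

    Structural violations raise instead of being fixed up: silently dropping
    bytes would change the meaning of the value the application intended.
    """
    if not is_valid_field_value(value):
        raise ValueError("header value contains control or non-ASCII characters")
    # Only the scripting-syntax characters are encoded; ordinary values such as
    # 'text/html; charset=utf-8' pass through unchanged.
    return "".join(quote(ch, safe="") if ch in _SCRIPT_SYNTAX else ch for ch in value)


def reflect_header(name: str, untrusted: str) -> tuple[str, str]:
    """Build a (name, value) pair from untrusted input, ready to send."""
    if _TOKEN_RE.fullmatch(name) is None:
        raise ValueError("header name is not a valid token")
    return name, neutralize_header_value(untrusted)


if __name__ == "__main__":
    # Constructed sample: a user-controlled string that would otherwise be
    # echoed verbatim into a custom response header.
    print(reflect_header("X-Requested-Page", "page<script>alert(1)</script>"))
```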

References

  1. https://cwe.mitre.org/data/definitions/644.html

Incoming relations (8)

Type           Target           Confidence   Tier
Vulnerability  CVE-2025-52660   0%           live
Vulnerability  CVE-2025-64425   0%           live
Vulnerability  CVE-2025-64484   0%           live
Vulnerability  CVE-2025-70948   0%           live
Vulnerability  CVE-2026-26234   0%           live
Vulnerability  CVE-2026-26747   0%           live
Vulnerability  CVE-2026-33149   0%           live
Vulnerability  CVE-2026-48126   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Neutralization of Alternate XSS Syntax
  • CWE: Improper Neutralization of Script in an Error Message Web Page
  • CWE: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  • CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
  • CWE: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.