CWE-116
Improper Encoding or Escaping of Output
Description
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-104 · CAPEC-73 · CAPEC-81 · CAPEC-85
CVEs mapped to this weakness (216)
page 6 of 11

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40021 | | Med | 0.27 | 5.3 | 0.01 | | Apr 10, 2026 | Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters… |
| CVE-2017-12340 | | Med | 0.27 | 4.2 | 0.00 | | Nov 30, 2017 | A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to access the Bash shell of an affected device's operating… |
| CVE-2026-33597 | | Low | 0.24 | 3.7 | 0.00 | | Apr 22, 2026 | PRSD detection denial of service |
| CVE-2026-33657 | | Med | 0.23 | 4.6 | 0.00 | | Apr 13, 2026 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email… |
| CVE-2026-44458 | | Med | 0.21 | 4.3 | 0.00 | | May 13, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS… |
| CVE-2026-35651 | | Med | 0.21 | 4.3 | 0.00 | | Apr 10, 2026 | OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling… |
| CVE-2023-28362 | | Med | 0.19 | 4.0 | 0.00 | | Jan 9, 2025 | The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. |
| CVE-2026-42040 | | Low | 0.17 | 3.7 | 0.00 | | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After… |
| CVE-2026-47188 | | Low | 0.15 | — | 0.00 | | Jun 11, 2026 | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without… |
| CVE-2026-47175 | | Low | 0.15 | — | 0.00 | | Jun 11, 2026 | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to… |
| CVE-2026-48485 | | Low | 0.14 | — | 0.00 | | Jun 12, 2026 | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a… |
| CVE-2026-33436 | | Low | 0.13 | 3.1 | 0.00 | | Apr 17, 2026 | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML using unsafe methods like innerHTML without sanitization. An attacker can craft… |
| CVE-2025-60787 | | — | 0.08 | — | 0.24 | | Oct 3, 2025 | MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when… |
| CVE-2025-1795 | | Low | 0.08 | — | 0.01 | | Feb 28, 2025 | During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plain comma. This can result in the address header… |
| CVE-2013-4547 | | | 0.08 | — | 0.68 | | Nov 23, 2013 | nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. |
| CVE-2026-48598 | | Low | 0.07 | — | 0.00 | | Jun 2, 2026 | Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no… |
| CVE-2022-30781 | | | 0.03 | — | 0.88 | | May 16, 2022 | Gitea before 1.16.7 does not escape git fetch remote. |
| CVE-2026-52846 | | | 0.00 | — | 0.00 | | Jun 16, 2026 | Caddy’s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later… |
| CVE-2026-54287 | | | 0.00 | — | 0.00 | | Jun 16, 2026 | On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back… |
| CVE-2026-44311 | | | 0.00 | — | 0.00 | | Jun 12, 2026 | A potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the `toSVG()` method. Specifically, the `color` field within the `colorStops` array of a `fabric.Gradient` object… |