VYPR

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

Abstraction: Variant · Status: Incomplete

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-134 · CAPEC-41 · CAPEC-81 · CAPEC-93

CVEs mapped to this weakness (43)

page 1 of 3
  • CVE-2026-11362 · Critical · Jun 5, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the…

  • CVE-2026-9270 · Critical · Jun 5, 2026
    risk 0.59 · CVSS 9.1 · EPSS 0.00

    DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable),…

  • CVE-2026-26149 · Critical · Apr 14, 2026
    risk 0.59 · CVSS 9.0 · EPSS 0.01

    Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.

  • CVE-2017-0899 · Critical · Aug 31, 2017
    risk 0.58 · CVSS 9.8 · EPSS 0.11

    RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

  • CVE-2025-25286 · Critical · Feb 13, 2025
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been…

  • CVE-2025-55754 · Critical · Oct 27, 2025
    risk 0.56 · CVSS 9.6 · EPSS 0.10

    Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was…

  • CVE-2024-32986 · Critical · May 3, 2024
    risk 0.55 · CVSS 9.6 · EPSS 0.01

    PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and…

  • CVE-2026-54057 · High · Jun 12, 2026
    risk 0.44 · CVSS 7.8 · EPSS 0.00

    Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.

  • CVE-2026-45038 · High · May 15, 2026
    risk 0.44 · CVSS 7.8 · EPSS 0.00

    Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.

  • CVE-2025-62845 · Medium · Mar 20, 2026
    risk 0.44 · CVSS 6.7 · EPSS 0.00

    An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in…

  • CVE-2024-9774 · Medium · Dec 27, 2024
    risk 0.42 · CVSS 6.5 · EPSS 0.01

    A vulnerability was found in python-sql where unary operators do not escape non-Expression.

  • CVE-2026-41526 · Medium · Apr 28, 2026
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a…

  • CVE-2025-30089 · Medium · Mar 17, 2025
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences.

  • CVE-2026-6019 · Medium · Apr 22, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow…

  • CVE-2025-23026 · Medium · Jan 13, 2025
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and…

  • CVE-2026-47090 · Medium · May 18, 2026
    risk 0.23 · CVSS 4.6 · EPSS 0.00

    Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal…

  • CVE-2025-64494 · Medium · Nov 8, 2025
    risk 0.23 · CVSS 4.6 · EPSS 0.00

    Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same…

  • CVE-2024-28085 · Low · Mar 27, 2024
    risk 0.22 · CVSS 3.3 · EPSS 0.02

    wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.)…

  • CVE-2026-35651 · Medium · Apr 10, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling…

  • CVE-2026-45803 · Low · May 15, 2026
    risk 0.16 · CVSS 3.5 · EPSS 0.00

    `gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view…