CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-134 · CAPEC-41 · CAPEC-81 · CAPEC-93
CVEs mapped to this weakness (43)
page 1 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-11362 | Cri | 0.64 | 9.8 | 0.00 | Jun 5, 2026 | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the… | ||
| CVE-2026-9270 | Cri | 0.59 | 9.1 | 0.00 | Jun 5, 2026 | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable),… | ||
| CVE-2026-26149 | Cri | 0.59 | 9.0 | 0.01 | Apr 14, 2026 | Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. | ||
| CVE-2017-0899 | Cri | 0.58 | 9.8 | 0.11 | Aug 31, 2017 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | ||
| CVE-2025-25286 | Cri | 0.57 | 9.8 | 0.01 | Feb 13, 2025 | Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been… | ||
| CVE-2025-55754 | Cri | 0.56 | 9.6 | 0.10 | Oct 27, 2025 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was… | ||
| CVE-2024-32986 | Cri | 0.55 | 9.6 | 0.01 | May 3, 2024 | PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and… | ||
| CVE-2026-54057 | Hig | 0.44 | 7.8 | 0.00 | Jun 12, 2026 | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue. | ||
| CVE-2026-45038 | Hig | 0.44 | 7.8 | 0.00 | May 15, 2026 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233. | ||
| CVE-2025-62845 | Med | 0.44 | 6.7 | 0.00 | Mar 20, 2026 | An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in… | ||
| CVE-2024-9774 | Med | 0.42 | 6.5 | 0.01 | Dec 27, 2024 | A vulnerability was found in python-sql where unary operators do not escape non-Expression. | ||
| CVE-2026-41526 | Med | 0.35 | 6.5 | 0.00 | Apr 28, 2026 | In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a… | ||
| CVE-2025-30089 | Med | 0.35 | 5.4 | 0.00 | Mar 17, 2025 | gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences. | ||
| CVE-2026-6019 | Med | 0.33 | 6.1 | 0.00 | Apr 22, 2026 | http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow… | ||
| CVE-2025-23026 | Med | 0.33 | 6.1 | 0.00 | Jan 13, 2025 | jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and… | ||
| CVE-2026-47090 | Med | 0.23 | 4.6 | 0.00 | May 18, 2026 | Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal… | ||
| CVE-2025-64494 | Med | 0.23 | 4.6 | 0.00 | Nov 8, 2025 | Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same… | ||
| CVE-2024-28085 | Low | 0.22 | 3.3 | 0.02 | Mar 27, 2024 | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.)… | ||
| CVE-2026-35651 | Med | 0.21 | 4.3 | 0.00 | Apr 10, 2026 | OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling… | ||
| CVE-2026-45803 | Low | 0.16 | 3.5 | 0.00 | May 15, 2026 | `gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view… |
- risk 0.64cvss 9.8epss 0.00
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the…
- risk 0.59cvss 9.1epss 0.00
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable),…
- risk 0.59cvss 9.0epss 0.01
Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.
- risk 0.58cvss 9.8epss 0.11
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
- risk 0.57cvss 9.8epss 0.01
Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been…
- risk 0.56cvss 9.6epss 0.10
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was…
- risk 0.55cvss 9.6epss 0.01
PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and…
- risk 0.44cvss 7.8epss 0.00
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue.
- risk 0.44cvss 7.8epss 0.00
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code execution can be achieved. This vulnerability is fixed in 1.0.233.
- risk 0.44cvss 6.7epss 0.00
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in…
- risk 0.42cvss 6.5epss 0.01
A vulnerability was found in python-sql where unary operators do not escape non-Expression.
- risk 0.35cvss 6.5epss 0.00
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a…
- risk 0.35cvss 5.4epss 0.00
gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences.
- risk 0.33cvss 6.1epss 0.00
http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow…
- risk 0.33cvss 6.1epss 0.00
jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The `javaScriptBlock` and…
- risk 0.23cvss 4.6epss 0.00
Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal…
- risk 0.23cvss 4.6epss 0.00
Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same…
- risk 0.22cvss 3.3epss 0.02
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.)…
- risk 0.21cvss 4.3epss 0.00
OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling…
- risk 0.16cvss 3.5epss 0.00
`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view…