CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-134 · CAPEC-41 · CAPEC-81 · CAPEC-93
CVEs mapped to this weakness (43)
page 2 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-58251 | Low | 0.16 | 2.5 | 0.00 | Apr 23, 2025 | In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. | ||
| CVE-2024-43785 | Low | 0.16 | 2.5 | 0.00 | Aug 22, 2024 | gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape… | ||
| CVE-2026-40505 | Low | 0.14 | 3.3 | 0.00 | Apr 16, 2026 | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal… | ||
| CVE-2025-55193 | Low | 0.11 | — | 0.01 | Aug 13, 2025 | Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has… | ||
| CVE-2025-58160 | — | Low | 0.08 | — | 0.00 | Aug 29, 2025 | tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be… | |
| CVE-2026-3108 | 0.00 | — | 0.00 | Mar 26, 2026 | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and… | |||
| CVE-2026-25996 | 0.00 | — | 0.01 | Feb 12, 2026 | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI… | |||
| CVE-2026-23829 | 0.00 | — | 0.01 | Jan 18, 2026 | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers… | |||
| CVE-2026-21439 | 0.00 | — | 0.00 | Jan 5, 2026 | badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the… | |||
| CVE-2025-47284 | 0.00 | — | 0.00 | May 19, 2025 | Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative… | |||
| CVE-2025-31651 | — | 0.00 | — | 0.04 | Apr 28, 2025 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced… | ||
| CVE-2025-1693 | — | 0.00 | — | 0.00 | Feb 27, 2025 | The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh… | ||
| CVE-2025-1692 | — | 0.00 | — | 0.00 | Feb 27, 2025 | The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious… | ||
| CVE-2024-56201 | 0.00 | — | 0.00 | Dec 23, 2024 | Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit… | |||
| CVE-2024-27936 | 0.00 | — | 0.01 | Mar 6, 2024 | Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence… | |||
| CVE-2023-40185 | 0.00 | — | 0.01 | Aug 23, 2023 | shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the… | |||
| CVE-2023-30844 | 0.00 | — | 0.01 | May 8, 2023 | Mutagen provides real-time file synchronization and flexible network forwarding for developers. Prior to versions 0.16.6 and 0.17.1 in `mutagen` and prior to version 0.17.1 in `mutagen-compose`, Mutagen `list` and `monitor` commands are susceptible to control characters that… | |||
| CVE-2023-28446 | 0.00 | — | 0.01 | Mar 24, 2023 | Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with… | |||
| CVE-2023-26055 | 0.00 | — | 0.01 | Mar 2, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in… | |||
| CVE-2022-43756 | 0.00 | — | 0.01 | Feb 7, 2023 | A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version… |
- risk 0.16cvss 2.5epss 0.00
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
- risk 0.16cvss 2.5epss 0.00
gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. gitoxide-core, which provides most underlying functionality of the gix and ein commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape…
- risk 0.14cvss 3.3epss 0.00
MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal…
- risk 0.11cvss —epss 0.01
Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has…
- risk 0.08cvss —epss 0.00
tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be…
- CVE-2026-3108Mar 26, 2026risk 0.00cvss —epss 0.00
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and…
- CVE-2026-25996Feb 12, 2026risk 0.00cvss —epss 0.01
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI…
- CVE-2026-23829Jan 18, 2026risk 0.00cvss —epss 0.01
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers…
- CVE-2026-21439Jan 5, 2026risk 0.00cvss —epss 0.00
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the…
- CVE-2025-47284May 19, 2025risk 0.00cvss —epss 0.00
Gardener implements the automated management and operation of Kubernetes clusters as a service. A security vulnerability was discovered in the `gardenlet` component of Gardener prior to versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. It could allow a user with administrative…
- CVE-2025-31651Apr 28, 2025risk 0.00cvss —epss 0.04
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced…
- CVE-2025-1693Feb 27, 2025risk 0.00cvss —epss 0.00
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh…
- CVE-2025-1692Feb 27, 2025risk 0.00cvss —epss 0.00
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to paste text into mongosh that evaluates arbitrary code. Control characters in the pasted text can be used to obfuscate malicious…
- CVE-2024-56201Dec 23, 2024risk 0.00cvss —epss 0.00
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit…
- CVE-2024-27936Mar 6, 2024risk 0.00cvss —epss 0.01
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41.0 of the deno library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence…
- CVE-2023-40185Aug 23, 2023risk 0.00cvss —epss 0.01
shescape is simple shell escape library for JavaScript. This may impact users that use Shescape on Windows in a threaded context. The vulnerability can result in Shescape escaping (or quoting) for the wrong shell, thus allowing attackers to bypass protections depending on the…
- CVE-2023-30844May 8, 2023risk 0.00cvss —epss 0.01
Mutagen provides real-time file synchronization and flexible network forwarding for developers. Prior to versions 0.16.6 and 0.17.1 in `mutagen` and prior to version 0.17.1 in `mutagen-compose`, Mutagen `list` and `monitor` commands are susceptible to control characters that…
- CVE-2023-28446Mar 24, 2023risk 0.00cvss —epss 0.01
Deno is a simple, modern and secure runtime for JavaScript and TypeScript that uses V8 and is built in Rust. Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a `op_spawn_child` or `op_kill` prompt and replace it with…
- CVE-2023-26055Mar 2, 2023risk 0.00cvss —epss 0.01
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in…
- CVE-2022-43756Feb 7, 2023risk 0.00cvss —epss 0.01
A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version…