CWE-172
Encoding Error
Description
The product does not properly encode or decode the data, resulting in unexpected values.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-120 · CAPEC-267 · CAPEC-3 · CAPEC-52 · CAPEC-53 · CAPEC-64 · CAPEC-71 · CAPEC-72 · CAPEC-78 · CAPEC-80
CVEs mapped to this weakness (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6691 | Cri | 0.64 | 9.8 | 0.01 | Oct 10, 2016 | service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi gbk2utf module in Android before 2016-10-05 allows remote attackers to cause a denial of service (framework crash) or possibly have unspecified other impact via an access point that has a malformed SSID with… | ||
| CVE-2026-42926 | Med | 0.38 | 5.8 | 0.00 | May 13, 2026 | When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical… | ||
| CVE-2018-7173 | Med | 0.36 | 5.5 | 0.01 | Feb 15, 2018 | A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding. | ||
| CVE-2016-3829 | Med | 0.36 | 5.5 | 0.01 | Aug 5, 2016 | The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 does not initialize certain structure members, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 29023649. | ||
| CVE-2016-3828 | Med | 0.36 | 5.5 | 0.01 | Aug 5, 2016 | decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-08-01 mishandles invalid PPS and SPS NAL units, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28835995. | ||
| CVE-2016-3827 | Med | 0.36 | 5.5 | 0.01 | Aug 5, 2016 | codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in Android 6.0.1 before 2016-08-01 mishandles decoder errors, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28816956. | ||
| CVE-2018-2415 | Med | 0.31 | 4.7 | 0.01 | May 9, 2018 | SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability… | ||
| CVE-2018-7289 | Low | 0.25 | 3.3 | 0.02 | Feb 21, 2018 | An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to… | ||
| CVE-2025-12758 | 0.00 | — | 0.00 | Nov 27, 2025 | Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to… | |||
| CVE-2024-48909 | 0.00 | — | 0.00 | Oct 14, 2024 | SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a… | |||
| CVE-2021-33604 | 0.00 | — | 0.00 | Jun 24, 2021 | URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. | |||
| CVE-2020-36213 | — | 0.00 | — | 0.01 | Jan 22, 2021 | An issue was discovered in the abi_stable crate before 0.9.1 for Rust. A retain call can create an invalid UTF-8 string, violating soundness. | ||
| CVE-2018-3777 | — | Cri | 0.00 | 9.8 | 0.02 | Aug 3, 2018 | Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests. |
- risk 0.64cvss 9.8epss 0.01
service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi gbk2utf module in Android before 2016-10-05 allows remote attackers to cause a denial of service (framework crash) or possibly have unspecified other impact via an access point that has a malformed SSID with…
- risk 0.38cvss 5.8epss 0.00
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical…
- risk 0.36cvss 5.5epss 0.01
A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding.
- risk 0.36cvss 5.5epss 0.01
The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 does not initialize certain structure members, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 29023649.
- risk 0.36cvss 5.5epss 0.01
decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-08-01 mishandles invalid PPS and SPS NAL units, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28835995.
- risk 0.36cvss 5.5epss 0.01
codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in Android 6.0.1 before 2016-08-01 mishandles decoder errors, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28816956.
- risk 0.31cvss 4.7epss 0.01
SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability…
- risk 0.25cvss 3.3epss 0.02
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to…
- CVE-2025-12758Nov 27, 2025risk 0.00cvss —epss 0.00
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to…
- CVE-2024-48909Oct 14, 2024risk 0.00cvss —epss 0.00
SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a…
- CVE-2021-33604Jun 24, 2021risk 0.00cvss —epss 0.00
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
- CVE-2020-36213Jan 22, 2021risk 0.00cvss —epss 0.01
An issue was discovered in the abi_stable crate before 0.9.1 for Rust. A retain call can create an invalid UTF-8 string, violating soundness.
- risk 0.00cvss 9.8epss 0.02
Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests.