VYPR

CWE-172

Encoding Error

ClassDraft

Description

The product does not properly encode or decode the data, resulting in unexpected values.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-120 · CAPEC-267 · CAPEC-3 · CAPEC-52 · CAPEC-53 · CAPEC-64 · CAPEC-71 · CAPEC-72 · CAPEC-78 · CAPEC-80

CVEs mapped to this weakness (13)

  • CVE-2016-6691CriOct 10, 2016
    risk 0.64cvss 9.8epss 0.01

    service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi gbk2utf module in Android before 2016-10-05 allows remote attackers to cause a denial of service (framework crash) or possibly have unspecified other impact via an access point that has a malformed SSID with…

  • CVE-2026-42926MedMay 13, 2026
    risk 0.38cvss 5.8epss 0.00

    When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical…

  • CVE-2018-7173MedFeb 15, 2018
    risk 0.36cvss 5.5epss 0.01

    A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding.

  • CVE-2016-3829MedAug 5, 2016
    risk 0.36cvss 5.5epss 0.01

    The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 does not initialize certain structure members, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 29023649.

  • CVE-2016-3828MedAug 5, 2016
    risk 0.36cvss 5.5epss 0.01

    decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-08-01 mishandles invalid PPS and SPS NAL units, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28835995.

  • CVE-2016-3827MedAug 5, 2016
    risk 0.36cvss 5.5epss 0.01

    codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in Android 6.0.1 before 2016-08-01 mishandles decoder errors, which allows remote attackers to cause a denial of service (device hang or reboot) via a crafted media file, aka internal bug 28816956.

  • CVE-2018-2415MedMay 9, 2018
    risk 0.31cvss 4.7epss 0.01

    SAP NetWeaver Application Server Java Web Container and HTTP Service (Engine API, from 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50; J2EE Engine Server Core 7.11, 7.30, 7.31, 7.40, 7.50) do not sufficiently encode user controlled inputs, resulting in a content spoofing vulnerability…

  • CVE-2018-7289LowFeb 21, 2018
    risk 0.25cvss 3.3epss 0.02

    An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to…

  • CVE-2025-12758Nov 27, 2025
    risk 0.00cvss epss 0.00

    Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to…

  • CVE-2024-48909Oct 14, 2024
    risk 0.00cvss epss 0.00

    SpiceDB is an open source database for scalably storing and querying fine-grained authorization data. Starting in version 1.35.0 and prior to version 1.37.1, clients that have enabled `LookupResources2` and have caveats in the evaluation path for their requests can return a…

  • CVE-2021-33604Jun 24, 2021
    risk 0.00cvss epss 0.00

    URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.

  • CVE-2020-36213Jan 22, 2021
    risk 0.00cvss epss 0.01

    An issue was discovered in the abi_stable crate before 0.9.1 for Rust. A retain call can create an invalid UTF-8 string, violating soundness.

  • CVE-2018-3777CriAug 3, 2018
    risk 0.00cvss 9.8epss 0.02

    Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests.