VYPR

CWE-176

Improper Handling of Unicode Encoding

Variant, Draft

Description

The product does not properly handle when an input contains Unicode encoding.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-71

CVEs mapped to this weakness (19)

  • CVE-2025-71316 (Critical), Jun 4, 2026
    risk 0.64, cvss 9.8, epss 0.00

    SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file…

  • CVE-2026-4116 (High), Apr 9, 2026
    risk 0.47, cvss 7.2, epss 0.00

    Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user to bypass Workplace/Connect Tunnel TOTP authentication.

  • CVE-2026-45062 (High), Jun 10, 2026
    risk 0.46, cvss 8.1, epss 0.01

    FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an…

  • CVE-2026-20202 (Medium), Apr 15, 2026
    risk 0.43, cvss 6.6, epss 0.00

    In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability…

  • CVE-2026-4114 (Medium), Apr 9, 2026
    risk 0.43, cvss 6.6, epss 0.01

    Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN admin to bypass AMC TOTP authentication.

  • CVE-2026-7040 (High), Apr 27, 2026
    risk 0.42, cvss 7.5, epss 0.00

    Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for…

  • CVE-2026-45135 (High), May 18, 2026
    risk 0.38, cvss n/a, epss 0.00

    Summary: The FastCGI transport's `splitPos()` in [`modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go`](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the…

  • CVE-2024-8067 (Medium), Sep 25, 2024
    risk 0.38, cvss n/a, epss 0.00

    In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224) a Windows ANSI API Unicode "best fit" argument injection was identified.

  • CVE-2026-44288 (Medium), May 13, 2026
    risk 0.34, cvss 5.3, epss 0.00

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who…

  • CVE-2024-47611 (Medium), Oct 2, 2024
    risk 0.34, cvss n/a, epss 0.01

    XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode…

  • CVE-2026-35375 (Low), Apr 22, 2026
    risk 0.14, cvss 3.3, epss 0.00

    A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes to_string_lossy() when constructing chunk filenames, which automatically rewrites invalid byte…

  • CVE-2026-35373 (Low), Apr 22, 2026
    risk 0.14, cvss 3.3, epss 0.00

    A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the…

  • CVE-2026-35346 (Low), Apr 22, 2026
    risk 0.14, cvss 3.3, epss 0.00

    The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::from_utf8_lossy(), which replaces invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD). This behavior…

  • CVE-2026-49401, Jun 16, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to `--deny-read`, `--deny-write`, `--deny-run`, or `--deny-ffi`. On macOS, that comparison was done at the raw-byte level while the APFS…

  • CVE-2026-25480, Feb 9, 2026
    risk 0.00, cvss n/a, epss 0.00

    Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend,…

  • CVE-2026-23950, Jan 20, 2026
    risk 0.00, cvss n/a, epss 0.00

    node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS…

  • CVE-2017-20190, Mar 27, 2024
    risk 0.00, cvss n/a, epss 0.00

    Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple Unicode combining characters, aka a "Zalgo text" attack. NOTE: third parties dispute whether the computational cost of interpreting…

  • CVE-2023-52081, Dec 28, 2023
    risk 0.00, cvss n/a, epss 0.01

    ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type…

  • CVE-2020-8929, Oct 19, 2020
    risk 0.00, cvss n/a, epss 0.00

    A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which results in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with…