Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-116 (对输出编码和转义不恰当) — Vulnerability Class 128

128 vulnerabilities classified as CWE-116 (对输出编码和转义不恰当). AI Chinese analysis included.

CWE-116 represents a critical input validation weakness where software fails to properly encode or escape output data before transmitting it to another component. This oversight disrupts the intended message structure, allowing attackers to inject malicious commands or alter data semantics by exploiting the parsing ambiguity. Exploitation typically occurs when unescaped special characters are interpreted as control sequences rather than literal data, leading to severe consequences such as cross-site scripting, command injection, or protocol manipulation. To mitigate this risk, developers must strictly enforce context-aware encoding strategies, ensuring that all output is sanitized according to the specific receiving component’s parsing rules. Implementing robust escaping libraries and validating data boundaries before transmission are essential practices to preserve message integrity and prevent unauthorized command execution.

MITRE CWE Description
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1"). If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.
Common Consequences (3)
IntegrityModify Application Data
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Integrity, Confidentiality, Availability, Access ControlExecute Unauthorized Code or Commands
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
ConfidentialityBypass Protection Mechanism
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Mitigations (5)
Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Alternately, use built-in functions, but consider using wrappers in case t…
Architecture and DesignIf available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. For example, stored procedures can enforce database query structure and reduce the likel…
Architecture and Design, ImplementationUnderstand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required e…
Architecture and DesignIn some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting…
Architecture and DesignUse input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Examples (2)
This code displays an email address that was submitted as part of a form.
<% String email = request.getParameter("email"); %> ... Email Address: <%= email %>
Bad · JSP
Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are U…
$inputString = readLineFromFileHandle($serverFH); # generate an array of strings separated by the "|" character. @commands = split(/\|/, $inputString); foreach $cmd (@commands) { # separate the operator from its arguments based on a single whitespace ($operator, $args) = split(/ /, $cmd, 2); $args = UrlDecode($args); if ($operator eq "BAN") { ExecuteBan($args); } elsif ($operator eq "SAY") { ExecuteSay($args); } }
Bad · Perl
$inputString = GetUntrustedArgument("command"); ($cmd, $argstr) = split(/\s+/, $inputString, 2); # removes extra whitespace and also changes CRLF's to spaces $argstr =~ s/\s+/ /gs; $argstr = UrlEncode($argstr); if (($cmd eq "BAN") && (! IsAdministrator($username))) { die "Error: you are not the admin.\n"; } # communicate with file server using a file handle $fh = GetServerFileHandle("myserver"); print $fh "$cmd $argstr\n";
Bad · Perl
CVE IDTitleCVSSSeverityPublished
CVE-2026-42810 Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names — Apache Polaris 9.9 Critical2026-05-04
CVE-2026-42040 Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams — axios 3.7 Low2026-04-24
CVE-2026-40567 FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables — freescout 5.8 Medium2026-04-21
CVE-2026-6058 Zyxel WRE6505 安全漏洞 — WRE6505 v2 firmware 4.5 Medium2026-04-21
CVE-2026-20136 Cisco Identity Services Engine Authenticated Privilege Escalation Vulnerability — Cisco Identity Services Engine Software 6.0 Medium2026-04-15
CVE-2026-2404 Schneider Electric PowerChute Serial Shutdown 安全漏洞 — PowerChute™ Serial Shutdown 7.5 -2026-04-14
CVE-2026-40023 Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters — Apache Log4cxx 5.3 -2026-04-10
CVE-2026-40021 Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters — Apache Log4net 9.1 -2026-04-10
CVE-2026-34481 Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout — Apache Log4j JSON Template Layout 4.8 -2026-04-10
CVE-2026-34480 Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters — Apache Log4j Core 5.8AIMediumAI2026-04-10
CVE-2026-34479 Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters — Apache Log4j 1 to Log4j 2 bridge 6.5AIMediumAI2026-04-10
CVE-2026-34483 Apache Tomcat: Incomplete escaping of JSON access logs — Apache Tomcat 9.8AICriticalAI2026-04-09
CVE-2026-25932 GLPI has Stored XSS in Supplier 'Website' field — glpi 7.2 High2026-04-06
CVE-2026-32811 Heimdall: Path received via Envoy gRPC corrupted when containing query string — heimdall 8.2 High2026-03-20
CVE-2026-33301 OpenEMR has arbitrary image file read via PDF generator — openemr 3.5 -2026-03-19
CVE-2026-31898 jsPDF has a PDF Object Injection via FreeText color — jsPDF 8.1 High2026-03-18
CVE-2025-12697 Improper Encoding or Escaping of Output in GitLab — GitLab 2.2 Low2026-03-11
CVE-2026-28350 lxml_html_clean: <base> tag injection through default Cleaner configuration — lxml_html_clean 6.1 Medium2026-03-05
CVE-2026-28348 lxml_html_clean: CSS @import Filter Bypass via Unicode Escapes — lxml_html_clean 6.1 Medium2026-03-05
CVE-2026-27812 Sub2API Vulnerable to Password Reset Poisoning via Host Header Trust Issue, Leading to Account Takeover — sub2api 8.8AIHighAI2026-02-26
CVE-2026-21443 OpenEMR allows inconsistent escaping of translation function output — openemr 6.1 -2026-02-25
CVE-2026-25940 jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property) — jsPDF 8.1 High2026-02-19
CVE-2025-15312 Tanium addressed an improper output sanitization vulnerability in TanOS. — Tanium Appliance 6.6 Medium2026-02-05
CVE-2026-25543 HtmlSanitizer has a bypass via template tag — HtmlSanitizer 6.1AIMediumAI2026-02-04
CVE-2026-24737 jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution — jsPDF 8.1 High2026-02-02
CVE-2025-66488 Discourse allows script execution in uploaded HTML/XML files on S3 — discourse 4.6 Medium2026-01-28
CVE-2026-24439 Tenda W30E V2 Lacks X-Content-Type-Options Header — W30E V2 9.4AICriticalAI2026-01-26
CVE-2026-22792 5ire vulnerable to Remote Code Execution (RCE) — 5ire 9.7 Critical2026-01-21
CVE-2026-22712 ApprovedRevs allows bypassing the inline CSS sanitizer — Mediawiki - ApprovedRevs Extension 9.1 -2026-01-09
CVE-2025-59158 Coolify has Stored XSS in Project Name — coolify 5.4 -2026-01-05

Vulnerabilities classified as CWE-116 (对输出编码和转义不恰当) represent 128 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.