Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-116

CWE-116

High likelihood

Improper Encoding or Escaping of Output

Parent: CWE-707 - Improper Neutralization

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

414 vulnerabilities with CWE-116

CVE-2026-41426 MEDIUM

pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates

CVE-2026-42040 LOW

Axios <1.15.1, <0.31.1 - Info Disclosure

CVE-2026-41318 MEDIUM

AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer

CVE-2026-33597 LOW

PRSD detection denial of service

CVE-2026-40871 HIGH

mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API

CVE-2026-40568 HIGH

FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization

CVE-2026-40567 MEDIUM

FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables

CVE-2026-6058 MEDIUM

Zyxel WRE6505 v2 Firmware < V1.00(ABDV.3)C0 - Denial of Service

CVE-2026-35582 HIGH

Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix

CVE-2026-40593 MEDIUM

ChurchCRM: Stored XSS in UserEditor.php via Login Name Field

CVE-2026-40483 MEDIUM

ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field

CVE-2026-40302 MEDIUM

zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering

CVE-2026-33436 LOW

Stirling-PDF: Reflected XSS through crafted filename in file upload functionality

CVE-2026-35569 HIGH

ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

CVE-2026-20136 MEDIUM

Cisco Identity Services Engine Authenticated Privilege Escalation Vulnerability

CVE-2026-2404 MEDIUM

Schneider Electric PowerChute Serial Shutdown <=1.4 - Log Injection

CVE-2026-33657 MEDIUM

EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field

CVE-2026-40023 MEDIUM

Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-40021 MEDIUM

Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters

CVE-2026-34481 HIGH

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

CVE-2026-34480 HIGH

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-34479 MEDIUM

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-34483 HIGH

Apache Tomcat: Incomplete escaping of JSON access logs

CVE-2026-35534 HIGH

ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection

CVE-2026-35208 MEDIUM

lichess.org has an Unsanitized Stream Title Injection on /streamer

Page 1 of 17 Next

Details

Vulnerabilities 414

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy