CWE-116

Exploit likelihood: High

Improper Encoding or Escaping of Output

Parent: CWE-707 - Improper Neutralization

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
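The point of the definition is that escaping is specific to the destination context: data is neutralized for the grammar of the message it is inserted into (an HTML attribute, a CSS declaration, a log record), not "sanitized" in the abstract. The following is an added illustration, not code from the CWE entry or from any of the projects listed below. It uses constructed inputs and shows three of the destination contexts represented in this list: an HTML attribute, a CSS declaration value, and a newline-delimited log file. The check in each case is the same one a reviewer applies: parse the output the way the consumer would and confirm that the untrusted data did not add structure.

```python
"""Added example (not from the CWE page or any listed project): the same
untrusted string rendered into three destination contexts, with the
encoding that context needs. All inputs are constructed for this demo."""
import html
import re
from html.parser import HTMLParser

# Constructed attacker-controlled values
HTML_PAYLOAD = '"><script>alert(1)</script><b x="'
CSS_PAYLOAD = "red;background:url(https://attacker.example/x)"
LOG_PAYLOAD = "alice\n2026-01-01T00:00:00Z INFO login ok user=admin"


class TagCollector(HTMLParser):
    """Records start tags and attributes so a test can ask the consumer's
    question: how many elements did the markup actually produce?"""

    def __init__(self):
        super().__init__()
        self.tags = []    # start tags in document order
        self.attrs = {}   # tag -> attributes of its first occurrence

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))


def parse_tags(markup):
    """Return (tags, attrs) as Python's HTML parser sees the markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


# Context 1: HTML attribute value
def render_vulnerable(display_name):
    # CWE-116: raw interpolation; the quote in the payload closes the
    # attribute and the rest becomes new elements.
    return f'<input name="who" value="{display_name}">'


def render_fixed(display_name):
    # Escape for the attribute context: quote=True also turns " and ' into
    # character references, so the value can never terminate the attribute.
    return f'<input name="who" value="{html.escape(display_name, quote=True)}">'


# Context 2: CSS declaration value inside a style attribute.  HTML escaping
# does nothing here: ';' is harmless to the HTML parser but ends the CSS
# declaration.  There is no general CSS escape for free-form values, so the
# fix is an allowlist for the value grammar you actually expect.
CSS_VALUE_OK = re.compile(r"[A-Za-z0-9#%.,() -]+")   # assumed grammar for colors/lengths


def style_attr_fixed(color):
    if not CSS_VALUE_OK.fullmatch(color):
        raise ValueError("rejected CSS value: %r" % color)
    return f'style="color: {color}"'


# Context 3: newline-delimited log file
def log_line_vulnerable(user):
    return f"2026-01-01T00:00:00Z INFO login failed user={user}"


def log_line_fixed(user):
    # Neutralize the record terminator so one event cannot forge a second.
    safe = user.replace("\r", "\\r").replace("\n", "\\n")
    return f"2026-01-01T00:00:00Z INFO login failed user={safe}"


if __name__ == "__main__":
    print(parse_tags(render_vulnerable(HTML_PAYLOAD))[0])  # extra script/b tags
    print(parse_tags(render_fixed(HTML_PAYLOAD))[0])       # only 'input'
    print(log_line_vulnerable(LOG_PAYLOAD).splitlines())   # two records
    print(log_line_fixed(LOG_PAYLOAD).splitlines())        # one record
```

The log and CSS cases are the ones most often missed in review: a value that is correctly HTML-escaped for one sink is re-used in another sink with a different grammar, and the structure of that second message is what breaks.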

446 vulnerabilities with CWE-116 (25 listed below). Format: CVE ID [severity, CVSS score] advisory title.

CVE-2026-44458 [MEDIUM, CVSS 4.3] Hono: CSS Declaration Injection via Style Object Values in JSX SSR
CVE-2026-43939 [HIGH, CVSS 7.3] YAF.NET: Stored XSS in Forum Thread Posts/Replies Allowing Arbitrary JavaScript Execution for All Thread Viewers
CVE-2026-43938 [HIGH, CVSS 8.1] YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
CVE-2026-28907 [HIGH, CVSS 8.1] iOS and iPadOS < 18.7.9 and < 26.5 - Content Security Policy Bypass via Malicious Web Content
CVE-2026-39826 [MEDIUM, CVSS 6.1] Escaper bypass leads to XSS in html/template
CVE-2026-42810 [CRITICAL, CVSS 9.9] Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names
CVE-2026-41426 [MEDIUM, CVSS 6.1] pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates
CVE-2026-42040 [LOW, CVSS 3.7] Axios <1.15.1, <0.31.1 - Info Disclosure
CVE-2026-41318 [MEDIUM, CVSS 5.4] AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer
CVE-2026-6019 [MEDIUM, CVSS 6.1] BaseCookie.js_output() does not neutralize embedded characters
CVE-2026-33597 [LOW, CVSS 3.7] PRSD detection denial of service
CVE-2026-40871 [HIGH, CVSS 7.2] mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API
CVE-2026-40568 [HIGH, CVSS 8.5] FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization
CVE-2026-40567 [MEDIUM, CVSS 5.8] FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables
CVE-2026-6058 [MEDIUM, CVSS 4.5] Zyxel WRE6505 v2 firmware V1.00(ABDV.3)C0 - Denial of Service via Malformed SSID on AP Select Page
CVE-2026-35582 [HIGH, CVSS 8.8] Emissary <8.43.0 Executrix File Endings - OS Command Injection
CVE-2026-40593 [MEDIUM, CVSS 4.8] ChurchCRM: Stored XSS in UserEditor.php via Login Name Field
CVE-2026-40483 [MEDIUM, CVSS 5.4] ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field
CVE-2026-40302 [MEDIUM, CVSS 6.1] zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
CVE-2026-33436 [LOW, CVSS 3.1] Stirling-PDF: Reflected XSS through crafted filename in file upload functionality
CVE-2026-35569 [HIGH, CVSS 8.7] ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
CVE-2026-20136 [MEDIUM, CVSS 6.0] Cisco Identity Services Engine Authenticated Privilege Escalation Vulnerability
CVE-2026-2404 [MEDIUM, CVSS 5.3] Schneider Electric PowerChute Serial Shutdown <=1.4 - Log Injection
CVE-2026-33657 [MEDIUM, CVSS 4.6] EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field
CVE-2026-40023 [MEDIUM, CVSS 5.3] Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters