Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-116

CWE-116

High likelihood

Improper Encoding or Escaping of Output

Parent: CWE-707 - Improper Neutralization

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

446 vulnerabilities with CWE-116

CVE-2026-40021 MEDIUM

Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters

CVE-2026-34481 HIGH

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

CVE-2026-34480 HIGH

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-34479 HIGH

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

CVE-2026-34483 HIGH

Apache Tomcat: Incomplete escaping of JSON access logs

CVE-2026-35534 HIGH

ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection

CVE-2026-35208 MEDIUM

lichess.org Stream Titles - HTML Injection

CVE-2026-26027 HIGH

GLPI 11.0.0-11.0.5 Inventory - Unauthenticated Stored Cross-Site Scripting

CVE-2026-25932 HIGH

GLPI has Stored XSS in Supplier 'Website' field

CVE-2026-33941 HIGH

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

CVE-2026-33758 MEDIUM

OpenBao has Reflected XSS in its OIDC authentication error message

CVE-2026-33628 MEDIUM

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items

CVE-2026-32986 MEDIUM

Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection

CVE-2026-32811 HIGH

Heimdall: Path received via Envoy gRPC corrupted when containing query string

CVE-2026-29106 MEDIUM

SuiteCRM has blind XSS in return_id parameter

CVE-2026-32754 CRITICAL

FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})

CVE-2026-33301 HIGH

OpenEMR has arbitrary image file read via PDF generator

CVE-2026-31898 HIGH

jsPDF <4.2.1 createAnnotation color - PDF Object Injection

CVE-2026-28499 MEDIUM

Vapor LeafKit < 1.14.2 - Collection Value Cross-Site Scripting

CVE-2026-3644 HIGH

Incomplete control character validation in http.cookies

CVE-2026-31859 MEDIUM

Craft CMS 4.15.3-4.17.3 - Reflected Cross-Site Scripting via Unsanitized Return URL

CVE-2026-28350 MEDIUM

lxml_html_clean <0.4.4 - Auth Bypass

CVE-2026-28348 MEDIUM

lxml_html_clean < 0.4.4 - Cross-Site Scripting via CSS Unicode Escape Sequence Bypass

CVE-2026-27812 CRITICAL

sub2api < 0.1.85 - Password Reset Poisoning via Host Header Manipulation

CVE-2026-21443 MEDIUM

OpenEMR < 8.0.0 - Cross-Site Scripting via Unescaped Translation Function Output

Previous Page 3 of 18 Next

Details

Vulnerabilities 446

Exploit Likelihood High

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy