CWE-116 · Improper Encoding or Escaping of Output

460 CVEs classified under CWE-116 (Improper Encoding or Escaping of Output). Browse by severity and year.

Top CVEs for CWE-116
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-55730 | Critical | 10.0 | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5… |
| CVE-2025-55729 | Critical | 10.0 | 2025-09-09 | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5… |
| CVE-2023-47143 | Critical | 10.0 | 2024-02-02 | IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by… |
| CVE-2026-42810 | Critical | 9.9 | 2026-05-04 | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those… |
| CVE-2025-49013 | Critical | 9.9 | 2025-06-09 | WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue a… |
| CVE-2023-26472 | Critical | 9.9 | 2023-03-02 | XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by cre… |
| CVE-2022-41934 | Critical | 9.9 | 2022-11-23 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible docum… |
| CVE-2022-36100 | Critical | 9.9 | 2022-09-08 | XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform… |
| CVE-2022-36099 | Critical | 9.9 | 2022-09-08 | XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior… |
| CVE-2022-23603 | Critical | 9.9 | 2022-02-01 | iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitiz… |
| CVE-2026-54133 | Critical | 9.8 | 2026-06-12 | jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP dat… |
| CVE-2025-56266 | Critical | 9.8 | 2025-09-08 | A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. |
| CVE-2025-46347 | Critical | 9.8 | 2025-04-29 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to remote code execution. An arbitrary file write can be used to write a fi… |
| CVE-2025-31651 | Critical | 9.8 | 2025-04-28 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was poss… |
| CVE-2024-10441 | Critical | 9.8 | 2025-03-19 | Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Man… |
| CVE-2024-55663 | Critical | 9.8 | 2024-12-12 | XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering o… |
| CVE-2024-38474 | Critical | 9.8 | 2024-07-01 | Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configur… |
| CVE-2024-31866 | Critical | 9.8 | 2024-04-09 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuratio… |
| CVE-2023-38316 | Critical | 9.8 | 2023-11-17 | An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS comma… |
| CVE-2023-48655 | Critical | 9.8 | 2023-11-17 | An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. |