CWE-116
Allowed-with-ReviewImproper Encoding or Escaping of Output
Abstraction: Class · Status: Draft
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
613 vulnerabilities reference this CWE, most recent first.
GHSA-M6W7-6M35-32WX
Vulnerability from github – Published: 2025-05-20 00:30 – Updated: 2025-05-20 00:30A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2025-1308"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T22:15:20Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.",
"id": "GHSA-m6w7-6m35-32wx",
"modified": "2025-05-20T00:30:31Z",
"published": "2025-05-20T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1308"
},
{
"type": "WEB",
"url": "https://support.purestorage.com/Pure_Security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M7CR-M3PV-HGRP
Vulnerability from github – Published: 2026-05-19 15:21 – Updated: 2026-06-08 23:42Impact
go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.
A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.
The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.
Patches
Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.
Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.
Credit
Thanks to @N0zoM1z0 for reporting this to the go-git project. :bow:
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.19.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.19.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0-alpha.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0-alpha.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45570"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T15:21:01Z",
"nvd_published_at": "2026-05-27T15:16:30Z",
"severity": "LOW"
},
"details": "### Impact\n\n`go-git`\u0027s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedded `\u0027` becomes the `\u0027\\\u0027\u0027` close-escape-reopen sequence and the whole path round-trips as a single quoted argument.\n\nA repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is `/bin/sh` or `/bin/bash`, or a `ForceCommand` wrapper that re-evaluates `$SSH_ORIGINAL_COMMAND`), those additional tokens execute in that account\u0027s command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical `git-shell` setup, are not affected.\n\nThe vulnerable behaviour is on the SSH server side, not in `go-git`: the same bytes can be produced by any SSH client. The change in `go-git` is defense-in-depth that restores parity with canonical Git\u0027s wire format and prevents `go-git` from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.\n\n### Patches\n\nUsers should upgrade to a patched version in order to mitigate this issue. The fix ports `sq_quote_buf` from canonical Git into `go-git`\u0027s SSH transport so that the wire output is byte-identical to what `git` itself would send for the same input.\n\nVersions prior to `v5` are likely to be affected, users are recommended to upgrade to a supported go-git version.\n\n### Credit\n\nThanks to @N0zoM1z0 for reporting this to the `go-git` project. :bow:",
"id": "GHSA-m7cr-m3pv-hgrp",
"modified": "2026-06-08T23:42:58Z",
"published": "2026-05-19T15:21:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45570"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-git/go-git"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "go-git: Improper single-quote escaping in go-git SSH transport"
}
GHSA-MCP9-HFJJ-CPP5
Vulnerability from github – Published: 2024-05-03 18:30 – Updated: 2024-05-03 18:30IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.
{
"affected": [],
"aliases": [
"CVE-2023-28952"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-117"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T18:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463.",
"id": "GHSA-mcp9-hfjj-cpp5",
"modified": "2024-05-03T18:30:37Z",
"published": "2024-05-03T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28952"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/251463"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7149876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MG75-HVVV-R45Q
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.
{
"affected": [],
"aliases": [
"CVE-2021-38751"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-16T14:15:00Z",
"severity": "MODERATE"
},
"details": "A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.",
"id": "GHSA-mg75-hvvv-r45q",
"modified": "2022-05-24T19:11:16Z",
"published": "2022-05-24T19:11:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38751"
},
{
"type": "WEB",
"url": "https://github.com/exponentcms/exponent-cms/issues/1544"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MH7Q-V46C-8VPG
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configuration of Controllers and other hardware items beyond their privilege. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-23205"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "HIGH"
},
"details": "Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configuration of Controllers and other hardware items beyond their privilege. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); version 8.10 and prior versions.",
"id": "GHSA-mh7q-v46c-8vpg",
"modified": "2022-05-24T19:05:01Z",
"published": "2022-05-24T19:05:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23205"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23205"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MJCQ-3WHQ-7XJH
Vulnerability from github – Published: 2025-05-21 21:31 – Updated: 2025-06-10 18:32Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.
{
"affected": [],
"aliases": [
"CVE-2021-25254"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T07:15:59Z",
"severity": "HIGH"
},
"details": "Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.",
"id": "GHSA-mjcq-3whq-7xjh",
"modified": "2025-06-10T18:32:17Z",
"published": "2025-05-21T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25254"
},
{
"type": "WEB",
"url": "https://yandex.com/bugbounty/i/hall-of-fame-browser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MP22-WPH9-QGQX
Vulnerability from github – Published: 2024-10-16 09:30 – Updated: 2025-07-01 21:32Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done The command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
{
"affected": [],
"aliases": [
"CVE-2024-45219"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T08:15:05Z",
"severity": "HIGH"
},
"details": "Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. \n\nAdditionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nThe command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done",
"id": "GHSA-mp22-wph9-qgqx",
"modified": "2025-07-01T21:32:13Z",
"published": "2024-10-16T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45219"
},
{
"type": "WEB",
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"type": "WEB",
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQR9-VQHQ-3JXW
Vulnerability from github – Published: 2026-03-03 21:37 – Updated: 2026-03-19 21:24Summary
OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.
Details
The issue affected Windows daemon startup script generation in src/daemon/schtasks.ts.
Vulnerable behavior included: - Incomplete cmd argument quoting for metacharacter-only values. - Incomplete handling of cmd expansion-sensitive characters in script arguments. - Missing CR/LF guards for script-rendered fields.
The fix hardens Windows script generation by:
- Separating schtasks argument quoting from batch script argument quoting.
- Quoting cmd metacharacter arguments and escaping % / ! expansion cases.
- Rejecting CR/LF in command arguments, task descriptions, and rendered environment assignments.
- Adding regression tests for metacharacter and line-break injection paths.
Impact
This issue is local to Windows deployments and requires control over values that feed service script generation (for example install-time/runtime arguments or environment-derived values). It can result in unintended command execution in the scheduled task context.
Affected Packages / Versions
- Package:
openclaw(npm) - Vulnerable versions:
<= 2026.2.17 - Patched version:
>= 2026.2.19(planned next npm release) - Latest published npm version at update time (2026-02-19):
2026.2.17
Fix Commit(s)
280c6b117b2f0e24f398e5219048cd4cc3b82396
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31994"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:37:29Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nOpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated `gateway.cmd` files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.\n\n### Details\nThe issue affected Windows daemon startup script generation in `src/daemon/schtasks.ts`.\n\nVulnerable behavior included:\n- Incomplete cmd argument quoting for metacharacter-only values.\n- Incomplete handling of cmd expansion-sensitive characters in script arguments.\n- Missing CR/LF guards for script-rendered fields.\n\nThe fix hardens Windows script generation by:\n- Separating schtasks argument quoting from batch script argument quoting.\n- Quoting cmd metacharacter arguments and escaping `%` / `!` expansion cases.\n- Rejecting CR/LF in command arguments, task descriptions, and rendered environment assignments.\n- Adding regression tests for metacharacter and line-break injection paths.\n\n### Impact\nThis issue is local to Windows deployments and requires control over values that feed service script generation (for example install-time/runtime arguments or environment-derived values). It can result in unintended command execution in the scheduled task context.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.2.17`\n- Patched version: `\u003e= 2026.2.19` (planned next npm release)\n- Latest published npm version at update time (2026-02-19): `2026.2.17`\n\n### Fix Commit(s)\n- `280c6b117b2f0e24f398e5219048cd4cc3b82396`\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-mqr9-vqhq-3jxw",
"modified": "2026-03-19T21:24:33Z",
"published": "2026-03-03T21:37:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqr9-vqhq-3jxw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31994"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/280c6b117b2f0e24f398e5219048cd4cc3b82396"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-local-command-injection-via-unsafe-cmd-argument-handling-in-windows-scheduled-task"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling"
}
GHSA-MR95-5FWR-MF38
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.
{
"affected": [],
"aliases": [
"CVE-2019-12675"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-02T19:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the multi-instance feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to escape the container for their FTD instance and execute commands with root privileges in the host namespace. These vulnerabilities are due to insufficient protections on the underlying filesystem. An attacker could exploit these vulnerabilities by modifying critical files on the underlying filesystem. A successful exploit could allow the attacker to execute commands with root privileges within the host namespace. This could allow the attacker to impact other running FTD instances.",
"id": "GHSA-mr95-5fwr-mf38",
"modified": "2024-04-04T02:06:54Z",
"published": "2022-05-24T16:57:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12675"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-ftd-container-esc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MRVC-5W25-H6C4
Vulnerability from github – Published: 2026-01-09 00:30 – Updated: 2026-02-12 18:30Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.
{
"affected": [],
"aliases": [
"CVE-2026-22712"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-09T00:15:45Z",
"severity": "LOW"
},
"details": "Improper Encoding or Escaping of Output\u00a0due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation.This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.",
"id": "GHSA-mrvc-5w25-h6c4",
"modified": "2026-02-12T18:30:19Z",
"published": "2026-01-09T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22712"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T412068"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-4.3
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
- Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Strategy: Parameterization
- If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
- For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
Mitigation
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Mitigation
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Mitigation
Fully specify which encodings are required by components that will be communicating with each other.
Mitigation
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
CAPEC-104: Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.