CWE-116: Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Abstraction: Class
Common Consequences
Integrity → Modify Application Data
Integrity → Execute Unauthorized Code or Commands
Confidentiality → Bypass Protection Mechanism
Detection Methods
Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives: they trace untrusted input to an output sink and flag paths on which no encoding routine suitable for that sink's context (HTML body, HTML attribute, URL, shell argument, log line, and so on) is applied.
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. For this weakness the useful test oracle is structural: parse the produced message the way the receiving component would and check that the inputs did not add, remove, or alter elements, fields, or delimiters of the intended structure.
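The following is an added example, not code from the CWE entry or from MITRE, illustrating both the description above (missing versus incorrect encoding) and the structural oracle just described. It assumes a hypothetical HTML template that renders one `<p>` element with one `title` attribute; the two untrusted inputs are constructed for the example. `render_partial` escapes with `html.escape(quote=False)`, which is sufficient for element text but leaves `"` untouched, so an attribute value can still close the quote and inject attributes; `render_escaped` uses `quote=True`, the encoding that matches both contexts used here. `preserves_structure` re-parses the output with the standard library's `HTMLParser` and compares the observed element and attribute names against what the template intended.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the CWE entry): an attacker-controlled
# display name and an attacker-controlled attribute value.
UNTRUSTED_NAME = "<script>alert(1)</script>"
UNTRUSTED_ATTR = '" onmouseover="alert(1)'


def render_unescaped(name, title):
    """CWE-116, missing encoding: data is spliced straight into the markup."""
    return f'<p title="{title}">Hello, {name}</p>'


def render_partial(name, title):
    """CWE-116, incorrect encoding: html.escape(quote=False) is enough for the
    element body but leaves '"' alone, so the attribute value can still close
    the quote and add attributes."""
    return (f'<p title="{html.escape(title, quote=False)}">'
            f'Hello, {html.escape(name, quote=False)}</p>')


def render_escaped(name, title):
    """Correct for both contexts used here: quote=True also encodes '"' and
    "'", so neither value can alter the element or attribute structure."""
    return (f'<p title="{html.escape(title, quote=True)}">'
            f'Hello, {html.escape(name, quote=True)}</p>')


class _Shape(HTMLParser):
    """Records the element names and attribute names the consumer sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.append([k for k, _ in attrs])


def structure(markup):
    """Parse markup the way the receiving component would and return
    (element names, per-element attribute names) in document order."""
    shape = _Shape()
    shape.feed(markup)
    shape.close()
    return shape.tags, shape.attr_names


def preserves_structure(markup):
    """Oracle for the weakness: the template intends exactly one <p> element
    carrying exactly one attribute (title). Anything else means the data
    changed the structure of the message."""
    return structure(markup) == (["p"], [["title"]])


if __name__ == "__main__":
    for render in (render_unescaped, render_partial, render_escaped):
        out = render(UNTRUSTED_NAME, UNTRUSTED_ATTR)
        print(f"{render.__name__:17} preserved={preserves_structure(out)!s:5} {out}")
```

The same oracle drops into a fuzzing harness: generate inputs, render, and fail whenever `preserves_structure` returns `False`. Note that correct HTML entity encoding is only correct for HTML contexts; the same values placed into a JavaScript string literal, a URL, a shell argument, or a log line need the encoder for that context, and the structural check has to be written against that consumer's parser instead.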
Real-World Examples (10)
| CVE | CVSS score | EPSS (probability of exploitation in the next 30 days) | In CISA KEV catalog |
|---|---|---|---|
| CVE-2024-38475 | 9.1 | 93.9% | Y |
| CVE-2022-36446 | 9.8 | 92.9% | — |
| CVE-2024-38473 | 8.1 | 88.3% | — |
| CVE-2022-24682 | 6.1 | 88.0% | Y |
| CVE-2021-31806 | 6.5 | 86.0% | — |
| CVE-2022-30781 | 7.5 | 80.7% | — |
| CVE-2025-60787 | 7.2 | 66.0% | — |
| CVE-2024-39929 | 5.4 | 63.9% | — |
| CVE-2024-1874 | 9.4 | 63.4% | — |
Risk score: 7 / 100 (low-risk)
Active Threat: 7/50 · Minimal
Exploit Availability: 0/50 · Minimal