CWE-116: Improper Encoding or Escaping of Output
Also known as: Output Sanitization, Output Validation, Output Encoding
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Last updated
Overview
Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead. Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1"). If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perform the wrong operations, or otherwise interpret the data incorrectly.
Real-world CVEs
218 recorded CVEs are caused by CWE-116 (Improper Encoding or Escaping of Output), including 4 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 82 new CWE-116 CVEs have been recorded so far in 2026 (55 in 2025).
- CVE-2024-38475CISA KEV
Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.
Critical · CVSS 9.3 · EPSS 100th2024-07-01 - CVE-2022-42948CISA KEVHigh · CVSS 8.7 · EPSS 84th2023-03-24
- CVE-2026-20245CISA KEV
Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability
High · CVSS 7.8 · EPSS 98th2026-06-04 - CVE-2022-24682CISA KEVMedium · CVSS 6.4 · EPSS 98th2022-02-09
- CVE-2026-48358
Adobe Commerce | Improper Encoding or Escaping of Output (CWE-116)
Critical · CVSS 10.0 · EPSS 56th2026-07-14 - CVE-2025-55730
XWiki Remote Macros vulnerable to remote code execution using the confluence paste code macro
Critical · CVSS 10.0 · EPSS 48th2025-09-09 - CVE-2025-55729
XWiki Remote Macros vulnerable to remote code execution using the ConfluenceLayoutSection macro
Critical · CVSS 10.0 · EPSS 48th2025-09-09 - CVE-2023-26472Critical · CVSS 10.0 · EPSS 62th2023-03-02
- CVE-2022-23603Critical · CVSS 9.9 · EPSS 59th2022-02-01
- CVE-2026-54133
jmespath.php has CompilerRuntime code injection via unescaped function names
Critical · CVSS 9.8 · EPSS 24th2026-06-12 - CVE-2025-8276
HTML Injection in Patika Global Technologies' HumanSuite
Critical · CVSS 9.8 · EPSS 23th2025-09-16 - CVE-2025-56266Critical · CVSS 9.8 · EPSS 84th2025-09-08
Showing 12 of 218 recorded CWE-116 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-116 vulnerabilitiesCommon consequences
What can happen when CWE-116 is exploited.
Modify Application Data
Affects: Integrity
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Execute Unauthorized Code or Commands
Affects: Integrity, Confidentiality, Availability, Access Control
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
Bypass Protection Mechanism
Affects: Confidentiality
The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-116, grouped by where in the lifecycle they apply.
Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.
Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
Fully specify which encodings are required by components that will be communicating with each other.
When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.
How to detect it
Automated Static Analysis
This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
Effectiveness: Moderate
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code displays an email address that was submitted as part of a form.
Vulnerable example
<% String email = request.getParameter("email"); %>The value read from the form parameter is reflected back to the client browser without having been encoded prior to output, allowing various XSS attacks (CWE-79).
Consider a chat application in which a front-end web application communicates with a back-end server. The back-end is legacy code that does not perform authentication or authorization, so the front-end must implement it. The chat protocol supports two commands, SAY and BAN, although only administrators can use the BAN command. Each argument must be separated by a single space. The raw inputs are URL-encoded. The messaging protocol allows multiple commands to be specified on the same line if they are separated by a "|" character.
Vulnerable example
# generate an array of strings separated by the "|" character.
$inputString = readLineFromFileHandle($serverFH);Vulnerable example
$inputString = GetUntrustedArgument("command");Attack input
SAY hello world|BAN user12Resulting query
SAY hello%20world|BAN%20user12Resulting query
SAY hello worldThis example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.
Vulnerable example
sub GetUntrustedInput {Attack input
' pwdIllustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-41232 — Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
- CVE-2008-4636 — OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.
- CVE-2008-0769 — Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
- CVE-2008-0005 — Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
- CVE-2008-5573 — SQL injection via password parameter; a strong password might contain "&"
- CVE-2008-3773 — Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.
- CVE-2008-0757 — Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.
Terminology & mappings
Alternate terms
- Output Sanitization
- Output Validation
- Output Encoding
Mapped taxonomies
- WASC: Improper Output Handling (22)
- The CERT Oracle Secure Coding Standard for Java (2011): Sanitize untrusted data passed across a trust boundary (IDS00-J) — Exact fit
- The CERT Oracle Secure Coding Standard for Java (2011): Use a subset of ASCII for file and path names (IDS05-J)
- SEI CERT Oracle Coding Standard for Java: Prevent SQL injection (IDS00-J) — Imprecise fit
- SEI CERT Perl Coding Standard: Sanitize untrusted data passed across a trust boundary (IDS33-PL) — Exact fit
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-116.
- What is CWE-116?
- The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
- What CVEs are caused by CWE-116?
- 218 recorded CVEs are attributed to CWE-116, including CVE-2024-38475, CVE-2022-42948, CVE-2026-20245. 4 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-116?
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- How is CWE-116 detected?
- Automated Static Analysis: This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives.
- What are the consequences of CWE-116?
- Exploiting CWE-116 can lead to: Modify Application Data, Execute Unauthorized Code or Commands, Bypass Protection Mechanism.
- Is CWE-116 actively exploited?
- Yes. 4 CWE-116 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 218 recorded CVEs.
References
- MITRE CWE definition (CWE-116) (opens in a new tab)
- CWE-116 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-116
Get alerted the moment a new CWE-116 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.