CWE-177: Improper Handling of URL Encoding (Hex Encoding)
The product does not properly handle when all or part of an input has been URL encoded.
Last updated
Overview
CWE-177 (Improper Handling of URL Encoding (Hex Encoding)) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
11 recorded CVEs are caused by CWE-177 (Improper Handling of URL Encoding (Hex Encoding)). The highest-severity and most recent are shown first. 6 new CWE-177 CVEs have been recorded so far in 2026 (1 in 2025).
- CVE-2026-29045
Hono: Arbitrary file access via serveStatic vulnerability
Critical · CVSS 9.8 · EPSS 35th2026-03-04 - CVE-2026-59083
Apache Tomcat: Incorrect URL decoding in RewriteValve may allow security control bypass
Critical · CVSS 9.1 · EPSS 30th2026-07-14 - CVE-2026-41041
Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints.