CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.
Overview
CWE-84 (Improper Neutralization of Encoded URI Schemes in a Web Page) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
17 recorded CVEs are caused by CWE-84 (Improper Neutralization of Encoded URI Schemes in a Web Page). The highest-severity and most recent are shown first. 0 new CWE-84 CVEs have been recorded so far in 2026 (12 in 2025).
- CVE-2025-58444
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
High · CVSS 8.6 · EPSS 17th · 2025-09-08
- CVE-2024-45045
JavaScript Injection via url encoded values in links in Collabora Office Android
Medium · CVSS 6.3 · EPSS 66th · 2024-08-29
- CVE-2024-52890
IBM Engineering Lifecycle Optimization - Publishing cross-site scripting