LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-116

CWE-116

Improper Encoding or Escaping of Output

Class EXPLOIT LIKELIHOOD: HIGH

What it is

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Improper encoding or escaping can allow attackers to change the commands that are sent to another component, inserting malicious commands instead.Most products follow a certain protocol that uses structured messages for communication between components, such as queries or commands. These structured messages can contain raw data interspersed with metadata or control information. For example, "GET /index.html HTTP/1.1" is a structured message containing a command ("GET") with a single argument ("/index.html") and metadata about which protocol version is being used ("HTTP/1.1").If an application uses attacker-supplied inputs to construct a structured message without properly encoding or escaping, then the attacker could insert special characters that will cause the data to be interpreted as control information or metadata. Consequently, the component that receives the output will perf

Impact

IntegrityModify Application Data
Integrity, Confidentiality, Availability, Access ControlExecute Unauthorized Code or Commands
ConfidentialityBypass Protection Mechanism

Mitigations

  • [Architecture and Design]Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.Alternately, use built-in functions, but consider using wrappers in
  • [Architecture and Design]If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.For example, stored procedures can enforce database query structure and reduce the l
  • [Architecture and Design, Implementation] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required e
  • [Architecture and Design] In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting
  • [Architecture and Design] Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).
  • [Requirements] Fully specify which encodings are required by components that will be communicating with each other.
  • [Implementation] When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Real-world CVE examples

  • CVE-2021-41232 — Chain: authentication routine in Go-based agile development product does not escape user name (CWE-116), allowing LDAP injection (CWE-90)
  • CVE-2008-4636 — OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.
  • CVE-2008-0769 — Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
  • CVE-2008-0005 — Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
  • CVE-2008-5573 — SQL injection via password parameter; a strong password might contain "&"
  • CVE-2008-3773 — Cross-site scripting in chat application via a message subject, which normally might contain "&" and other XSS-related characters.
  • CVE-2008-0757 — Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top