Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

612 vulnerabilities reference this CWE, most recent first.

GHSA-JQW6-R3PP-RFVR

Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-11T16:16:18Z",
    "severity": "LOW"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.",
  "id": "GHSA-jqw6-r3pp-rfvr",
  "modified": "2026-03-11T18:30:32Z",
  "published": "2026-03-11T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12697"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3341953"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579504"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV8M-2544-3PG3

Vulnerability from github – Published: 2026-05-21 21:27 – Updated: 2026-05-21 21:27
VLAI
Summary
Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`
Details

Description

Several filters in the twig/* extras packages are registered with is_safe => ['all'], which tells Twig's autoescaper to treat their output as safe in every context (html, js, css, url, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.

Affected filters:

  • html_to_markdown (twig/markdown-extra) emits plain Markdown text. league/html-to-markdown decodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled <code>&lt;img src=x onerror=alert(1)&gt;</code> becomes `<img src=x onerror=alert(1)>`, which renders live when interpolated into an HTML page.
  • markdown_to_html (twig/markdown-extra) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline <script> block).
  • inline_css (twig/cssinliner-extra) emits HTML with inlined styles. Same constraint as markdown_to_html.

In all three cases, is_safe => ['all'] causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote |raw. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.

Resolution

  • html_to_markdown no longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.
  • markdown_to_html and inline_css are now declared is_safe => ['html'], asserting only what they actually guarantee.

Credits

Twig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for html_to_markdown and markdown_to_html in twig/markdown-extra, and Christophe Coevoet for extending the audit to inline_css in twig/cssinliner-extra.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "twig/markdown-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "twig/cssinliner-extra"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T21:27:20Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\nSeveral filters in the `twig/*` extras packages are registered with `is_safe =\u003e [\u0027all\u0027]`, which tells Twig\u0027s autoescaper to treat their output as safe in every context (`html`, `js`, `css`, `url`, ...). The output of these filters is plain text or HTML markup, neither of which is safe in every escaping context.\n\nAffected filters:\n\n- `html_to_markdown` (`twig/markdown-extra`) emits plain Markdown text. `league/html-to-markdown` decodes HTML entities when producing code spans and fenced blocks, so an attacker-controlled `\u003ccode\u003e\u0026lt;img src=x onerror=alert(1)\u0026gt;\u003c/code\u003e` becomes `` `\u003cimg src=x onerror=alert(1)\u003e` ``, which renders live when interpolated into an HTML page.\n- `markdown_to_html` (`twig/markdown-extra`) emits HTML. Safe in an HTML context but not in JS, CSS or URL contexts (e.g. when interpolated into an inline `\u003cscript\u003e` block).\n- `inline_css` (`twig/cssinliner-extra`) emits HTML with inlined styles. Same constraint as `markdown_to_html`.\n\nIn all three cases, `is_safe =\u003e [\u0027all\u0027]` causes the autoescaper to emit the output verbatim in any context, even when the developer never wrote `|raw`. In a context such as a JS string or a URL parameter, this produces unescaped HTML and is exploitable as XSS.\n\n### Resolution\n\n- `html_to_markdown` no longer claims to be safe in any escaping context; its plain-text output is now autoescaped for the surrounding context.\n- `markdown_to_html` and `inline_css` are now declared `is_safe =\u003e [\u0027html\u0027]`, asserting only what they actually guarantee.\n\n### Credits\n\nTwig would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix for `html_to_markdown` and `markdown_to_html` in `twig/markdown-extra`, and Christophe Coevoet for extending the audit to `inline_css` in `twig/cssinliner-extra`.",
  "id": "GHSA-jv8m-2544-3pg3",
  "modified": "2026-05-21T21:27:20Z",
  "published": "2026-05-21T21:27:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/security/advisories/GHSA-jv8m-2544-3pg3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/cssinliner-extra/CVE-2026-46637.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/markdown-extra/CVE-2026-46637.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/twigphp/Twig"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2026-46637"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe =\u003e [\u0027all\u0027]`"
}

GHSA-JWVF-28FG-G4XG

Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-21 21:40
VLAI
Summary
WooCommerce WordPress plugin before 6.6.0 vulnerable to stored HTML injection
Details

The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "woocommerce/woocommerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T21:40:20Z",
    "nvd_published_at": "2022-07-17T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles",
  "id": "GHSA-jwvf-28fg-g4xg",
  "modified": "2022-07-21T21:40:20Z",
  "published": "2022-07-18T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2099"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/woocommerce/woocommerce"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/0316e5f3-3302-40e3-8ff4-be3423a3be7b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WooCommerce WordPress plugin before 6.6.0 vulnerable to stored HTML injection"
}

GHSA-JWXQ-F9VM-725G

Vulnerability from github – Published: 2023-02-21 00:30 – Updated: 2025-03-18 18:30
VLAI
Details

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1116",
      "CWE-116",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-20T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.",
  "id": "GHSA-jwxq-f9vm-725g",
  "modified": "2025-03-18T18:30:37Z",
  "published": "2023-02-21T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48339"
    },
    {
      "type": "WEB",
      "url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXXQ-8QW2-56G4

Vulnerability from github – Published: 2022-12-21 09:30 – Updated: 2025-04-16 18:31
VLAI
Details

KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character's specifications. Therefore, a crafted text may display misleading web links. As a result, a spoofed URL may be displayed and phishing attacks may be conducted. Affected products and versions are as follows: KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-21T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character\u0027s specifications. Therefore, a crafted text may display misleading web links. As a result, a spoofed URL may be displayed and phishing attacks may be conducted. Affected products and versions are as follows: KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4",
  "id": "GHSA-jxxq-8qw2-56g4",
  "modified": "2025-04-16T18:31:30Z",
  "published": "2022-12-21T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43543"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN43561812/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.au.com/mobile/service/plus-message/information"
    },
    {
      "type": "WEB",
      "url": "https://www.docomo.ne.jp/service/plus_message"
    },
    {
      "type": "WEB",
      "url": "https://www.softbank.jp/mobile/service/plus-message"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2CR-5JFQ-PF77

Vulnerability from github – Published: 2023-08-13 15:30 – Updated: 2024-04-04 06:54
VLAI
Details

Vulnerability of input parameter verification in certain APIs in the window management module. Successful exploitation of this vulnerability may cause the device to restart.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-13T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of input parameter verification in certain APIs in the window management module. Successful exploitation of this vulnerability may cause the device to restart.",
  "id": "GHSA-m2cr-5jfq-pf77",
  "modified": "2024-04-04T06:54:01Z",
  "published": "2023-08-13T15:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39390"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/8"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202308-0000001667644725"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M37G-MWCG-7J7V

Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2024-04-23 23:37
VLAI
Summary
Moodle Improper Encoding or Escaping of Output
Details

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9"
            },
            {
              "fixed": "3.9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10"
            },
            {
              "fixed": "3.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11"
            },
            {
              "fixed": "3.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-40694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T23:37:22Z",
    "nvd_published_at": "2022-09-29T03:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.",
  "id": "GHSA-m37g-mwcg-7j7v",
  "modified": "2024-04-23T23:37:22Z",
  "published": "2022-09-30T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40694"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043421"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle Improper Encoding or Escaping of Output"
}

GHSA-M5FF-HJH4-Q487

Vulnerability from github – Published: 2025-11-11 15:31 – Updated: 2025-11-11 15:31
VLAI
Details

A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T14:15:34Z",
    "severity": "HIGH"
  },
  "details": "A security issue exists within DataMosaix\u2122 Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website.",
  "id": "GHSA-m5ff-hjh4-q487",
  "modified": "2025-11-11T15:31:20Z",
  "published": "2025-11-11T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11085"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1758.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M5P4-GVPX-4MVR

Vulnerability from github – Published: 2026-05-11 14:43 – Updated: 2026-06-08 23:42
VLAI
Summary
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
Details

Summary

GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.

Description

The finding formatter stores file paths and snippets from scanned content:

location = file_path + ":" + str(start_line)
finding = {
    "location": location,
    "code": code,
    "message": result["extra"]["message"],
}

The human-readable reporter later prints these values directly:

"  * " + finding["message"] + " at " + finding["location"] + "\n    " + _format_code_line_for_output(finding["code"])

No escaping is applied for control characters such as \x1b. A malicious package can therefore ship a filename like:

evil\x1b[2J.py

or matched source lines containing terminal escapes, which survive into the final CLI output.

Reproduction summary

  1. Create a file whose name contains \x1b[2J.
  2. Feed a semgrep-style result referencing that file into Analyzer._format_semgrep_response().
  3. Render the result with HumanReadableReporter.print_scan_results().
  4. The output string contains the raw escape bytes, which a terminal may interpret.

Key code paths

  • guarddog/analyzer/analyzer.py:377-392
  • guarddog/reporters/human_readable.py:36-42
  • guarddog/reporters/human_readable.py:84-91

Practical impact

This can be used to: - clear or rewrite analyst terminal output - inject misleading or spoofed log content in CI - emit clickable OSC 8 hyperlinks or title changes in compatible terminals

Prior public disclosure check

As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.

Suggested fix

Escape or strip terminal control characters before rendering any attacker-controlled value in human-readable output. This should cover package names, file paths, messages, and code snippets.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "guarddog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "last_affected": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:43:43Z",
    "nvd_published_at": "2026-05-27T15:16:29Z",
    "severity": "MODERATE"
  },
  "details": "# Summary\nGuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.\n\n# Description\nThe finding formatter stores file paths and snippets from scanned content:\n\n```python\nlocation = file_path + \":\" + str(start_line)\nfinding = {\n    \"location\": location,\n    \"code\": code,\n    \"message\": result[\"extra\"][\"message\"],\n}\n```\n\nThe human-readable reporter later prints these values directly:\n\n```python\n\"  * \" + finding[\"message\"] + \" at \" + finding[\"location\"] + \"\\n    \" + _format_code_line_for_output(finding[\"code\"])\n```\n\nNo escaping is applied for control characters such as `\\x1b`. A malicious package can therefore ship a filename like:\n\n```text\nevil\\x1b[2J.py\n```\n\nor matched source lines containing terminal escapes, which survive into the final CLI output.\n\n# Reproduction summary\n1. Create a file whose name contains `\\x1b[2J`.\n2. Feed a semgrep-style result referencing that file into `Analyzer._format_semgrep_response()`.\n3. Render the result with `HumanReadableReporter.print_scan_results()`.\n4. The output string contains the raw escape bytes, which a terminal may interpret.\n\n# Key code paths\n- `guarddog/analyzer/analyzer.py:377-392`\n- `guarddog/reporters/human_readable.py:36-42`\n- `guarddog/reporters/human_readable.py:84-91`\n\n# Practical impact\nThis can be used to:\n- clear or rewrite analyst terminal output\n- inject misleading or spoofed log content in CI\n- emit clickable OSC 8 hyperlinks or title changes in compatible terminals\n\n# Prior public disclosure check\nAs of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.\n\n# Suggested fix\nEscape or strip terminal control characters before rendering any attacker-controlled value in human-readable output. This should cover package names, file paths, messages, and code snippets.",
  "id": "GHSA-m5p4-gvpx-4mvr",
  "modified": "2026-06-08T23:42:18Z",
  "published": "2026-05-11T14:43:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-m5p4-gvpx-4mvr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44972"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataDog/guarddog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content"
}

GHSA-M6W7-6M35-32WX

Vulnerability from github – Published: 2025-05-20 00:30 – Updated: 2025-05-20 00:30
VLAI
Details

A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T22:15:20Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability exists in PX Backup whereby sensitive information may be logged under specific conditions.",
  "id": "GHSA-m6w7-6m35-32wx",
  "modified": "2025-05-20T00:30:31Z",
  "published": "2025-05-20T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1308"
    },
    {
      "type": "WEB",
      "url": "https://support.purestorage.com/Pure_Security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.