| CVE ID | Date | Description |
| --- | --- | --- |
| CVE-2026-9270 | 2026-06-05 | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_st… |
| CVE-2026-11362 | 2026-06-05 | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sourc… |
| CVE-2026-47090 | 2026-05-18 | Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded … |
| CVE-2026-45038 | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code e… |
| CVE-2026-45803 | 2026-05-15 | `gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view… |
| CVE-2026-41526 | 2026-04-28 | In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading t… |
| CVE-2026-6019 | 2026-04-22 | http.cookies.Morsel.js_output() returns an inline `<script>` snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence `</script>` inside the gene… |
| CVE-2026-40505 | 2026-04-16 | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious … |
| CVE-2026-26149 | 2026-04-14 | Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-35651 | 2026-04-10 | OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can ca… |
| CVE-2026-3108 | 2026-03-26 | Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers… |
| CVE-2025-62845 | 2026-03-20 | An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerab… |
| CVE-2026-25996 | 2026-02-12 | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. String fields from eBPF events in columns output mode are … |
| CVE-2025-15311 | 2026-02-05 | Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. |
| CVE-2026-21521 | 2026-01-22 | Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-23829 | 2026-01-19 | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RC… |
| CVE-2026-21439 | 2026-01-06 | badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical… |
| CVE-2025-65082 | 2025-12-05 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calc… |
| CVE-2025-64494 | 2025-11-08 | Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being… |
| CVE-2025-55754 | 2025-10-27 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Wind… |