Skip to main content

CWE-117

Improper Output Neutralization for Logs

81 CVEs Avg CVSS 5.7 MITRE
3
CRITICAL
11
HIGH
62
MEDIUM
5
LOW
10
POC
0
KEV

Monthly

CVE-2026-12616 MEDIUM This Month

Log injection in Eclipse CSI PIA's unauthenticated /v1/upload/sbom endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), meaning the forgery directly subverts the audit trail the service exists to produce. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical sophistication.

Information Disclosure Eclipse Csi Pia
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-10745 HIGH This Week

Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.

Code Injection Microsoft Upkeeper Instant Privilege Access
NVD VulDB
CVSS 4.0
7.9
EPSS
0.3%
CVE-2026-20260 MEDIUM PATCH This Month

ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.

Code Injection Splunk Splunk Soar
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9016 MEDIUM This Month

Log injection in the Debug Log Manager WordPress plugin (versions up to and including 2.5.0) allows unauthenticated remote attackers to write arbitrary forged entries into the site's debug log. The root cause is a broken authorization design: the `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`, and the only gate-a WordPress nonce-is publicly broadcast in every page's front-end HTML via `wp_localize_script()` whenever JavaScript error logging is enabled, rendering it non-secret and thus non-protective. Exploitation enables log spoofing, masking of real malicious activity behind fabricated noise, and manipulation of administrator triage decisions. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-5078 npm MEDIUM POC PATCH GHSA This Month

Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.

Code Injection Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45679 Go MEDIUM PATCH GHSA This Month

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Redis Docker Information Disclosure Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6494 MEDIUM This Month

Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Code Injection Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14684 MEDIUM PATCH This Month

IBM Maximo Application Suite Monitor Component versions 8.10, 8.11, 9.0, and 9.1 contain an improper neutralization vulnerability in log file handling that allows unauthorized users to inject arbitrary data into log messages. An attacker with local access can manipulate log entries to inject malicious content, potentially leading to log tampering and integrity compromise. While the CVSS score of 4.0 reflects low severity with no confidentiality or availability impact, the vulnerability requires no authentication or special privileges, making it a concern for environments with local access controls.

IBM Authentication Bypass
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-59784 HIGH This Week

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. [CVSS 7.2 HIGH]

Information Disclosure Access Commander
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-12755 MEDIUM This Month

IBM MQ Operator (SC2 v3.2.0-3.8.1, LTS v2.0.0-2.0.29) and IBM‑supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x-9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. [CVSS 4.0 MEDIUM]

IBM
NVD
CVSS 3.1
4.0
EPSS
0.0%
EPSS 0% CVSS 6.9
MEDIUM This Month

Log injection in Eclipse CSI PIA's unauthenticated /v1/upload/sbom endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), meaning the forgery directly subverts the audit trail the service exists to produce. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical sophistication.

Information Disclosure Eclipse Csi Pia
NVD
EPSS 0% CVSS 7.9
HIGH This Week

Log injection in upKeeper Instant Privilege Access through 1.6.1 on Windows allows remote unauthenticated attackers to forge, tamper with, or inject crafted entries into application logs by smuggling unneutralized control characters through logged inputs. The flaw (CWE-117) does not directly compromise the upKeeper agent itself but produces high integrity, confidentiality, and availability impact on subsequent log-consuming systems (SIEM, audit pipelines). No public exploit identified at time of analysis and the CVE is not present in CISA KEV.

Code Injection Microsoft Upkeeper Instant Privilege Access
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.

Code Injection Splunk Splunk Soar
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Log injection in the Debug Log Manager WordPress plugin (versions up to and including 2.5.0) allows unauthenticated remote attackers to write arbitrary forged entries into the site's debug log. The root cause is a broken authorization design: the `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`, and the only gate-a WordPress nonce-is publicly broadcast in every page's front-end HTML via `wp_localize_script()` whenever JavaScript error logging is enabled, rendering it non-secret and thus non-protective. Exploitation enables log spoofing, masking of real malicious activity behind fabricated noise, and manipulation of administrator triage decisions. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Log injection in morgan Node.js middleware versions 1.2.0 through 1.10.1 allows unauthenticated remote attackers to forge access log entries by embedding CR or LF control characters in the Basic authentication username of the Authorization request header. The :remote-user format token writes this value to the log stream without sanitization, breaking the one-request-per-line log structure and enabling attackers to fabricate arbitrary log lines visible to downstream consumers such as SIEMs or log aggregators. No active exploitation is confirmed (not in CISA KEV) and no public exploit code is identified at time of analysis, but the zero-prerequisite network attack vector and widespread use of morgan across the Node.js/Express ecosystem make this a meaningful integrity risk for security monitoring pipelines.

Code Injection Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Redis Docker Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Log injection vulnerability in Red Hat Ansible Automation Platform 2 MCP server allows unauthenticated remote attackers to inject control characters and ANSI escape sequences via the `toolsetroute` parameter, enabling log forgery and obscuring legitimate audit trails to facilitate social engineering attacks that trick operators into executing malicious commands or accessing attacker-controlled URLs. CVSS 5.3 (medium) reflects the integrity impact on logs without direct confidentiality or availability impact; exploitation requires no authentication, credentials, or user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Code Injection Red Hat
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

IBM Maximo Application Suite Monitor Component versions 8.10, 8.11, 9.0, and 9.1 contain an improper neutralization vulnerability in log file handling that allows unauthorized users to inject arbitrary data into log messages. An attacker with local access can manipulate log entries to inject malicious content, potentially leading to log tampering and integrity compromise. While the CVSS score of 4.0 reflects low severity with no confidentiality or availability impact, the vulnerability requires no authentication or special privileges, making it a concern for environments with local access controls.

IBM Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

2N Access Commander version 3.4.1 and prior is vulnerable to log pollution. Certain parameters sent over API may be included in the logs without prior validation or sanitisation. [CVSS 7.2 HIGH]

Information Disclosure Access Commander
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

IBM MQ Operator (SC2 v3.2.0-3.8.1, LTS v2.0.0-2.0.29) and IBM‑supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x-9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. [CVSS 4.0 MEDIUM]

IBM
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy