Skip to main content

CWE-176

Improper Handling of Unicode Encoding

23 CVEs Avg CVSS 6.1 MITRE
3
CRITICAL
3
HIGH
13
MEDIUM
4
LOW
6
POC
1
KEV

Monthly

CVE-2026-59890 PyPI MEDIUM PATCH This Month

Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Python Apple Setuptools
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-48618 MEDIUM PATCH This Month

Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.

Information Disclosure Node Js
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2025-71316 CRITICAL POC PATCH Act Now

Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows attackers to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments can be transformed into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. Publicly available exploit research (Blackhat EU 2024 'WorstFit' presentation) demonstrates the technique, though no public exploit identified targeting sqldiff specifically and it is not listed in CISA KEV.

Microsoft RCE
NVD
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44288 npm MEDIUM PATCH GHSA This Month

protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1 accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths, allowing attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. Patch versions 7.5.6 and 8.0.2 are available; Node.js Buffer-backed paths are not directly affected.

Canonical Node.js Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7040 HIGH This Week

Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.

Buffer Overflow Text
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-35375 Cargo LOW PATCH Monitor

The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-35373 Cargo LOW POC PATCH GHSA Monitor

The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.

Denial Of Service Coreutils
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-35346 Cargo LOW PATCH GHSA Monitor

The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.

Information Disclosure Coreutils
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-20202 MEDIUM PATCH This Month

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.

Information Disclosure Splunk Enterprise Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-4116 HIGH NEWS This Week

Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.

Authentication Bypass Sonicwall
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Python Apple +1
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper hostname normalization in Node.js TLS server-identity verification (fixed in v26.3.1) lets a TLS peer's hostname be evaluated without proper Unicode/case normalization, so identity checks may match a host they should reject. Rated High by the Node.js team (CVSS 7.7, scope-changed, confidentiality-only), it can cause a client to trust the wrong server and expose data carried over the connection. No public exploit identified at time of analysis; this was disclosed pre-NVD via the nodejs/node June 2026 security release and is not listed in CISA KEV.

Information Disclosure Node Js
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows attackers to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments can be transformed into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. Publicly available exploit research (Blackhat EU 2024 'WorstFit' presentation) demonstrates the technique, though no public exploit identified targeting sqldiff specifically and it is not listed in CISA KEV.

Microsoft RCE
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

protobufjs versions 7.5.5 and earlier, and 8.0.0-8.0.1 accept overlong UTF-8 byte sequences in the minimal UTF-8 decoder used by non-Node and fallback decoding paths, allowing attackers to bypass byte-level filtering and decode strings containing characters that were not present in the raw protobuf binary input. This integrity issue affects applications that rely on pre-decoding byte validation before using protobuf strings in security-sensitive contexts. Patch versions 7.5.6 and 8.0.2 are available; Node.js Buffer-backed paths are not directly affected.

Canonical Node.js Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.

Buffer Overflow Text
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

The split utility in uutils coreutils corrupts output filenames when processing non-UTF-8 prefix or suffix inputs by converting invalid byte sequences to UTF-8 replacement characters, causing filename mismatches, collisions, and potential data misdirection. Affected versions prior to 0.8.0 on all platforms exhibit this behavior, which deviates from GNU split's byte-preservation semantics. Local authenticated users can trigger the vulnerability through crafted non-UTF-8 input, leading to integrity issues in automated workflows relying on predictable filename generation.

Information Disclosure Coreutils
NVD GitHub
EPSS 0% CVSS 3.3
LOW POC PATCH Monitor

The ln utility in uutils coreutils fails to process source paths containing non-UTF-8 filename bytes when using target-directory forms, rejecting valid filenames that GNU ln handles correctly. This logic error affects automated scripts and system tasks on Unix filesystems where non-UTF-8 filenames are common, causing denial of service for those specific operations. SSVC classifies exploitation as possible (POC available) but not automatable, with partial technical impact.

Denial Of Service Coreutils
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

The comm utility in uutils coreutils silently corrupts binary and non-UTF-8 encoded file output by replacing invalid UTF-8 byte sequences with the Unicode replacement character (U+FFFD), diverging from GNU comm's byte-preserving behavior. This affects any user comparing files with legacy encodings or binary content, resulting in data integrity loss. A proof-of-concept demonstrating the lossy conversion exists, and a patch is available.

Information Disclosure Coreutils
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.

Information Disclosure Splunk Enterprise Splunk Cloud Platform
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Two-factor authentication bypass in SonicWall SMA1000 SSL-VPN allows remote attackers with valid SSLVPN credentials to circumvent TOTP requirements via Unicode encoding manipulation. Affects SMA1000 versions 12.5.0-02283 and 12.4.3-03245 and earlier. Requires high-privilege (PR:H) authenticated access but enables complete authentication bypass (CVSS 7.2). Low EPSS score (0.03%, 10th percentile) indicates minimal observed exploitation likelihood. No public exploit code identified at time of analysis.

Authentication Bypass Sonicwall
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy