Open
Description
URL decoding of valid hex characters works as expected, e.g.,
https://test.cve.org/CVERecord/SearchResults?query=%78
results in a search for the single character 'x' and finds CVE Records such as CVE-2025-7433 with "... Sophos Intercept X for Windows ..." that have that character.
By contrast, using invalid hex characters such as
https://test.cve.org/CVERecord/SearchResults?query=%gg
results in
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Server: AmazonS3
X-Cache: Error from cloudfront
Via: 1.1 9cd85e528eb96b937681f7f81aea46c8.cloudfront.net (CloudFront)
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>
If this can be addressed within the cve-core software, it would be best for the response to have Content-Type: text/html instead, and present an error message within the context of the cve.org website design.
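One way to handle the `%gg` case in application code, as an added example that is not part of the issue and is not cve-core code. It assumes the application receives the raw query string; `parseSearchQuery`, `renderSearchError`, the result shape and the HTML markup are hypothetical.

```javascript
// Added example (hypothetical names, not cve-core code): strictly decode the
// `query` search parameter and turn malformed escapes into an in-site HTML error.
const MALFORMED_ESCAPE = /%(?![0-9A-Fa-f]{2})/; // "%" not followed by two hex digits

function parseSearchQuery(rawQueryString) {
  // Locate the first `query` pair without decoding anything yet.
  const pairs = rawQueryString.replace(/^\?/, '').split('&');
  const pair = pairs.find((p) => p.split('=')[0] === 'query');
  if (pair === undefined) {
    return { ok: false, reason: 'missing query parameter' };
  }
  const eq = pair.indexOf('=');
  const raw = eq === -1 ? '' : pair.slice(eq + 1);

  // Reject sequences such as "%gg", "%7" or a trailing "%" before decoding.
  const bad = raw.match(MALFORMED_ESCAPE);
  if (bad) {
    return { ok: false, reason: `malformed percent-escape at offset ${bad.index}` };
  }
  try {
    // "+" means space in form-encoded query strings.
    // decodeURIComponent still throws for escapes that are valid hex but not
    // valid UTF-8 (for example "%ff"), so that case is caught separately.
    return { ok: true, value: decodeURIComponent(raw.replace(/\+/g, ' ')) };
  } catch (e) {
    return { ok: false, reason: 'percent-escapes are not valid UTF-8' };
  }
}

// Build an HTML error response for a failed parse, instead of an XML error body.
function renderSearchError(result) {
  const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return {
    contentType: 'text/html; charset=utf-8',
    body: `<main class="search-error"><p>Invalid search: ${escapeHtml(result.reason)}</p></main>`,
  };
}

// Constructed sample inputs mirroring the two URLs in the issue.
for (const qs of ['?query=%78', '?query=%gg']) {
  const result = parseSearchQuery(qs);
  console.log(qs, '->', result.ok ? result.value : renderSearchError(result).body);
}
```

`URLSearchParams` is not used here because it passes malformed escapes through unchanged rather than reporting them.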