CWE-1236 vulnerability list (128)

Summary of the 128 CVE vulnerabilities classified under the CWE-1236 weakness, with AI-generated Chinese analysis.

CWE-1236 belongs to the CSV injection class of vulnerabilities: a program writes user input into a CSV file without properly escaping special characters. An attacker exploits the flaw by embedding in the data malicious formulas that begin with an equals sign, a plus sign or a tab character; when the victim opens the file in spreadsheet software, these formulas are executed automatically, which may lead to data leakage, remote code execution or tampering with system configuration. Developers should defend against such attacks by escaping special characters, restricting the input content, or storing the data in a non-formula format.

MITRE CWE official description
CWE: CWE-1236 Improper Neutralization of Formula Elements in a CSV File. Description: the product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize, or incorrectly neutralizes, special elements that could be interpreted as commands when the file is opened by a spreadsheet product.
Common consequences (1)
Scope: Confidentiality. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Attackers can populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Mitigations (3)
Phase: Implementation. When generating CSV output, ensure that formula-sensitive metacharacters are effectively escaped or removed from all data before storage in the resultant CSV. Risky characters include '=' (equal), '+' (plus), '-' (minus), and '@' (at).
Effectiveness: Moderate
Phase: Implementation. If a field starts with a formula character, prepend it with a ' (single apostrophe), which prevents Excel from executing the formula.
Effectiveness: Moderate
Phase: Architecture and Design. Certain implementations of spreadsheet software might disallow formulas from executing if the file is untrusted, or if the file is not authored by the current user.
Effectiveness: Limited
Code examples (1)
Hyperlinks or other commands can be executed when a cell begins with the formula identifier, '='

Attack example (Other):
=HYPERLINK(link_location, [friendly_name])

Good example (Other):
HYPERLINK(link_location, [friendly_name])
CVE ID | Title | CVSS | Risk level | Published
CVE-2026-42267 | Kimai formula injection vulnerability — kimai | - | - | 2026-05-08
CVE-2026-27644 | Traccar CSV formula injection vulnerability — traccar | 6.5 | Medium | 2026-05-05
CVE-2023-54348 | ERPGo SaaS 3.9 vendor creation CSV injection vulnerability — ERPGo SaaS | 8.8 | High | 2026-05-05
CVE-2026-39424 | MaxKB security vulnerability — MaxKB | 7.8 | - | 2026-04-14
CVE-2026-24447 | Movable Type security vulnerability — Movable Type (Software Edition) | 8.6 (AI) | High (AI) | 2026-02-04
CVE-2025-67851 | Moodle security vulnerability | 6.1 | Medium | 2026-02-03
CVE-2020-36962 | Tendenci security vulnerability — Tendenci | 9.8 | Critical | 2026-01-28
CVE-2021-47901 | dirsearch security vulnerability — dirsearch | 9.8 | Critical | 2026-01-27
CVE-2020-36941 | Knock Subdomain Scan security vulnerability — knock | 9.8 | Critical | 2026-01-27
CVE-2026-23873 | HUSTOJ security vulnerability — hustoj | 8.0 (AI) | High (AI) | 2026-01-21
CVE-2025-61873 | Request Tracker security vulnerability — Request Tracker | 2.6 | Low | 2026-01-16
CVE-2023-53929 | phpMyFAQ security vulnerability — phpMyFAQ | 8.8 | High | 2025-12-17
CVE-2023-53913 | Rukovoditel security vulnerability — Rukovoditel | 8.8 | High | 2025-12-17
CVE-2023-53905 | ProjectSend security vulnerability — projectSend | 8.0 | High | 2025-12-17
CVE-2025-14229 | SourceCodester Inventory Management System security vulnerability — Inventory Management System | 4.7 | Medium | 2025-12-08
CVE-2025-13133 | WordPress plugin Simple User Import Export security vulnerability — Simple User Import Export | 6.6 | Medium | 2025-11-18
CVE-2025-12249 | Axosoft Scrum and Bug Tracking security vulnerability — Scrum and Bug Tracking | 6.3 | Medium | 2025-10-27
CVE-2025-11576 | WordPress plugin AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant security vulnerability — AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant | 4.3 | Medium | 2025-10-24
CVE-2025-62417 | Webkul Software Bagisto security vulnerability — bagisto | 7.8 (AI) | High (AI) | 2025-10-16
CVE-2025-11498 | B&R Automation Runtime security vulnerability — Automation Runtime | 6.1 | Medium | 2025-10-14
CVE-2025-11254 | WordPress plugin Contest Gallery – Upload, Vote & Sell with PayPal and Stripe security vulnerability — Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 4.3 | Medium | 2025-10-11
CVE-2025-11279 | Axosoft Scrum and Bug Tracking security vulnerability — Scrum and Bug Tracking | 5.5 | Medium | 2025-10-05
CVE-2025-35033 | Medical Informatics Engineering Enterprise Health security vulnerability — Enterprise Health | 4.1 | Medium | 2025-09-29
CVE-2025-58855 | WordPress plugin AP HoneyPot security vulnerability — AP HoneyPot WordPress Plugin | 7.1 | High | 2025-09-05
CVE-2025-55745 | UnoPim security vulnerability — unopim | 8.8 (AI) | High (AI) | 2025-08-22
CVE-2025-9241 | ELADMIN security vulnerability — eladmin | 6.3 | Medium | 2025-08-20
CVE-2025-8767 | WordPress plugin AnWP Football Leagues security vulnerability — AnWP Football Leagues | 4.8 | Medium | 2025-08-12
CVE-2025-8808 | tianti security vulnerability — tianti 天梯 | 4.3 | Medium | 2025-08-10
CVE-2025-54752 | Alfasado PowerCMS security vulnerability — PowerCMS | 6.5 | Medium | 2025-07-31
CVE-2025-6838 | WordPress plugin Broken Link Notifier security vulnerability — Broken Link Notifier | 4.1 | Medium | 2025-07-11

CWE-1236 is a common weakness category; this platform has collected 128 CVE vulnerabilities associated with it.