CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences: vulnerability list (38)

Summary of the 38 CVE entries classified under CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences, with AI-generated analysis in Chinese.

CWE-150 is an input validation weakness: the program receives input from an upstream component but does not correctly escape or filter special elements that contain escape characters, metacharacters or control sequences. An attacker exploits it by injecting malicious sequences that mislead a downstream component into performing unintended actions, such as command injection or cross-site scripting. Developers need to implement strict input validation, escape special characters in a canonical way, and make sure downstream components parse the data correctly, so that malicious sequences never reach an interpreter that would act on them.

MITRE CWE official description
CWE: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences. Description: the product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Common consequences (1)
Scope: Integrity. Technical impact: Execute Unauthorized Code or Commands; Hide Activities; Unexpected State.
ANSI escape codes can be used for low-severity attacks such as changing the color of console output, but they can also be used to arbitrarily move the cursor, clear the screen, and make fake prompts inside the interactive CLI via malicious user input. In some …
Mitigations (5)
Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or whit…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Phase: Implementation. When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about wh…
Effectiveness: High
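The allowlist mitigation above (only printable characters and chosen whitespace pass; everything else is neutralized before it reaches a terminal) as an added example, not code from the CWE entry or from this site. The sample "LLM output" is constructed for the demonstration; it carries the colour, cursor and clear-screen sequences the consequences section describes, plus a C1 CSI introducer that UTF-8 terminals also honour.

```python
import unicodedata

# Whitespace control characters allowed through verbatim. The CWE text names
# carriage return and newline as allowable; drop "\r" if line overwriting is a
# concern for your renderer.
DEFAULT_ALLOWED = frozenset("\n\r\t")

# Constructed sample of untrusted output: colour, cursor-home, clear-screen,
# a C1 single-byte CSI (U+009B) and a DEL, none of which should reach a terminal.
SAMPLE_LLM_OUTPUT = "Result: \x1b[32mok\x1b[0m\x1b[H\x1b[2J\x9b31mdone\x7f\n"


def neutralize_for_terminal(text: str, allowed: frozenset = DEFAULT_ALLOWED) -> str:
    """Return `text` with every control character made visible and inert.

    Unicode category Cc covers C0 (U+0000..U+001F), DEL (U+007F) and C1
    (U+0080..U+009F). ESC (0x1B) starts every ANSI CSI/OSC sequence and U+009B /
    U+009D are their single-byte C1 equivalents; once these introducers are
    rewritten as literal text such as '\\x1b', the terminal cannot interpret any
    sequence that depends on them, whatever follows. Characters in `allowed`
    are passed through unchanged (accept-known-good whitespace).
    """
    out = []
    for ch in text:
        if ch in allowed or unicodedata.category(ch) != "Cc":
            out.append(ch)
        else:
            out.append(f"\\x{ord(ch):02x}")
    return "".join(out)


def contains_control_sequence(text: str, allowed: frozenset = DEFAULT_ALLOWED) -> bool:
    """Detection helper: True if `text` holds any control character outside
    `allowed`. Useful for logging or alerting when untrusted content (user input,
    LLM output, third-party logs) arrives carrying terminal control codes."""
    return any(
        unicodedata.category(ch) == "Cc" and ch not in allowed for ch in text
    )


if __name__ == "__main__":
    if contains_control_sequence(SAMPLE_LLM_OUTPUT):
        print("control sequences detected; rendering neutralized form")
    print(neutralize_for_terminal(SAMPLE_LLM_OUTPUT), end="")
```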
Code example (1)
Consider a situation in which an AI agent uses LLM output based on training data from untrusted sources.
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-41526 | KCoreAddons security vulnerability | KCoreAddons | 6.5 | Medium | 2026-04-28
CVE-2026-6019 | CPython security vulnerability | CPython | 6.1 (AI) | Medium (AI) | 2026-04-22
CVE-2026-40505 | MuPDF security vulnerability | MuPDF | 3.3 | Low | 2026-04-16
CVE-2026-26149 | Microsoft Power Apps security vulnerability | Microsoft Power Apps Desktop Client | 9.0 | Critical | 2026-04-14
CVE-2026-35651 | OpenClaw security vulnerability | OpenClaw | 4.3 | Medium | 2026-04-10
CVE-2026-3108 | Mattermost security vulnerability | Mattermost | 8.0 | High | 2026-03-26
CVE-2025-62845 | QNAP Systems QHora security vulnerability | QuRouter | 7.8 | - | 2026-03-20
CVE-2026-25996 | Inspektor Gadget security vulnerability | inspektor-gadget | 9.4 (AI) | Critical (AI) | 2026-02-12
CVE-2025-15311 | Tanium Appliance security vulnerability | Tanium Appliance | 7.8 | High | 2026-02-05
CVE-2026-21521 | Microsoft 365 Word Copilot security vulnerability | Microsoft 365 Word Copilot | 7.4 | High | 2026-01-22
CVE-2026-21439 | badkeys security vulnerability | badkeys | 5.3 | - | 2026-01-05
CVE-2025-65082 | Apache HTTP Server security vulnerability | Apache HTTP Server | 7.5 | - | 2025-12-05
CVE-2025-64494 | Soft Serve security vulnerability | soft-serve | 4.6 | Medium | 2025-11-08
CVE-2025-55754 | Apache Tomcat security vulnerability | Apache Tomcat | 8.8 | - | 2025-10-27
CVE-2025-58160 | tracing security vulnerability | tracing | 7.1 | - | 2025-08-29
CVE-2025-55193 | Rails security vulnerability | rails | 5.3 (AI) | Medium (AI) | 2025-08-13
CVE-2024-47252 | Apache HTTP Server security vulnerability | Apache HTTP Server | 5.3 (AI) | Medium (AI) | 2025-07-10
CVE-2025-47284 | Gardener security vulnerability | gardener | 9.1 (AI) | Critical (AI) | 2025-05-19
CVE-2024-58251 | BusyBox security vulnerability | BusyBox | 2.5 | Low | 2025-04-23
CVE-2025-30089 | gurk security vulnerability | gurk | 5.4 | Medium | 2025-03-16
CVE-2025-0975 | IBM MQ security vulnerability | MQ | 8.8 | High | 2025-02-28
CVE-2025-1693 | MongoDB security vulnerability | mongosh | 3.9 | Low | 2025-02-27
CVE-2025-1692 | MongoDB Shell security vulnerability | mongosh | 6.3 | Medium | 2025-02-27
CVE-2025-25286 | Crayfish security vulnerability | Crayfish | 9.8 | Critical | 2025-02-13
CVE-2024-9774 | python-sql security vulnerability | | 9.8 (AI) | Critical (AI) | 2024-12-27
CVE-2024-56201 | Jinja security vulnerability | jinja | 8.1 | - | 2024-12-23
CVE-2024-43785 | gitoxide security vulnerability | gitoxide | 2.5 | Low | 2024-08-22
CVE-2024-27936 | Deno security vulnerability | deno | 8.8 | High | 2024-03-06
CVE-2023-40185 | shescape security vulnerability | shescape | 6.5 | Medium | 2023-08-23
CVE-2023-3265 | Cyber Power Systems CyberPower PowerPanel Enterprise security vulnerability | PowerPanel Enterprise | 9.8 | Critical | 2023-08-14

CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) is a common weakness class; this platform lists 38 CVE entries associated with it.