
CWE-183 (Permissive List of Allowed Inputs) — Vulnerability Class 28

28 vulnerabilities classified as CWE-183 (Permissive List of Allowed Inputs). AI-generated analysis in Chinese included.

CWE-183 describes a protection mechanism whose allowlist of acceptable inputs (or of input properties) is broader than the policy it is meant to enforce. The check looks like positive validation, but because the list admits values that are in fact unsafe, anything that matches it is trusted without further verification. The over-permissiveness usually comes from how membership is tested rather than from one bad entry: an unanchored regular expression, a prefix, suffix or substring comparison where an exact one was needed, a wildcard that covers more than intended, a comparison performed before decoding or case normalisation, or an empty list that the code treats as "no restriction" rather than "nothing allowed" (several of the entries below are of that last kind). An attacker supplies a value that satisfies the loose match while still carrying the payload the list was supposed to exclude: a hostname that merely contains an allowed domain, a filename with an allowed extension followed by a path separator, a tag or attribute that a sanitizer's allowed-tags configuration still lets through. The consequence is whatever the bypassed mechanism was guarding, which is why MITRE lists CWE-183 as leading to resultant weaknesses rather than to one fixed impact; the entries on this page range from arbitrary file read and XSS to authorization bypass, privilege escalation and RCE. The fix is to make the allowlist exact and anchored, compare against a canonicalised form of the input, fail closed when the list is empty or unset, and keep downstream defences such as output encoding and parameterised queries as a second layer so that a single permissive match does not decide the outcome.
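The following is an added illustration of the patterns described above, not code from any product listed on this page. It pairs three permissive allowlist checks (substring host match, unanchored extension regex, empty list treated as allow-all) with their strict, fail-closed counterparts and runs both over constructed probe inputs so the divergence is visible. The host names, file names and approver lists are hypothetical values chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: hosts an outbound request or a
# redirect is permitted to target. The names are hypothetical.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})


# ---- Permissive checks: each accepts inputs the policy meant to reject ----

def permissive_host_check(url, allowed=ALLOWED_HOSTS):
    """Substring match: passes if any allowlisted host appears anywhere in the
    URL, so a longer attacker-controlled host, a query parameter or a userinfo
    component that merely contains the string is accepted."""
    return any(host in url for host in allowed)


def permissive_ext_check(filename):
    """Unanchored regex: an allowed extension anywhere in the name is enough,
    so a double extension or a trailing path segment still passes."""
    return re.search(r"\.(txt|png|jpg)", filename) is not None


def permissive_approver_check(actor, approvers):
    """Empty list treated as 'no restriction': an unconfigured policy approves
    everyone instead of no one."""
    return not approvers or actor in approvers


# ---- Strict checks: exact, anchored, fail-closed ----

def strict_host_check(url, allowed=ALLOWED_HOSTS):
    """Parse the URL, pin the scheme, normalise the host (urlsplit lower-cases
    it; a trailing dot is stripped) and require an exact allowlist member."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    return host in allowed


def strict_ext_check(filename):
    """Fully anchored: one label of safe characters, one allowed extension and
    nothing else (no separators, no double extension)."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.(txt|png|jpg)", filename) is not None


def strict_approver_check(actor, approvers):
    """Fail closed: an empty allowlist allows nobody."""
    return bool(approvers) and actor in set(approvers)


# Constructed probe inputs: the first of each list is legitimate, the rest are
# the kinds of value a permissive list lets through.
HOST_PROBES = [
    "https://api.example.com/v1/items",
    "https://api.example.com.attacker.test/",
    "https://attacker.test/?next=api.example.com",
    "https://api.example.com@attacker.test/",
    "javascript:alert(1)//api.example.com",
]
EXT_PROBES = ["report.txt", "shell.php.txt", "x.txt/../etc/passwd"]


def compare(checks, probes):
    """Run a (permissive, strict) pair over the probes and return, per probe,
    the two verdicts as a (permissive, strict) tuple."""
    permissive, strict = checks
    return {p: (permissive(p), strict(p)) for p in probes}


def run_demo():
    """Return every verdict so a caller can inspect where the checks diverge."""
    return {
        "hosts": compare((permissive_host_check, strict_host_check), HOST_PROBES),
        "exts": compare((permissive_ext_check, strict_ext_check), EXT_PROBES),
        "empty_list": (
            permissive_approver_check("mallory", []),
            strict_approver_check("mallory", []),
        ),
    }


if __name__ == "__main__":
    for section, result in run_demo().items():
        print(section, result)
```

Every legitimate probe is accepted by both versions; every malicious probe is accepted only by the permissive one. The strict host check also rejects a non-https scheme outright rather than relying on the allowlist to catch it, and the strict approver check returns False for an empty list, which is the behaviour an unconfigured policy should have.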

MITRE CWE Description
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Common Consequences (1)
Scope: Access Control | Impact: Bypass Protection Mechanism
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-44111 | OpenClaw < 2026.4.15 - Arbitrary Markdown File Read via QMD memory_get | OpenClaw | 4.3 | Medium | 2026-05-06
CVE-2026-43574 | OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists | OpenClaw | 6.5 | Medium | 2026-05-05
CVE-2026-29514 | NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin | netbox | 8.8 | High | 2026-05-04
CVE-2026-41387 | OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization | OpenClaw | 7.8 | High | 2026-04-28
CVE-2026-42042 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion | axios | 5.4 | Medium | 2026-04-24
CVE-2026-42043 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 | axios | 7.2 | High | 2026-04-24
CVE-2026-41240 | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) | DOMPurify | 7.2 (AI) | High (AI) | 2026-04-23
CVE-2026-40899 | DataEase has an Arbitrary File Read Vulnerability | dataease | 8.3 (AI) | High (AI) | 2026-04-16
CVE-2026-35649 | OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist | OpenClaw | 6.5 | Medium | 2026-04-10
CVE-2026-21915 | JSI Virtual Lightweight Collector: Shell escape allows privilege escalation to root | JSI LWC | 6.7 | Medium | 2026-04-09
CVE-2026-33979 | Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk) | express-xss-sanitizer | 8.2 | High | 2026-03-27
CVE-2026-32881 | ewe has an Overly Permissive List of Allowed Inputs | ewe | 5.3 | Medium | 2026-03-20
CVE-2026-2303 | Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak | MongoDB Go Driver | 6.5 | Medium | 2026-02-10
CVE-2025-59457 | JetBrains TeamCity security vulnerability | TeamCity | 7.7 | High | 2025-09-17
CVE-2025-53762 | Microsoft Purview Elevation of Privilege Vulnerability | Microsoft Purview | 8.7 | High | 2025-07-18
CVE-2025-24349 | Bosch Rexroth ctrlX OS security vulnerability | ctrlX OS - Device Admin | 7.1 | High | 2025-04-30
CVE-2024-47565 | Siemens SINEC Security Monitor security vulnerability | SINEC Security Monitor | 4.3 | Medium | 2024-10-08
CVE-2024-38522 | CSP bypass in Hush Line | hushline | 6.3 | Medium | 2024-06-28
CVE-2023-7250 | Iperf3: possible denial of service | Red Hat Enterprise Linux 8 | 5.3 | Medium | 2024-03-18
CVE-2024-1654 | Unauthorized write operations in PaperCut NG/MF | PaperCut NG, PaperCut MF | 7.2 | High | 2024-03-14
CVE-2023-4399 | Grafana security vulnerability | Grafana Enterprise | 6.6 | Medium | 2023-10-17
CVE-2022-42469 | Fortinet FortiGate security vulnerability | FortiOS | 4.1 | Medium | 2023-04-11
CVE-2022-34450 | Dell PowerPath Management Appliance security vulnerability | PowerPath Management Appliance | 6.7 | Medium | 2023-02-10
CVE-2022-23158 | Dell Wyse Device Agent information disclosure vulnerability | Dell Wyse Device Agent | 6.0 | Medium | 2022-04-01
CVE-2021-40128 | Cisco Webex Meetings Email Content Injection Vulnerability | Cisco Webex Meetings | 5.3 | Medium | 2021-11-04
CVE-2021-34787 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Identity-Based Rule Bypass Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 5.3 | Medium | 2021-10-27
CVE-2020-25696 | PostgreSQL security vulnerability | PostgreSQL | 8.1 | - | 2020-11-23
CVE-2020-1694 | Red Hat Keycloak security vulnerability | keycloak | 6.5 | - | 2020-09-16

Vulnerabilities classified as CWE-183 (Permissive List of Allowed Inputs) represent 28 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.