目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-184 不完整的黑名单 类漏洞列表 102

CWE-184 不完整的黑名单 类弱点 102 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-184属于输入验证缺陷,指软件依赖黑名单机制过滤非法输入,但列表存在遗漏。攻击者常利用此漏洞,通过构造未被黑名单覆盖的恶意输入绕过安全限制,从而执行未授权操作或注入攻击。开发者应避免单纯依赖黑名单,转而采用白名单机制严格限定合法输入,或对所有输入进行标准化处理与深度校验,确保防御逻辑的完整性与健壮性。

MITRE CWE 官方描述
CWE:CWE-184 未完全列出禁止输入 英文:产品实现了一种保护机制,该机制依赖于一个输入(或输入属性)列表,这些输入(或属性)因违反策略而被禁止,或需要采取其他措施以在进一步处理之前进行中和,但该列表不完整。
常见影响 (1)
Access ControlBypass Protection Mechanism
Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
缓解措施 (1)
ImplementationDo not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as …
代码示例 (2)
The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.
public String removeScriptTags(String input, String mask) { return input.replaceAll("script", mask); }
Bad · Java
This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.
sub GetUntrustedInput { return($ARGV[0]); } sub encode { my($str) = @_; $str =~ s/\&/\&amp;/gs; $str =~ s/\"/\&quot;/gs; $str =~ s/\'/\&apos;/gs; $str =~ s/\</\&lt;/gs; $str =~ s/\>/\&gt;/gs; return($str); } sub doit { my $uname = encode(GetUntrustedInput("username")); print "<b>Welcome, $uname!</b><p>\n"; system("cd /home/$uname; /bin/ls -l"); }
Bad · Perl
' pwd
Attack
CVE ID标题CVSS风险等级Published
CVE-2026-53873 Matthieu Maitre Picklescan 输入验证错误漏洞 — picklescan 9.8 Critical2026-06-17
CVE-2025-71323 Matthieu Maitre Picklescan 输入验证错误漏洞 — picklescan 9.8 Critical2026-06-17
CVE-2025-71320 Matthieu Maitre Picklescan 输入验证错误漏洞 — picklescan 9.8 Critical2026-06-17
CVE-2026-53864 OpenClaw < 2026.5.26 Node.js 控制变量环境变量净化不足漏洞 — OpenClaw 8.1 High2026-06-16
CVE-2026-53861 OpenClaw 输入验证错误漏洞 — OpenClaw 6.6 Medium2026-06-16
CVE-2026-53855 OpenClaw 输入验证错误漏洞 — OpenClaw 8.1 High2026-06-16
CVE-2026-53848 OpenClaw < 2026.5.26 通过透明命令包装器绕过执行允许列表 — OpenClaw 4.3 Medium2026-06-16
CVE-2026-53836 OpenClaw 输入验证错误漏洞 — OpenClaw 8.8 High2026-06-12
CVE-2026-48557 Spatie Laravel Media Library Pro 安全漏洞 — laravel-medialibrary 8.8 High2026-05-29
CVE-2026-44463 Zed 安全漏洞 — zed 8.6 High2026-05-28
CVE-2026-44462 Zed 安全漏洞 — zed 6.4 Medium2026-05-28
CVE-2026-45037 Tabby 安全漏洞 — tabby 7.1 High2026-05-15
CVE-2026-42590 Gotenberg 安全漏洞 — gotenberg 8.2 High2026-05-14
CVE-2026-43929 SSRF Check 安全漏洞 — ssrfcheck 8.2 High2026-05-12
CVE-2026-45006 OpenClaw 安全漏洞 — OpenClaw 8.8 High2026-05-11
CVE-2026-44993 OpenClaw 安全漏洞 — OpenClaw 5.4 Medium2026-05-11
CVE-2026-44115 OpenClaw 安全漏洞 — OpenClaw 8.8 High2026-05-06
CVE-2026-44114 OpenClaw 安全漏洞 — OpenClaw 7.8 High2026-05-06
CVE-2026-43584 OpenClaw 安全漏洞 — OpenClaw 8.8 High2026-05-06
CVE-2026-43578 OpenClaw 安全漏洞 — OpenClaw 9.1 Critical2026-05-06
CVE-2026-41934 Vvveb 安全漏洞 — Vvveb 8.8 High2026-05-06
CVE-2026-43566 OpenClaw 安全漏洞 — OpenClaw 9.1 Critical2026-05-05
CVE-2026-43532 OpenClaw 安全漏洞 — OpenClaw 7.7 High2026-05-05
CVE-2026-42435 OpenClaw 安全漏洞 — OpenClaw 8.8 High2026-05-05
CVE-2026-42427 OpenClaw 安全漏洞 — OpenClaw 5.3 Medium2026-04-28
CVE-2026-41915 OpenClaw 安全漏洞 — OpenClaw 5.3 Medium2026-04-28
CVE-2026-41392 OpenClaw 安全漏洞 — OpenClaw 6.7 Medium2026-04-28
CVE-2026-41391 OpenClaw 安全漏洞 — OpenClaw 5.3 Medium2026-04-28
CVE-2026-41361 OpenClaw 安全漏洞 — OpenClaw 7.1 High2026-04-23
CVE-2026-41332 OpenClaw 安全漏洞 — OpenClaw 5.3 Medium2026-04-23

CWE-184(不完整的黑名单) 是常见的弱点类别,本平台收录该类弱点关联的 102 条 CVE 漏洞。