CWE-184 Incomplete Denylist: vulnerability list (86)

A summary of the 86 CVE vulnerabilities in the CWE-184 Incomplete Denylist weakness class, with AI-generated analysis in Chinese.

CWE-184 is an input validation weakness: the software relies on a denylist to filter illegal input, but the list has gaps. Attackers commonly exploit it by crafting malicious input the denylist does not cover, bypassing the security restriction to perform unauthorized operations or injection attacks. Developers should avoid relying solely on a denylist and instead use an allowlist that strictly defines what input is legal, or canonicalize and thoroughly validate all input, so that the defensive logic is complete and robust.

MITRE CWE official description
CWE-184: Incomplete List of Disallowed Inputs. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Common consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism.
Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Mitigations (1)
Phase: Implementation. Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as …
Code examples (2)
The following code attempts to stop XSS attacks by removing all occurrences of "script" in an input string.

    public String removeScriptTags(String input, String mask) {
        // Removes the literal substring "script" once; any input in which the
        // deleted substring leaves "script" behind is not caught.
        return input.replaceAll("script", mask);
    }

Bad · Java
This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.

    sub GetUntrustedInput {
        return($ARGV[0]);
    }

    # HTML-entity encoding: appropriate for the print below, but it does not
    # neutralize input that is later interpolated into a shell command.
    sub encode {
        my($str) = @_;
        $str =~ s/\&/\&amp;/gs;
        $str =~ s/\"/\&quot;/gs;
        $str =~ s/\'/\&apos;/gs;
        $str =~ s/\</\&lt;/gs;
        $str =~ s/\>/\&gt;/gs;
        return($str);
    }

    sub doit {
        my $uname = encode(GetUntrustedInput("username"));
        print "<b>Welcome, $uname!</b><p>\n";
        system("cd /home/$uname; /bin/ls -l");
    }

Bad · Perl
Attack (example input): ' pwd
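The following is an added Python example, not part of the CWE entry or its Perl sample. It re-creates the Perl encode()/system() pattern to show why HTML-entity encoding does not neutralise input headed for a shell, and puts the allowlist-plus-argv form beside it. The username pattern (lowercase POSIX portable names) and the helper names are assumptions made for this example.

```python
import re
from typing import List

# Added example, not from the CWE entry or its Perl sample. It mirrors the
# Perl encode()/system() pattern to show why an HTML-entity encoder is the
# wrong neutraliser for a shell (the entities themselves carry '&' and ';'),
# then the allowlist-plus-argv form that removes the problem. The username
# pattern (lowercase POSIX portable names) is an assumption for this example.

ENTITY_TABLE = (("&", "&amp;"), ('"', "&quot;"), ("'", "&apos;"),
                ("<", "&lt;"), (">", "&gt;"))

def html_encode(s: str) -> str:
    """Same substitutions, in the same order, as the Perl encode() above."""
    for raw, enc in ENTITY_TABLE:
        s = s.replace(raw, enc)
    return s

def shell_command_bad(uname: str) -> str:
    """The string the Perl sample hands to system(): encoded, then interpolated."""
    return f"cd /home/{html_encode(uname)}; /bin/ls -l"

def shell_commands(cmd: str) -> List[str]:
    """Crude split on the separators a POSIX shell honours (';', '&', newline),
    only to show how many separate commands the shell would run; not a parser."""
    return [part.strip() for part in re.split(r"[;&\n]", cmd) if part.strip()]

# Allowlist: lowercase POSIX portable username, 1 to 32 characters. fullmatch()
# is used on purpose: with re.match() and a trailing '$', a name ending in
# '\n' would still pass, one more variant a denylist tends to forget.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def ls_home_argv(uname: str) -> List[str]:
    """Allowlist-validate, then build an argv list that no shell ever parses.
    Run it with subprocess.run(ls_home_argv(name), check=True): shell=False is
    the default, so the separators above carry no meaning."""
    if not USERNAME_RE.fullmatch(uname):
        raise ValueError(f"username rejected by allowlist: {uname!r}")
    return ["/bin/ls", "-l", f"/home/{uname}"]

if __name__ == "__main__":
    attack = "' pwd"  # the CWE-184 attack input shown above
    print(shell_commands(shell_command_bad(attack)))
    # ['cd /home/', 'apos', 'pwd', '/bin/ls -l']: 'pwd' runs as its own command
    try:
        ls_home_argv(attack)
    except ValueError as err:
        print(err)
```

The split makes the CWE point concrete: the encoder's own output ("&apos;") supplies the separators, so adding "'" to a denylist would not have helped, while the allowlist rejects the input before any command is built.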
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-44115 | OpenClaw before 2026.4.22 unquoted heredoc execution-allowlist bypass vulnerability | OpenClaw | 8.8 | High | 2026-05-06
CVE-2026-44114 | OpenClaw < 2026.4.20 environment variable namespace collision vulnerability | OpenClaw | 7.8 | High | 2026-05-06
CVE-2026-43584 | OpenClaw < 2026.4.10 insufficient execution-policy environment variable denylist vulnerability | OpenClaw | 8.8 | High | 2026-05-06
CVE-2026-43578 | OpenClaw privilege escalation vulnerability | OpenClaw | 9.1 | Critical | 2026-05-06
CVE-2026-41934 | Vvveb CMS < 1.0.8.2 authenticated remote code execution vulnerability | Vvveb | 8.8 | High | 2026-05-06
CVE-2026-43566 | OpenClaw remote privilege escalation vulnerability | OpenClaw | 9.1 | Critical | 2026-05-05
CVE-2026-43532 | OpenClaw sandbox media normalization bypass vulnerability | OpenClaw | 7.7 | High | 2026-05-05
CVE-2026-42435 | OpenClaw < 2026.4.12 environment variable injection bypass vulnerability | OpenClaw | 8.8 | High | 2026-05-05
CVE-2026-42427 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-28
CVE-2026-41915 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-28
CVE-2026-41392 | OpenClaw security vulnerability | OpenClaw | 6.7 | Medium | 2026-04-28
CVE-2026-41391 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-28
CVE-2026-41361 | OpenClaw security vulnerability | OpenClaw | 7.1 | High | 2026-04-23
CVE-2026-41332 | OpenClaw security vulnerability | OpenClaw | 5.3 | Medium | 2026-04-23
CVE-2026-41264 | Flowise security vulnerability | Flowise | 9.8 | Critical | 2026-04-23
CVE-2026-41206 | PySpector security vulnerability | PySpector | 8.8 | High | 2026-04-23
CVE-2026-34415 | Xerte Online Toolkits security vulnerability | xerteonlinetoolkits | 9.8 | Critical | 2026-04-22
CVE-2026-26274 | October security vulnerability | october | 6.6 | Medium | 2026-04-21
CVE-2026-40077 | Beszel security vulnerability | beszel | 3.5 | Low | 2026-04-09
CVE-2026-39315 | unhead security vulnerability | unhead | 6.1 | Medium | 2026-04-09
CVE-2026-34177 | LXD security vulnerability | lxd | 9.1 | Critical | 2026-04-09
CVE-2026-35410 | Directus input validation error vulnerability | directus | 6.1 | Medium | 2026-04-06
CVE-2026-34426 | OpenClaw security vulnerability | OpenClaw | 7.6 | High | 2026-04-02
CVE-2026-34425 | OpenClaw security vulnerability | OpenClaw | 5.4 | Medium | 2026-04-02
CVE-2026-35000 | changedetection.io security vulnerability | ChangeDetection.io | 6.5 | Medium | 2026-04-01
CVE-2026-34430 | DeerFlow security vulnerability | DeerFlow | 8.8 | High | 2026-04-01
CVE-2026-4509 | PbootCMS security vulnerability | PbootCMS | 6.3 | Medium | 2026-03-21
CVE-2026-33139 | PySpector security vulnerability | PySpector | 9.8 | - | 2026-03-20
CVE-2026-32022 | OpenClaw security vulnerability | OpenClaw | 6.5 | Medium | 2026-03-19
CVE-2026-32017 | OpenClaw security vulnerability | OpenClaw | 7.1 | High | 2026-03-19

CWE-184 (Incomplete Denylist) is a common weakness category; this platform indexes 86 CVE vulnerabilities associated with it.