CWE-285 Improper Authorization: summary of the 985 CVE vulnerabilities in this weakness class, with AI-generated Chinese analysis.
CWE-285 is an access-control defect: the system does not perform a correct authorization check when a resource is accessed or an operation is performed. Attackers commonly tamper with request parameters or bypass client-side restrictions in order to read sensitive data or perform privileged operations under an identity that is not authorized to do so. Developers should implement strict role-based access control and verify permissions at fine granularity on the server side for every request, so that only legitimate users can perform the corresponding operations and the risk of unauthorized access is eliminated.
Demonstrative examples of the weakness, first in PHP and then in Perl:

```php
<?php
// Demonstrative example 1 (PHP). The query is parameterized, so CWE-89 is
// avoided, but nothing checks whether the requesting user is authorized to
// view the employee record that is returned.
function runEmployeeQuery($dbName, $name) {
    global $globalDbHandle;   // PDO connection opened elsewhere in the application
    // $dbName comes from application code (a constant below), not from the user
    if ($globalDbHandle->exec('USE `' . $dbName . '`') === false) {
        die("Could not open Database " . $dbName);
    }
    // Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
/* ... */
// Any caller can look up any employee by name: the request is served
// without an authorization check.
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
```

```perl
use strict;
use warnings;
use CGI;

# Demonstrative example 2 (Perl). The user is authenticated, but the message
# is then fetched by the caller-supplied id with no check that the message
# belongs to that user. LookupMessageObject, encodeHTML, AuthenticateUser
# and ExitError are assumed to be defined elsewhere in the application.
sub DisplayPrivateMessage {
    my ($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = CGI->new;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}
# The id is taken straight from the request and never tied to the
# authenticated user (CWE-285).
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-42202 | Nova Toggle v5 toggle API unauthorized modification vulnerability — nova-toggle-5 | 6.5 | Medium | 2026-05-08 |
| CVE-2026-33823 | Microsoft Teams Events Portal information disclosure vulnerability — Microsoft Teams | 9.6 | Critical | 2026-05-07 |
| CVE-2026-41572 | Note Mark unauthorized read of deleted public book data vulnerability — note-mark | 5.3 | Medium | 2026-05-04 |
| CVE-2026-7713 | Calibre-Web authorization token generation privilege bypass vulnerability — Calibre-Web-Automated | 6.3 | Medium | 2026-05-04 |
| CVE-2026-7709 | Calibre-Web authentication token generation authorization bypass vulnerability — Calibre-Web | 6.3 | Medium | 2026-05-03 |
| CVE-2026-7644 | ChatGPTNextWeb addMcpServer authorization bypass vulnerability — NextChat | 7.3 | High | 2026-05-02 |
| CVE-2026-7631 | Online Hospital registration authorization vulnerability — Online Hospital Management System | 5.4 | Medium | 2026-05-02 |
| CVE-2026-6449 | Amelia <= 2.1.2 remote approval endpoint unauthorized bypass vulnerability — Booking for Appointments and Events Calendar – Amelia | 5.3 | Medium | 2026-05-02 |
| CVE-2026-7602 | JeecgBoot FillRuleUtil edit improper authorization vulnerability — JeecgBoot | 6.3 | Medium | 2026-05-02 |
| CVE-2026-7505 | GoClaw/GoClaw Lite RPC improper authorization vulnerability — GoClaw | 7.3 | High | 2026-04-30 |
| CVE-2026-2892 | Otter Blocks <= 3.1.4 forged cookie purchase verification bypass vulnerability — Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | 7.5 | High | 2026-04-30 |
| CVE-2026-7292 | O2OA security vulnerability — o2oa | 5.6 | Medium | 2026-04-28 |
| CVE-2026-5781 | MphRx Minerva authorization issue vulnerability — Minerva | 8.8 (AI) | High (AI) | 2026-04-28 |
| CVE-2026-7142 | Wooey security vulnerability — Wooey | 6.3 | Medium | 2026-04-27 |
| CVE-2026-7109 | Code-Projects Invoice System in Laravel security vulnerability — Invoice System in Laravel | 5.3 | Medium | 2026-04-27 |
| CVE-2026-7093 | Code-Projects Invoice System in Laravel security vulnerability — Invoice System in Laravel | 6.3 | Medium | 2026-04-27 |
| CVE-2026-7092 | Code-Projects Invoice System in Laravel security vulnerability — Invoice System in Laravel | 6.3 | Medium | 2026-04-27 |
| CVE-2026-7091 | Code-Projects Invoice System in Laravel security vulnerability — Invoice System in Laravel | 6.3 | Medium | 2026-04-27 |
| CVE-2026-6977 | Vanna security vulnerability — vanna | 7.3 | High | 2026-04-25 |
| CVE-2026-6634 | Memos security vulnerability — memos | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6609 | DjangoBlog security vulnerability — DjangoBlog | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6572 | kodcloud KodExplorer security vulnerability — KodExplorer | 5.6 | Medium | 2026-04-19 |
| CVE-2026-6564 | EMQ EMQX Enterprise security vulnerability — EMQX Enterprise | 4.3 | Medium | 2026-04-19 |
| CVE-2026-40305 | DNN security vulnerability — Dnn.Platform | 4.3 | Medium | 2026-04-17 |
| CVE-2026-40259 | SiYuan security vulnerability — siyuan | 8.1 | High | 2026-04-16 |
| CVE-2026-40248 | free5GC security vulnerability — free5gc | 7.5 (AI) | High (AI) | 2026-04-16 |
| CVE-2026-40247 | free5GC security vulnerability — free5gc | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-40246 | free5GC security vulnerability — free5gc | 5.3 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-33146 | Docmost authorization issue vulnerability — docmost | 4.3 | Medium | 2026-04-14 |
| CVE-2026-34370 | Chamilo LMS security vulnerability — chamilo-lms | 6.5 | Medium | 2026-04-14 |
CWE-285 (Improper Authorization) is a common weakness class; this platform has catalogued 985 CVE vulnerabilities associated with it.