CWE-285 授权机制不恰当 类弱点 1059 条 CVE 漏洞汇总,含 AI 中文分析。
CWE-285 属于权限控制缺陷,指系统在访问资源或执行操作时未正确执行授权检查。攻击者常通过篡改请求参数或绕过前端限制,以非授权身份访问敏感数据或执行特权操作。开发者应实施严格的基于角色的访问控制,在服务器端对所有请求进行细粒度权限验证,确保仅允许合法用户执行相应操作,从而杜绝越权风险。
function runEmployeeQuery($dbName, $name){ mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName); //Use a prepared statement to avoid CWE-89 $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name'); $preparedStatement->execute(array(':name' => $name)); return $preparedStatement->fetchAll(); } /.../ $employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']);sub DisplayPrivateMessage { my($id) = @_; my $Message = LookupMessageObject($id); print "From: " . encodeHTML($Message->{from}) . "<br>\n"; print "Subject: " . encodeHTML($Message->{subject}) . "\n"; print "<hr>\n"; print "Body: " . encodeHTML($Message->{body}) . "\n"; } my $q = new CGI; # For purposes of this example, assume that CWE-309 and # CWE-523 do not apply. if (! AuthenticateUser($q->param('username'), $q->param('password'))) { ExitError("invalid username or password"); } my $id = $q->param('id'); DisplayPrivateMessage($id);| CVE ID | 标题 | CVSS | 风险等级 | Published |
|---|---|---|---|---|
| CVE-2026-7092 | Code-Projects Invoice System in Laravel 安全漏洞 — Invoice System in Laravel | 6.3 | Medium | 2026-04-27 |
| CVE-2026-7091 | Code-Projects Invoice System in Laravel 安全漏洞 — Invoice System in Laravel | 6.3 | Medium | 2026-04-27 |
| CVE-2026-6977 | Vanna 安全漏洞 — vanna | 7.3 | High | 2026-04-25 |
| CVE-2026-6634 | Memos 安全漏洞 — memos | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6609 | DjangoBlog 安全漏洞 — DjangoBlog | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6572 | kodcloud KodExplorer 安全漏洞 — KodExplorer | 5.6 | Medium | 2026-04-19 |
| CVE-2026-6564 | EMQ EMQX Enterprise 安全漏洞 — EMQX Enterprise | 4.3 | Medium | 2026-04-19 |
| CVE-2026-40305 | DNN 安全漏洞 — Dnn.Platform | 4.3 | Medium | 2026-04-17 |
| CVE-2026-40259 | SiYuan 安全漏洞 — siyuan | 8.1 | High | 2026-04-16 |
| CVE-2026-40248 | free5GC 安全漏洞 — free5gc | 7.5AI | HighAI | 2026-04-16 |
| CVE-2026-40247 | free5GC 安全漏洞 — free5gc | 5.3AI | MediumAI | 2026-04-16 |
| CVE-2026-40246 | free5GC 安全漏洞 — free5gc | 5.3AI | MediumAI | 2026-04-16 |
| CVE-2026-33146 | Docmost 授权问题漏洞 — docmost | 4.3 | Medium | 2026-04-14 |
| CVE-2026-34370 | Chamilo LMS 安全漏洞 — chamilo-lms | 6.5 | Medium | 2026-04-14 |
| CVE-2026-27912 | Microsoft Windows Kerberos 授权问题漏洞 — Windows Server 2012 | 8.0 | High | 2026-04-14 |
| CVE-2026-6105 | go-fastdfs-web 授权问题漏洞 — go-fastdfs-web | 7.3 | High | 2026-04-11 |
| CVE-2026-32252 | chartbrew 授权问题漏洞 — chartbrew | 7.7 | High | 2026-04-10 |
| CVE-2026-5412 | Juju 安全漏洞 — Juju | 9.9 | Critical | 2026-04-10 |
| CVE-2026-5999 | JeecgBoot 授权问题漏洞 — JeecgBoot | 6.3 | Medium | 2026-04-10 |
| CVE-2026-39901 | monetr 授权问题漏洞 — monetr | 5.7 | Medium | 2026-04-08 |
| CVE-2026-35479 | InvenTree 授权问题漏洞 — InvenTree | 6.6 | Medium | 2026-04-08 |
| CVE-2026-35476 | InvenTree 授权问题漏洞 — InvenTree | 7.2 | High | 2026-04-08 |
| CVE-2026-35407 | saleor 授权问题漏洞 — saleor | 5.3AI | MediumAI | 2026-04-08 |
| CVE-2026-39389 | CI4MS 授权问题漏洞 — ci4ms | 6.7 | Medium | 2026-04-08 |
| CVE-2026-39347 | OrangeHRM 授权问题漏洞 — orangehrm | 5.5AI | MediumAI | 2026-04-07 |
| CVE-2026-35610 | PolarLearn 授权问题漏洞 — PolarLearn | 8.8 | High | 2026-04-07 |
| CVE-2026-5642 | Student Management System 授权问题漏洞 — Student-Management-System | 7.3 | High | 2026-04-06 |
| CVE-2026-5529 | Dromara Lamp-Cloud 授权问题漏洞 — lamp-cloud | 4.3 | Medium | 2026-04-05 |
| CVE-2017-20238 | Belden Hirschmann Industrial HiVision 授权问题漏洞 — Hirschmann Industrial HiVision | 7.1 | High | 2026-04-03 |
| CVE-2026-33105 | Microsoft Azure Kubernetes Service 授权问题漏洞 — Azure Kubernetes Service | 10.0 | Critical | 2026-04-02 |
CWE-285(授权机制不恰当) 是常见的弱点类别,本平台收录该类弱点关联的 1059 条 CVE 漏洞。