CWE-348 使用不可信的源 类弱点 46 条 CVE 漏洞汇总,含 AI 中文分析。
CWE-348 属于信任管理缺陷,指系统在处理相同数据时,优先采用验证能力弱、可信度低或抗攻击性差的来源。攻击者常通过操控不可信数据源,注入恶意内容以绕过安全校验,进而实施注入攻击或逻辑绕过。开发者应建立严格的数据信任分级机制,优先使用经过身份验证和完整性校验的可靠数据源,并对所有输入进行严格过滤与验证,确保关键决策仅基于可信信息。
$requestingIP = '0.0.0.0'; if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { $requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR']; else{ $requestingIP = $_SERVER['REMOTE_ADDR']; } if(in_array($requestingIP,$ipAllowlist)){ generatePage(); return; } else{ echo "You are not authorized to view this page"; return; }$requestingIP = '0.0.0.0'; if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { echo "This application cannot be accessed through a proxy."; return; else{ $requestingIP = $_SERVER['REMOTE_ADDR']; } ...| CVE ID | 标题 | CVSS | 风险等级 | Published |
|---|---|---|---|---|
| CVE-2026-48772 | ProxySQL PROXY-Protocol v1 UNKNOWN源IP伪造绕过ACL漏洞 — proxysql | 10.0 | Critical | 2026-06-19 |
| CVE-2026-44046 | Apache APISIX wolf-rbac 插件身份伪造漏洞 — Apache APISIX | - | - | 2026-06-19 |
| CVE-2020-37248 | OfflineIMAP 安全漏洞 — OfflineIMAP | 6.5 | Medium | 2026-06-08 |
| CVE-2026-43634 | HestiaCP 安全漏洞 — hestiacp | 7.5 | High | 2026-05-19 |
| CVE-2026-40226 | systemd 安全漏洞 — systemd | 6.4 | Medium | 2026-04-10 |
| CVE-2026-35391 | Bulwark Webmail 安全漏洞 — webmail | 9.1AI | CriticalAI | 2026-04-06 |
| CVE-2026-35507 | shynet 安全漏洞 — Shynet | 6.4 | Medium | 2026-04-03 |
| CVE-2026-26927 | Krajowa Izba Rozliczeniowa Szafir SDK Web 安全漏洞 — Szafir SDK Web | 8.1AI | HighAI | 2026-04-02 |
| CVE-2026-33690 | WWBN AVideo 安全漏洞 — AVideo | 5.3 | Medium | 2026-03-23 |
| CVE-2026-3635 | Fastify 安全漏洞 — fastify | 6.1 | Medium | 2026-03-23 |
| CVE-2025-69240 | Raytha CMS 安全漏洞 — Raytha | 8.8 | - | 2026-03-16 |
| CVE-2026-22201 | WordPress plugin wpDiscuz 安全漏洞 — wpDiscuz | 5.3 | Medium | 2026-03-13 |
| CVE-2025-55292 | Meshtastic 安全漏洞 — firmware | 8.2 | High | 2026-01-27 |
| CVE-2026-24910 | Bun 安全漏洞 — Bun | 5.9 | Medium | 2026-01-27 |
| CVE-2025-13694 | WordPress plugin AA Block Country 安全漏洞 — AA Block country | 5.3 | Medium | 2026-01-07 |
| CVE-2025-15154 | PbootCMS 安全漏洞 — PbootCMS | 5.3 | Medium | 2025-12-28 |
| CVE-2025-32900 | KDE Connect 安全漏洞 — KDE Connect information-exchange protocol | 4.3 | Medium | 2025-12-05 |
| CVE-2025-59951 | Termix 安全漏洞 — Termix | 9.1AI | CriticalAI | 2025-10-01 |
| CVE-2025-58422 | RICOH Streamline NX 安全漏洞 — RICOH Streamline NX | 5.9AI | MediumAI | 2025-09-08 |
| CVE-2025-53522 | Movable Type 安全漏洞 — Movable Type (Software Edition) | 7.5 | - | 2025-08-20 |
| CVE-2025-48825 | RICOH Streamline NX V3 PC Client 安全漏洞 — RICOH Streamline NX V3 PC Client | 7.5AI | HighAI | 2025-06-13 |
| CVE-2025-47149 | Digital Arts i-FILTER 安全漏洞 — i-FILTER | 7.7AI | HighAI | 2025-05-23 |
| CVE-2025-1245 | Hitachi Ops Center Analyzer和Hitachi Infrastructure Analytics Advisor 安全漏洞 — Hitachi Infrastructure Analytics Advisor | 6.5 | Medium | 2025-05-16 |
| CVE-2025-47424 | Retool 安全漏洞 — Retool | 7.1 | High | 2025-05-09 |
| CVE-2025-43918 | SSL.com 安全漏洞 — SSL.com | 6.4 | Medium | 2025-04-19 |
| CVE-2025-24856 | TYPO3 安全漏洞 — oidc | 4.2 | Medium | 2025-03-16 |
| CVE-2025-27913 | Passbolt 安全漏洞 — API | 3.7 | - | 2025-03-10 |
| CVE-2024-54840 | CyberArk Privileged Access Manager Self-Hosted 安全漏洞 — Privileged Access Manager | 4.2 | Medium | 2025-02-03 |
| CVE-2024-10977 | PostgreSQL 安全漏洞 — PostgreSQL | 3.1 | Low | 2024-11-14 |
| CVE-2022-4534 | WordPress plugin Limit Login Attempts 安全漏洞 — Limit Login Attempts (Spam Protection) | 5.3 | Medium | 2024-10-08 |
CWE-348(使用不可信的源) 是常见的弱点类别,本平台收录该类弱点关联的 46 条 CVE 漏洞。