
CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) — Vulnerability Class 28

28 vulnerabilities classified as CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data). AI Chinese analysis included.

CWE-349 represents a critical input validation weakness where software incorrectly processes untrusted data embedded alongside trusted inputs, treating the malicious elements as legitimate. Attackers typically exploit this by injecting harmful payloads, such as SQL commands or script tags, into fields that are otherwise expected to contain safe, verified information. Because the application fails to distinguish between the two data sources, it executes the untrusted content, leading to severe vulnerabilities like injection attacks or data corruption. Developers can prevent this by implementing strict input sanitization and validation routines that isolate and verify each data component independently. By explicitly defining allowed formats and rejecting any unexpected characters or structures, even those hidden within trusted streams, engineers ensure that only verified, safe data influences the application’s logic, thereby maintaining system integrity.

MITRE CWE Description
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Common Consequences (1)
Scope: Access Control, Integrity
Impact: Bypass Protection Mechanism, Modify Application Data
An attacker could package untrusted data with trusted data to bypass protection mechanisms to gain access to and possibly modify sensitive data.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-32162 | Windows COM Elevation of Privilege Vulnerability | Windows 10 Version 1809 | 8.4 | High | 2026-04-14 |
| CVE-2026-35641 | OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation | OpenClaw | 7.8 | High | 2026-04-10 |
| CVE-2026-1642 | NGINX vulnerability | NGINX Open Source | 5.9 | Medium | 2026-02-04 |
| CVE-2025-68269 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 5.4 | Medium | 2025-12-16 |
| CVE-2025-1680 | Moxa Ethernet switches security vulnerability | TN-4500A Series | 6.7 (AI) | Medium (AI) | 2025-10-23 |
| CVE-2025-40778 | Cache poisoning attacks with unsolicited RRs | BIND 9 | 8.6 | High | 2025-10-22 |
| CVE-2025-11411 | Possible domain hijacking via promiscuous records in the authority section | Unbound | 7.5 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-11703 | WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning | WP Go Maps (formerly WP Google Maps) | 5.3 | Medium | 2025-10-18 |
| CVE-2025-5994 | Cache poisoning via the ECS-enabled Rebirthday Attack | Unbound | 5.3 | - | 2025-07-16 |
| CVE-2025-40776 | Birthday Attack against Resolvers supporting ECS | BIND 9 | 8.6 | High | 2025-07-16 |
| CVE-2025-48804 | Windows BitLocker Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 6.8 | Medium | 2025-07-08 |
| CVE-2025-46339 | FreshRSS vulnerable to favicon cache poisoning via proxy | FreshRSS | 4.3 | Medium | 2025-06-04 |
| CVE-2025-20255 | Cisco Webex Meetings security vulnerability | Cisco Webex Meetings | 4.3 | Medium | 2025-05-21 |
| CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability | Windows 10 Version 1507 | 7.5 | High | 2025-05-13 |
| CVE-2025-29816 | Microsoft Word Security Feature Bypass Vulnerability | Microsoft 365 Apps for Enterprise | 7.5 | High | 2025-04-08 |
| CVE-2025-27415 | Nuxt allows DOS via cache poisoning with payload rendering response | nuxt | 7.5 | High | 2025-03-19 |
| CVE-2024-53848 | check-jsonschema default caching for remote schemas allows for cache confusion | check-jsonschema | 7.1 | High | 2024-11-29 |
| CVE-2024-52555 | JetBrains WebStorm security vulnerability | WebStorm | 6.3 | Medium | 2024-11-15 |
| CVE-2024-42483 | ESP-NOW Replay Attacks Vulnerability | esp-now | 6.5 | Medium | 2024-09-12 |
| CVE-2024-34083 | STARTTLS unencrypted commands injection | aiosmtpd | 5.4 | Medium | 2024-05-18 |
| CVE-2023-51655 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 6.3 | Medium | 2023-12-21 |
| CVE-2023-44317 | Siemens SCALANCE multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 7.2 | High | 2023-11-14 |
| CVE-2023-5548 | Moodle: cache poisoning risk with endpoint revision numbers | | 3.3 | Low | 2023-11-09 |
| CVE-2023-3749 | VideoEdge config | VideoEdge | 7.1 | High | 2023-08-03 |
| CVE-2020-8023 | Local privilege escalation from ldap to root when using OPENLDAP_CONFIG_BACKEND=ldap in openldap2 | SUSE Enterprise Storage 5 | 7.7 | High | 2020-09-01 |
| CVE-2020-10751 | Linux kernel data forgery vulnerability | kernel | 6.1 | Medium | 2020-05-26 |
| CVE-2019-9535 | iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution | iTerm2 | 9.8 | - | 2019-10-09 |
| CVE-2018-1131 | Infinispan security vulnerability | infinispan | 8.8 | - | 2018-05-15 |

Values marked (AI) carried an "AI" badge on the original listing; "-" means no severity was listed.

Vulnerabilities classified as CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) represent 28 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.