
CWE-35 Path Traversal: '.../...//' Vulnerability List (149)

Summary of the 149 CVEs classified under weakness CWE-35 Path Traversal: '.../...//', with AI-generated Chinese analysis.

CWE-35 is a path traversal weakness: the program builds a file path that is meant to stay inside a restricted directory from external input, but fails to properly neutralize doubled sequences such as ".../...//". An attacker exploits this by crafting a path with such character sequences, bypassing the security check to read or modify sensitive files outside the directory. Developers should avoid concatenating user input into paths directly, strictly canonicalize the path, and apply allowlist validation so that the final resolved path always lies within the intended safe directory.

MITRE CWE official description
CWE-35 Path Traversal: '.../...//'. Original MITRE text: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Common consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
Note: Not properly neutralizing '.../...//' (doubled triple dot slash) allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Mitigations (2)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High

Phase: Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code example (1)
Suppose the product serves files from a specific "public" directory, /home/product/public/, and has an algorithm that attempts to protect against common path traversal attacks. The algorithm works by sequentially scanning through a requested filename, removing each occurrence of "../" that it encounters, and then appending the filename to the public directory.
Attack: ../secret.dat
Result: /home/product/public/secret.dat
CVE ID | Title | Affected product | CVSS | Risk level | Published
(Scores and levels marked "(AI)" carry the site's AI badge; "-" means not given.)
CVE-2026-42274 | Heimdall path normalization mismatch leading to unauthorized access | heimdall | - | - | 2026-05-08
CVE-2026-20034 | Cisco Unity Connection remote code execution vulnerability | Cisco Unity Connection | 8.8 | High | 2026-05-06
CVE-2026-0205 | SonicWALL SonicOS security vulnerability | SonicOS | 8.1 (AI) | High (AI) | 2026-04-29
CVE-2026-6074 | Intrado 911 Emergency Gateway security vulnerability | 911 Emergency Gateway | 9.8 (AI) | Critical (AI) | 2026-04-23
CVE-2026-28265 | Dell PowerStore security vulnerability | PowerStore | 4.4 | Medium | 2026-04-01
CVE-2026-25397 | WordPress plugin File Uploader for WooCommerce security vulnerability | File Uploader for WooCommerce | 7.5 | High | 2026-03-25
CVE-2026-32415 | WordPress plugin Squeeze security vulnerability | Squeeze | 5.0 | Medium | 2026-03-13
CVE-2026-26124 | Microsoft ACI Confidential Containers security vulnerability | Microsoft ACI Confidential Containers | 6.7 | Medium | 2026-03-05
CVE-2025-69325 | WordPress plugin Primer MyData for Woocommerce security vulnerability | Primer MyData for Woocommerce | 5.3 | Medium | 2026-02-20
CVE-2025-58381 | Broadcom Brocade Fabric OS (FOS) security vulnerability | Fabric OS | 7.2 (AI) | High (AI) | 2026-02-03
CVE-2025-58380 | Broadcom Brocade Fabric OS security vulnerability | Fabric OS | 6.5 (AI) | Medium (AI) | 2026-02-03
CVE-2025-59099 | Dormakaba Access Manager security vulnerability | Access Manager 92xx-k5 | 9.1 (AI) | Critical (AI) | 2026-01-26
CVE-2025-67914 | WordPress plugin VidMov security vulnerability | VidMov | 7.7 | High | 2026-01-08
CVE-2025-46256 | WordPress plugin Advanced Database Cleaner PRO security vulnerability | Advanced Database Cleaner PRO | 6.4 | Medium | 2026-01-07
CVE-2025-68428 | jsPDF security vulnerability | jsPDF | 6.5 | - | 2026-01-05
CVE-2025-28973 | WordPress plugin Pro Bulk Watermark Plugin for WordPress security vulnerability | Pro Bulk Watermark Plugin for WordPress | 6.5 | Medium | 2025-12-31
CVE-2025-64676 | Microsoft Purview code injection vulnerability | Microsoft Purview | 7.2 | High | 2025-12-18
CVE-2025-64253 | WordPress plugin Health Check & Troubleshooting security vulnerability | Health Check & Troubleshooting | 4.9 | Medium | 2025-12-16
CVE-2025-66004 | libimobiledevice usbmuxd security vulnerability | usbmuxd | 5.7 | Medium | 2025-12-10
CVE-2025-41736 | METZ CONNECT multiple products security vulnerability | Energy-Controlling EWIO2-M | 8.8 | High | 2025-11-18
CVE-2025-5454 | AXIS OS security vulnerability | AXIS OS | 6.4 | Medium | 2025-11-11
CVE-2025-58972 | WordPress plugin Barcode Scanner with Inventory & Order Manager security vulnerability | Barcode Scanner with Inventory & Order Manager | 7.2 | High | 2025-11-06
CVE-2025-48090 | WordPress plugin Blanka - One Page WordPress Theme security vulnerability | Blanka - One Page WordPress Theme | 8.1 | High | 2025-11-06
CVE-2025-39467 | WordPress plugin Wanderland security vulnerability | Wanderland | 8.1 | High | 2025-11-06
CVE-2025-22288 | WordPress plugin Smush Image Compression and Optimization security vulnerability | Smush Image Compression and Optimization | 4.1 | Medium | 2025-11-06
CVE-2025-53880 | SUSE multiple products security vulnerability | Container suse/manager/4.3/proxy-httpd:latest | 6.5 (AI) | Medium (AI) | 2025-10-30
CVE-2025-41723 | SAUTER multiple products security vulnerability | modulo 6 devices modu680-AS | 9.8 | Critical | 2025-10-22
CVE-2025-8051 | OpenText Flipper security vulnerability | Flipper | 6.5 (AI) | Medium (AI) | 2025-10-20
CVE-2025-42937 | SAP Print Service security vulnerability | SAP Print Service | 9.8 | Critical | 2025-10-14
CVE-2025-43907 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release | 6.5 | Medium | 2025-10-07

CWE-35 (Path Traversal: '.../...//') is a common weakness category; this platform has collected 149 CVEs associated with it.