
CWE-501 (Trust Boundary Violation): Vulnerability Class, 19 CVEs

19 vulnerabilities classified as CWE-501 (Trust Boundary Violation). AI analysis in Chinese included.

CWE-501 describes a trust boundary violation: software stores trusted and untrusted data in the same structure or message, so code that later reads the structure can no longer tell which values have been validated. Attackers exploit this by placing attacker-controlled data where downstream code expects only trusted values, for example a session attribute that authorization checks treat as proof of identity, and thereby bypass protection mechanisms. The defense is to validate at the boundary and keep the results apart: check external input before it enters core logic, and hold trusted internal state in fields or structures separate from raw external data, so that only verified values influence security decisions. A practical check when reviewing code is to ask, for every field in a session, message or shared object, which side of the boundary wrote it and whether any reader assumes the other.

MITRE CWE Description
The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as a line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary, to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.

Common Consequences (1)
Scope: Access Control. Technical Impact: Bypass Protection Mechanism.
Examples (1)
The following code accepts an HTTP request and stores the username parameter in the HTTP session object before checking to ensure that the user has been authenticated.

Bad · Java
    // The raw request parameter is written into the session attribute that the
    // rest of the application treats as the authenticated user's name.
    String usrname = request.getParameter("usrname");
    if (session.getAttribute(ATTR_USR) == null) {
        session.setAttribute(ATTR_USR, usrname);
    }

Bad · C#
    // Same flaw: untrusted input lands in the session slot later read as trusted.
    string usrname = request["usrname"];
    if (session[ATTR_USR] == null) {
        session.Add(ATTR_USR, usrname);
    }
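The flaw in the MITRE sample and the separation described in the class summary above, worked through end to end. This is an added example for this page, not code from MITRE or from any product in the list below. The `Request` dataclass and its in-memory `session` dict stand in for a servlet or WSGI session (an assumption), the credential store is constructed inline, and `current_user` models the downstream handler that trusts whatever sits under `ATTR_USR`.

```python
"""CWE-501 worked through in a session-backed login flow.

Added example for this page; not code from MITRE or from any listed product.
Request and the in-memory session dict stand in for a servlet/WSGI session
(an assumption), and the credential store below is constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

ATTR_USR = "user"          # session key the rest of the app treats as "authenticated user"
UNTRUSTED = "untrusted"    # session key for raw, not-yet-validated values

# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"alice": _hash("correct horse")}


@dataclass
class Request:
    params: dict                                   # query/form parameters: untrusted
    session: dict = field(default_factory=dict)    # server-side session: trusted by later code


def vulnerable_login(req: Request) -> None:
    """Mirrors the MITRE sample above.

    The raw usrname parameter is parked in ATTR_USR before any credential
    check, so the untrusted value now sits in the slot downstream code trusts.
    """
    usrname = req.params.get("usrname")
    if req.session.get(ATTR_USR) is None:
        req.session[ATTR_USR] = usrname


def hardened_login(req: Request) -> bool:
    """Only a verified identity crosses into ATTR_USR.

    Anything the client sent that the UI might need later (for example to
    re-populate the form) goes under a key that is named as untrusted, so a
    reader of the session cannot mistake it for an authenticated principal.
    """
    usrname = req.params.get("usrname", "")
    password = req.params.get("password", "")
    expected = USERS.get(usrname)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        req.session.setdefault(UNTRUSTED, {})["last_attempt"] = usrname
        return False
    req.session[ATTR_USR] = usrname
    return True


def current_user(session: dict) -> Optional[str]:
    """What a later handler does: whoever is under ATTR_USR is treated as logged in."""
    return session.get(ATTR_USR)


def demo() -> dict:
    """Run the same forged request against both handlers and report who gets in."""
    forged = {"usrname": "alice"}                      # no password supplied
    genuine = {"usrname": "alice", "password": "correct horse"}

    r1 = Request(params=dict(forged))
    vulnerable_login(r1)

    r2 = Request(params=dict(forged))
    ok_forged = hardened_login(r2)

    r3 = Request(params=dict(genuine))
    ok_genuine = hardened_login(r3)

    return {
        "vulnerable_forged_user": current_user(r1.session),   # "alice": bypass
        "hardened_forged_user": current_user(r2.session),     # None
        "hardened_forged_ok": ok_forged,                      # False
        "hardened_untrusted_copy": r2.session[UNTRUSTED]["last_attempt"],  # "alice"
        "hardened_genuine_user": current_user(r3.session),    # "alice"
        "hardened_genuine_ok": ok_genuine,                    # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point is not the password check itself but where the value lands: the hardened handler never writes a client-supplied name into `ATTR_USR` until the check has passed, and when it does need to keep the raw value it files it under a key whose name says it is untrusted, so `current_user` and every other reader of the session cannot confuse the two.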
CVE ID | Title | Product | CVSS | Severity | Published
(Values marked (AI) carry the site's AI badge in the source listing; "-" means the field is empty there.)
CVE-2026-24153 | NVIDIA Jetson Linux security vulnerability | Jetson Xavier Series, Jetson Orin Series and Jetson Thor | 5.2 | Medium | 2026-03-31
CVE-2026-25725 | Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json | claude-code | 8.4 (AI) | High (AI) | 2026-02-06
CVE-2025-14542 | Command execution in python-utcp allows attackers to achieve remote code execution when fetching a remote Manual from a malicious endpoint | - | 7.5 | High | 2025-12-13
CVE-2025-49714 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Python extension for Visual Studio Code | 7.8 | High | 2025-07-08
CVE-2025-48938 | Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server | go-gh | 9.8 (AI) | Critical (AI) | 2025-05-30
CVE-2025-1118 | Grub2: commands/dump: the dump command is not in lockdown when secure boot is enabled | - | 4.4 | Medium | 2025-02-19
CVE-2024-49050 | Visual Studio Code Python Extension Remote Code Execution Vulnerability | Python extension for Visual Studio Code | 8.8 | High | 2024-11-12
CVE-2024-20265 | Cisco Access Point security vulnerability | Cisco IOS XE Software | 5.9 | Medium | 2024-03-27
CVE-2024-1725 | Kubevirt-csi: persistentvolume allows access to hcp's root node | - | 6.5 | Medium | 2024-03-07
CVE-2024-23682 | Artemis Java Test Sandbox Class Loading Escape | - | 9.6 | - | 2024-01-19
CVE-2023-49788 | Improper handling of browser-side provided input in richdocuments path handling | online | 7.2 | High | 2023-12-08
CVE-2023-0627 | Docker Desktop 4.11.x allows --no-windows-containers flag bypass | Docker Desktop | 6.7 | Medium | 2023-09-25
CVE-2023-28597 | Improper trust boundary implementation for SMB in Zoom Clients | Zoom (for Android, iOS, Linux, macOS, and Windows) | 8.3 | High | 2023-03-27
CVE-2022-20826 | Cisco Firepower Threat Defense security vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 6.4 | Medium | 2022-11-10
CVE-2022-1799 | Incorrect signature verification on Google play-services-basement in Google Play SDK | Google Play Services SDK | 5.7 | Medium | 2022-07-29
CVE-2020-15096 | Context isolation bypass via Promise in Electron | electron | 6.8 | Medium | 2020-07-07
CVE-2020-4076 | Context isolation bypass via leaked cross-context objects in Electron | electron | 7.8 | High | 2020-07-07
CVE-2020-4077 | Context isolation bypass via contextBridge in Electron | electron | 7.7 | High | 2020-07-07
CVE-2019-0035 | Junos OS: 'set system ports console insecure' allows root password recovery on OAM volumes | Junos OS | 6.8 | - | 2019-04-10

Vulnerabilities classified as CWE-501 (Trust Boundary Violation): 19 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.