Summary of the 54 CVEs in the CWE-915 weakness class, with AI-generated Chinese analysis.
CWE-915 is Improperly Controlled Modification of Dynamically-Determined Object Attributes: a program takes upstream input to initialize or update an object's attributes without strictly restricting which fields may be modified. Attackers use this to tamper with internal, security-sensitive attributes such as privilege flags or state bits, bypassing security checks or escalating privileges (the "mass assignment" pattern in web frameworks and ORMs). In JavaScript the same defect becomes prototype pollution when a caller-controlled key path can reach `__proto__` or `constructor.prototype`, as the snippet below shows. Developers should enforce a strict allowlist of the public attributes that may be modified, reject property names that address the prototype chain, and validate the type and range of every dynamic input, so that internal attributes cannot be manipulated directly from outside.
The path-setter below is the vulnerable pattern as given on the page: every segment of the caller-controlled `path` is used as a property name without any allowlist, so a segment such as `__proto__` walks straight into `Object.prototype`.

```js
// Vulnerable: `path` is attacker-controlled and no segment is validated.
function setValueByPath (object, path, value) {
  const pathArray = path.split(".");
  const attributeToSet = pathArray.pop();
  let objectToModify = object;
  for (const attr of pathArray) {
    // Any non-object intermediate is replaced; an existing object, including
    // an inherited one such as Object.prototype, is traversed as-is.
    if (typeof objectToModify[attr] !== 'object') {
      objectToModify[attr] = {};
    }
    objectToModify = objectToModify[attr];
  }
  objectToModify[attributeToSet] = value;
  return object;
}

// `{}`.__proto__ is Object.prototype (typeof 'object'), so this sets
// Object.prototype.isAdmin = true: every object in the realm now has isAdmin.
setValueByPath({}, "__proto__.isAdmin", true)

// The classic alternative path. Note that against this exact function it does
// not reach Object.prototype: typeof Object === 'function', so the typeof check
// replaces `constructor` with a fresh {}. It succeeds against setters that also
// accept function-valued intermediates, so both keys must be rejected.
setValueByPath({}, "constructor.prototype.isAdmin", true)
```

| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2025-14341 | DivvyDrive input data manipulation vulnerability | DivvyDrive | 8.3 | High | 2026-05-07 |
| CVE-2026-41139 | mathjs unsafe array index getter vulnerability | mathjs | - | - | 2026-05-07 |
| CVE-2026-33453 | Apache Camel security vulnerability | Apache Camel | 9.8 (AI) | Critical (AI) | 2026-04-27 |
| CVE-2026-42044 | Axios security vulnerability | axios | 6.5 | Medium | 2026-04-24 |
| CVE-2026-40897 | mathjs security vulnerability | mathjs | 8.8 | High | 2026-04-24 |
| CVE-2026-6912 | AWS Ops Wheel security vulnerability | AWS Ops Wheel | 8.8 | High | 2026-04-24 |
| CVE-2026-34427 | Vvveb security vulnerability | Vvveb | 8.8 | High | 2026-04-20 |
| CVE-2026-40486 | kimai security vulnerability | kimai | 4.3 | Medium | 2026-04-17 |
| CVE-2026-34179 | LXD security vulnerability | lxd | 9.1 | Critical | 2026-04-09 |
| CVE-2026-5708 | Amazon Web Services Research and Engineering Studio security vulnerability | Research and Engineering Studio (RES) | 8.8 | High | 2026-04-06 |
| CVE-2026-5251 | admin security vulnerability | admin | 6.3 | Medium | 2026-04-01 |
| CVE-2026-5248 | gougucms security vulnerability | gougucms | 6.3 | Medium | 2026-04-01 |
| CVE-2026-34406 | APTRS security vulnerability | APTRS | 8.8 | - | 2026-03-31 |
| CVE-2026-27953 | ormar security vulnerability | ormar | 7.1 | High | 2026-03-19 |
| CVE-2026-32742 | Parse Server security vulnerability | parse-server | 4.3 | Medium | 2026-03-18 |
| CVE-2026-29056 | Kanboard security vulnerability | kanboard | 8.8 | - | 2026-03-18 |
| CVE-2026-32640 | simpleeval security vulnerability | simpleeval | 7.5 (AI) | High (AI) | 2026-03-13 |
| CVE-2026-30822 | Flowise security vulnerability | Flowise | 5.3 | - | 2026-03-07 |
| CVE-2025-15602 | Snipe-IT security vulnerability | Snipe-IT | 8.8 | High | 2026-03-06 |
| CVE-2026-28219 | Discourse security vulnerability | discourse | 4.3 (AI) | Medium (AI) | 2026-02-26 |
| CVE-2026-27125 | Svelte security vulnerability | svelte | 3.7 | - | 2026-02-20 |
| CVE-2026-24140 | MyTube security vulnerability | MyTube | 2.7 | Low | 2026-01-23 |
| CVE-2026-22814 | @adonisjs/lucid security vulnerability | lucid | 7.5 (AI) | High (AI) | 2026-01-13 |
| CVE-2026-21695 | titra security vulnerability | titra | 4.3 | Medium | 2026-01-07 |
| CVE-2025-9315 | Moxa MXsecurity Series security vulnerability | MXsecurity Series | 9.4 (AI) | Critical (AI) | 2025-12-10 |
| CVE-2025-13081 | Drupal core security vulnerability | Drupal core | 9.8 (AI) | Critical (AI) | 2025-11-18 |
| CVE-2025-52656 | HCL MyXalytics security vulnerability | HCL MyXalytics | 7.6 | High | 2025-10-03 |
| CVE-2025-7104 | LibreChat security vulnerability | danny-avila/librechat | 9.1 (AI) | Critical (AI) | 2025-09-29 |
| CVE-2025-58367 | DeepDiff security vulnerability | deepdiff | 9.8 (AI) | Critical (AI) | 2025-09-05 |
| CVE-2025-6107 | ComfyUI security vulnerability | comfyui | 3.1 | Low | 2025-06-16 |

Scores and risk levels marked (AI) are flagged on the page as AI-estimated values; "-" means the page lists no value.
CWE-915 is a common weakness class; this platform has catalogued 54 CVEs associated with it.
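The hardened counterpart to the path-setter shown above, as an added example that is not code from the original page or from any of the listed projects: it rejects path segments that can reach the prototype chain, only traverses own properties and creates null-prototype intermediates, and applies an explicit allowlist when copying an untrusted update onto a record, which is the mass-assignment form of CWE-915. The names `safeSetValueByPath`, `applyUpdate`, `USER_WRITABLE_FIELDS` and the sample request body are assumptions constructed for this example.

```javascript
// Added example, not from the original page. Names and sample data are assumptions.

// Keys that address the prototype chain rather than the object itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened path setter: refuse prototype-reaching or empty segments up front,
// only traverse own properties, and create intermediates with no prototype so
// there is nothing to pollute even if a later bug lets a bad key through.
function safeSetValueByPath(object, path, value) {
  const pathArray = path.split(".");
  if (pathArray.some((k) => k === "" || FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set path "${path}"`);
  }
  const attributeToSet = pathArray.pop();
  let current = object;
  for (const attr of pathArray) {
    const existing = Object.prototype.hasOwnProperty.call(current, attr)
      ? current[attr]
      : undefined;
    if (existing === null || typeof existing !== "object") {
      current[attr] = Object.create(null); // null-prototype intermediate
    }
    current = current[attr];
  }
  current[attributeToSet] = value;
  return object;
}

// Allowlist for mass assignment: the only fields a user may set on their own
// record. Anything else (id, role, isAdmin, __proto__, ...) is dropped.
const USER_WRITABLE_FIELDS = new Set(["displayName", "email", "locale"]);

// Copy only allowlisted own keys from untrusted input onto `record`, and
// return the rejected keys so the caller can log the attempt.
function applyUpdate(record, input) {
  const rejected = [];
  for (const key of Object.keys(input)) {
    if (USER_WRITABLE_FIELDS.has(key) && !FORBIDDEN_KEYS.has(key)) {
      record[key] = input[key];
    } else {
      rejected.push(key);
    }
  }
  return { record, rejected };
}

// Constructed request body: what an attacker would send to a profile-update
// endpoint, smuggling a privilege flag both directly and via __proto__.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
function demo() {
  const untrusted = JSON.parse(
    '{"displayName":"mallory","isAdmin":true,"__proto__":{"isAdmin":true}}'
  );
  const record = { id: 42, displayName: "old", isAdmin: false };
  const { rejected } = applyUpdate(record, untrusted);

  let blocked = false;
  try {
    safeSetValueByPath({}, "__proto__.isAdmin", true);
  } catch (e) {
    blocked = true;
  }
  // After both operations a fresh object must still have no isAdmin.
  return { record, rejected, blocked, polluted: ({}).isAdmin === true };
}

console.log(JSON.stringify(demo(), null, 2));
```

`applyUpdate` deliberately returns the rejected keys rather than silently dropping them: an update that tries to set `isAdmin` or `__proto__` is a detection signal worth logging, not just input to sanitize. The null-prototype intermediates in `safeSetValueByPath` are a defence-in-depth choice; the allowlist check on each segment is what actually closes the hole.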