
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection'): vulnerability list (88)

Summary of the 88 CVE vulnerabilities filed under the CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') weakness class, with AI-generated analysis in Chinese.

CRLF injection is an input-validation flaw in which a program fails to filter carriage-return and line-feed characters out of user input. An attacker exploits it by injecting CRLF sequences that tamper with HTTP response headers or forge log entries, which can lead to session hijacking, cross-site scripting or cache poisoning. Developers should validate user input strictly against a whitelist so that it contains only permitted characters, and escape or remove CRLF sequences automatically before the input is used, cutting off the injection path.

MITRE CWE official description
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'). Description: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common Consequences (1)
    Integrity: Modify Application Data
Mitigations (2)
    Implementation: Avoid using CRLF as a special sequence.
    Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Code Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Bad · Java

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...

Result
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
    name: Deploy Preview
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: 'Download artifact'
            uses: actions/github-script
            with:
              script: |
                var artifacts = await github.actions.listWorkflowRunArtifacts({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: ${{ github.event.workflow_run.id }},
                });
                var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
                  return artifact.name == "pr"
                })[0];
                var downloadPr = await github.actions.downloadArtifact({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  artifact_id: matchPrArtifact.id,
                  archive_format: 'zip',
                });
                var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
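The two mitigations named above (whitelist validation, or removing CRLF before use) applied to the Set-Cookie scenario from the first MITRE example, as an added Python illustration that is not part of the CWE entry or this page; the header names, the parser and the tainted sample value are constructed for the demonstration.

```python
import re

CRLF = "\r\n"
# Whitelist for a header value: printable ASCII only, so CR, LF and other
# control characters are never accepted (the page's "whitelist" mitigation).
_HEADER_VALUE_OK = re.compile(r"[\x20-\x7e]*")

def build_response_unsafe(author: str) -> str:
    """Counterpart of the 'Bad' Java snippet: the value goes in verbatim."""
    return CRLF.join(["HTTP/1.1 200 OK", f"Set-Cookie: author={author}", "", ""])

def reject_crlf(value: str) -> str:
    """Whitelist check that refuses CR/LF. fullmatch is deliberate: re.match
    with a '$' anchor would still accept a value ending in a bare LF."""
    if _HEADER_VALUE_OK.fullmatch(value) is None:
        raise ValueError("header value contains CR/LF or control characters")
    return value

def strip_crlf(value: str) -> str:
    """The page's other option: remove CR and LF before the value is used."""
    return value.replace("\r", "").replace("\n", "")

def build_response_safe(author: str, mode: str = "reject") -> str:
    """Same response, but the cookie value is neutralized first."""
    clean = reject_crlf(author) if mode == "reject" else strip_crlf(author)
    return CRLF.join(["HTTP/1.1 200 OK", f"Set-Cookie: author={clean}", "", ""])

def parse_headers(raw: str) -> dict:
    """Read headers as a client or proxy does: each CRLF ends one header line,
    so a CRLF smuggled inside a value turns into a separate header."""
    _status, _, rest = raw.partition(CRLF)
    headers = {}
    for line in rest.split(CRLF):
        if line == "":  # blank line ends the header block
            break
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers

if __name__ == "__main__":
    # Constructed input: a name, then a CRLF and a harmless extra header.
    tainted = "Jane Smith" + CRLF + "X-Injected: 1"
    print(parse_headers(build_response_unsafe(tainted)))  # X-Injected shows up
    print(parse_headers(build_response_safe(tainted, "strip")))  # one Set-Cookie
    try:
        build_response_safe(tainted)  # mode="reject" raises
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting is the safer default: stripping keeps the request alive but silently changes the value, so log the rejection either way so that the attempt is visible in monitoring.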
| CVE ID | Title | Product | CVSS | Risk | Published |
|---|---|---|---|---|---|
| CVE-2026-41570 | PHPUnit PHP INI value newline parameter injection vulnerability | phpunit | 7.8 | High | 2026-05-08 |
| CVE-2026-41417 | Netty default request parsing flaw leading to HTTP request smuggling and RTSP injection | netty | 5.3 | Medium | 2026-05-06 |
| CVE-2026-39849 | Pi-hole FTL dns.interface configuration newline injection leading to remote code execution | FTL | - | - | 2026-05-05 |
| CVE-2026-34458 | Sandboxie-Plus privilege escalation vulnerability | Sandboxie | - | - | 2026-05-05 |
| CVE-2026-5140 | Pardus injection vulnerability | Pardus Update | 8.8 | High | 2026-04-29 |
| CVE-2026-42037 | Axios injection vulnerability | axios | 5.3 | Medium | 2026-04-24 |
| CVE-2026-41230 | Froxlor injection vulnerability | froxlor | 8.5 | High | 2026-04-23 |
| CVE-2026-2717 | WordPress plugin HTTP Headers injection vulnerability | HTTP Headers | 5.5 | Medium | 2026-04-22 |
| CVE-2026-32964 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 6.5 | Medium | 2026-04-20 |
| CVE-2026-6351 | Openfind MailGates and Openfind MailAudit security vulnerability | MailGates | 7.5 | High | 2026-04-16 |
| CVE-2026-2400 | Schneider Electric PowerChute Serial Shutdown injection vulnerability | PowerChute™ Serial Shutdown | 4.5 | - | 2026-04-14 |
| CVE-2026-35601 | Vikunja injection vulnerability | vikunja | 4.1 | Medium | 2026-04-10 |
| CVE-2026-39983 | Basic FTP security vulnerability | basic-ftp | 8.6 | High | 2026-04-09 |
| CVE-2026-39958 | oma injection vulnerability | oma | 5.3 | Medium | 2026-04-09 |
| CVE-2026-39394 | CI4MS security vulnerability | ci4ms | 8.1 | High | 2026-04-08 |
| CVE-2026-34975 | plunk injection vulnerability | plunk | 8.5 | High | 2026-04-06 |
| CVE-2026-26962 | Rack injection vulnerability | rack | 4.8 | Medium | 2026-04-02 |
| CVE-2026-2442 | WordPress plugin Pagelayer injection vulnerability | Page Builder: Pagelayer – Drag and Drop website builder | 5.3 | Medium | 2026-03-28 |
| CVE-2026-33635 | iCalendar injection vulnerability | icalendar | 4.3 | Medium | 2026-03-26 |
| CVE-2026-20113 | Cisco IOS XE Software injection vulnerability | Cisco IOS XE Software | 5.3 | Medium | 2026-03-25 |
| CVE-2026-28753 | F5 NGINX Plus and F5 NGINX Open Source injection vulnerability | NGINX Open Source | 3.7 | Low | 2026-03-24 |
| CVE-2026-33128 | H3 injection vulnerability | h3 | 7.5 | High | 2026-03-20 |
| CVE-2026-3633 | libsoup injection vulnerability | Red Hat Enterprise Linux 10 | 3.9 | Low | 2026-03-17 |
| CVE-2026-3634 | libsoup security vulnerability | Red Hat Enterprise Linux 10 | 3.9 | Low | 2026-03-17 |
| CVE-2026-1527 | undici security vulnerability | undici | 4.6 | Medium | 2026-03-12 |
| CVE-2026-3234 | mod_cluster injection vulnerability | Red Hat Enterprise Linux 10 | 4.3 | Medium | 2026-03-12 |
| CVE-2026-3848 | GitLab injection vulnerability | GitLab | 5.0 | Medium | 2026-03-11 |
| CVE-2026-30227 | MimeKit injection vulnerability | MimeKit | 8.2 | - | 2026-03-06 |
| CVE-2026-28296 | gvfs injection vulnerability | Red Hat Enterprise Linux 10 | 4.3 | Medium | 2026-02-26 |
| CVE-2026-1714 | WordPress plugin ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution injection vulnerability | ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | 8.6 | High | 2026-02-18 |

CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) is a common weakness class; this platform has catalogued 88 CVE vulnerabilities associated with it.