CWE-96 Improper Neutralization of Directives in Statically Saved Code (Static Code Injection): vulnerability list (21)

Summary of the 21 CVE vulnerabilities associated with CWE-96, Improper Neutralization of Directives in Statically Saved Code (Static Code Injection), with AI-generated Chinese analysis.

CWE-96 refers to static code injection and is classed as an input validation weakness. An attacker injects malicious code syntax into an executable resource such as a library, configuration file or template; because the program does not sanitize the input correctly, the injected syntax is later interpreted as code, yielding remote code execution or tampering with program logic. Developers need to enforce strict input validation with allowlist filtering so that dynamic data is never embedded directly into static code structures, which cuts off the injection path.

MITRE CWE official description
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection'). Description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
Common Consequences (5)
Scope: Confidentiality. Impact: Read Files or Directories, Read Application Data.
The injected code could access restricted data / files.
Scope: Access Control. Impact: Bypass Protection Mechanism.
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Injected code can access resources that the attacker is directly prevented from accessing.
Scope: Integrity, Confidentiality, Availability, Other. Impact: Execute Unauthorized Code or Commands.
Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
Scope: Non-Repudiation. Impact: Hide Activities.
Often the actions performed by injected control code are unlogged.
Mitigations (2)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
Demonstrative Examples (1)
This example attempts to write user messages to a message file and allow users to view them.
Bad · PHP
$MessageFile = "messages.out";
if ($_GET["action"] == "NewMessage") {
    $name = $_GET["name"];
    $message = $_GET["message"];
    // user-controlled strings are written verbatim into the file
    $handle = fopen($MessageFile, "a+");
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
    echo "Message Saved!<p>\n";
} else if ($_GET["action"] == "ViewMessages") {
    // the message file is executed as PHP, so any injected code runs here
    include($MessageFile);
}
Attack
name=h4x0r message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
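The following is an added illustration, not code from this platform or from MITRE's CWE entry: it places the vulnerable pattern above (user data appended to a file that is later `include()`d) beside a hardened version that applies both mitigations listed on this page, an "accept known good" allowlist on the name and output escaping on render, and stores messages as data (JSON Lines) rather than in an executable resource. The function names, the temporary file and the benign constructed payload are assumptions made for this example.

```php
<?php
// Added example, not from the CWE page or MITRE's demonstrative code.
// Function names and file handling here are assumptions for illustration.

// VULNERABLE (mirrors the CWE demonstrative example): the file that receives
// user data is later passed to include(), so PHP syntax inside $name or
// $message is executed when messages are viewed.
function save_message_unsafe(string $file, string $name, string $message): void {
    $handle = fopen($file, 'a+');
    fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
    fclose($handle);
}
function view_messages_unsafe(string $file): void {
    include $file;   // the message file is interpreted as PHP code
}

// HARDENED:
// 1. "accept known good": $name must match a strict allowlist pattern and
//    over-long messages are rejected rather than "fixed up";
// 2. the stored artifact is data (one JSON object per line), never a
//    resource that the application executes;
// 3. rendering escapes on output and nothing user-influenced is include()d.
function save_message_safe(string $file, string $name, string $message): bool {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
        return false;
    }
    if (strlen($message) > 1000) {
        return false;
    }
    $record = json_encode(['name' => $name, 'message' => $message], JSON_THROW_ON_ERROR);
    return file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function render_messages_safe(string $file): string {
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return '';
    }
    $html = '';
    foreach ($lines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !isset($rec['name'], $rec['message'])) {
            continue;   // skip malformed records instead of trusting them
        }
        $html .= '<b>' . htmlspecialchars($rec['name'], ENT_QUOTES, 'UTF-8') . '</b> says \''
               . htmlspecialchars($rec['message'], ENT_QUOTES, 'UTF-8') . "'<hr>\n";
    }
    return $html;   // plain HTML text handed to echo; never parsed as PHP
}

// Demonstration with a constructed, benign payload in the shape of the
// attack string shown in the CWE entry.
$payload = '<?php echo "injected"; ?>';
$tmp = tempnam(sys_get_temp_dir(), 'msg');
save_message_safe($tmp, 'h4x0r', $payload);
echo render_messages_safe($tmp);
unlink($tmp);
```

With the hardened path the payload is stored as a JSON string value and reaches the browser as escaped text; the `<`, `>` and quote characters are converted by `htmlspecialchars`, and because the file is read with `file()` and decoded rather than included, no part of it is ever handed to the PHP interpreter.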
CVE ID · Title · CVSS · Risk level · Published ((AI) marks an AI-estimated value)
CVE-2025-57707 · QNAP Systems File Station 5 security vulnerability — File Station 5 · 6.5 (AI) · Medium (AI) · 2026-02-11
CVE-2025-7825 · WordPress plugin The Schema Plugin For Divi, Gutenberg & Shortcodes security vulnerability — Schema Plugin For Divi, Gutenberg & Shortcodes · 6.3 · Medium · 2025-10-03
CVE-2025-36595 · Dell Unisphere security vulnerability — Unisphere for PowerMax vApp · 7.2 · High · 2025-06-27
CVE-2015-2079 · Webmin Usermin security vulnerability — Usermin · 9.9 · Critical · 2025-04-28
CVE-2025-30091 · Tiny MoxieManager security vulnerability — MoxieManager PHP · 9.8 (AI) · Critical (AI) · 2025-03-25
CVE-2024-13268 · Drupal security vulnerability — Opigno · 9.8 · - · 2025-01-09
CVE-2024-13267 · Drupal security vulnerability — Opigno TinCan Question Type · 9.8 · - · 2025-01-09
CVE-2024-13265 · Drupal security vulnerability — Opigno Learning path · 8.8 · - · 2025-01-09
CVE-2024-13264 · Drupal security vulnerability — Opigno module · 9.8 · - · 2025-01-09
CVE-2024-13263 · Drupal security vulnerability — Opigno group manager · 8.8 · - · 2025-01-09
CVE-2024-55877 · XWiki Platform security vulnerability — xwiki-platform · 10.0 · Critical · 2024-12-12
CVE-2024-55662 · XWiki Platform security vulnerability — xwiki-platform · 10.0 · Critical · 2024-12-12
CVE-2024-43400 · XWiki Platform security vulnerability — xwiki-platform · 9.1 · Critical · 2024-08-19
CVE-2024-37900 · XWiki Platform security vulnerability — xwiki-platform · 6.4 · Medium · 2024-07-31
CVE-2024-0788 · SUPERAntiSpyware Pro X security vulnerability — SUPERAntiSpyware Pro X · 6.6 · Medium · 2024-01-29
CVE-2022-3960 · Hitachi Vantara Pentaho Business Analytics Server code injection vulnerability — Pentaho Business Analytics Server · 6.3 · Medium · 2023-04-03
CVE-2022-43938 · Hitachi Vantara Pentaho Business Analytics Server code injection vulnerability — Pentaho Business Analytics Server · 8.8 · High · 2023-04-03
CVE-2022-0895 · Microweber security vulnerability — microweber/microweber · 9.8 · - · 2022-03-10
CVE-2021-39115 · Atlassian Jira code injection vulnerability — Jira Service Desk Server · 7.2 · - · 2021-09-01
CVE-2020-6144 · Open Solutions for Education openSIS code injection vulnerability — OS4Ed · 9.8 · - · 2020-09-01
CVE-2020-6143 · Open Solutions for Education openSIS code injection vulnerability — OS4Ed · 9.8 · - · 2020-09-01

CWE-96 (Improper Neutralization of Directives in Statically Saved Code, 'Static Code Injection') is a common weakness category; this platform has collected 21 CVE records associated with it.