
CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')) — Vulnerability Class 21

21 vulnerabilities classified as CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')). AI Chinese analysis included.

CWE-96 represents a critical input validation weakness where applications fail to properly sanitize user-supplied directives before embedding them into statically saved code resources. This vulnerability typically arises when developers construct executable files, libraries, or configuration templates by directly concatenating untrusted data with code syntax, allowing attackers to inject malicious commands or logic. Exploitation occurs when the compromised resource is subsequently executed, granting the attacker unintended control over the system or application behavior. To mitigate this risk, developers must implement rigorous input validation and strict output encoding techniques. By ensuring that all external inputs are neutralized or escaped before integration into static code structures, organizations can prevent the injection of unauthorized directives, thereby preserving the integrity and security of their executable assets against code injection attacks.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
Common Consequences (5)
Confidentiality: Read Files or Directories, Read Application Data
    The injected code could access restricted data / files.
Access Control: Bypass Protection Mechanism
    In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control: Gain Privileges or Assume Identity
    Injected code can access resources that the attacker is directly prevented from accessing.
Integrity, Confidentiality, Availability, Other: Execute Unauthorized Code or Commands
    Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
Non-Repudiation: Hide Activities
    Often the actions performed by injected control code are unlogged.
Mitigations (2)
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Perform proper output validation and escaping to neutralize all code syntax from data written to code files.
Examples (1)
This example attempts to write user messages to a message file and allow users to view them.
    <?php
    // Vulnerable (CWE-96): user-controlled text is written verbatim into a file
    // that is later include()d, so any PHP code stored in it is executed.
    $MessageFile = "messages.out";
    if ($_GET["action"] == "NewMessage") {
        $name = $_GET["name"];
        $message = $_GET["message"];
        $handle = fopen($MessageFile, "a+");
        // No escaping: a "<?php ... ?>" sequence in $name or $message is saved as code
        fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
        fclose($handle);
        echo "Message Saved!<p>\n";
    } else if ($_GET["action"] == "ViewMessages") {
        // include() parses the data file as PHP source instead of serving it as text
        include($MessageFile);
    }
Bad · PHP
name=h4x0r message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
Attack
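A hardened version of the same message board, added here as an illustration (it is not part of MITRE's entry and assumes PHP 7 or later for the `??` operator). It applies both mitigations listed above: the name is validated against an allow-list pattern, every value is HTML-escaped before it is written, and the stored file is served as data with readfile() rather than executed with include().

```php
<?php
// Added example (not MITRE's code): fixed message board for the CWE-96 example.
// Two changes neutralize the static code injection:
//   1. User values are HTML-escaped before being written, so "<?php" cannot
//      survive in messages.out as a PHP open tag ("<" becomes "&lt;").
//   2. The saved file is treated as data (readfile), never passed to include(),
//      so even a previously poisoned file is rendered as text, not executed.
$MessageFile = "messages.out";
$action = $_GET["action"] ?? "";

if ($action === "NewMessage") {
    $name = $_GET["name"] ?? "";
    $message = $_GET["message"] ?? "";
    // Mitigation 1: "accept known good" validation of the display name and a
    // length bound on the message (limits are assumptions, not MITRE's values).
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) || strlen($message) > 1000) {
        http_response_code(400);
        exit("Invalid input");
    }
    // Mitigation 2: escape code/markup syntax before it reaches the file.
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeMessage = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $handle = fopen($MessageFile, "a");
    flock($handle, LOCK_EX);
    fwrite($handle, "<b>$safeName</b> says '$safeMessage'<hr>\n");
    flock($handle, LOCK_UN);
    fclose($handle);
    echo "Message Saved!<p>\n";
} elseif ($action === "ViewMessages") {
    // Serve the stored markup as a plain file, never as PHP source.
    if (is_file($MessageFile)) {
        readfile($MessageFile);
    }
}
```

With this version the attack request shown above is stored as `&lt;?php system(&quot;/bin/ls -l&quot;);?&gt;` and is displayed literally; because the viewer no longer calls include(), the file contents are never interpreted as PHP.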
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-57707 | File Station 5 | File Station 5 | 6.5 (AI) | Medium (AI) | 2026-02-11
CVE-2025-7825 | Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 - Authenticated (Contributor+) Object Instantiation | Schema Plugin For Divi, Gutenberg & Shortcodes | 6.3 | Medium | 2025-10-03
CVE-2025-36595 | Dell Unisphere security vulnerability | Unisphere for PowerMax vApp | 7.2 | High | 2025-06-27
CVE-2015-2079 | Webmin Usermin security vulnerability | Usermin | 9.9 | Critical | 2025-04-28
CVE-2025-30091 | Tiny MoxieManager security vulnerability | MoxieManager PHP | 9.8 (AI) | Critical (AI) | 2025-03-25
CVE-2024-13268 | Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032 | Opigno | 9.8 | - | 2025-01-09
CVE-2024-13267 | Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031 | Opigno TinCan Question Type | 9.8 | - | 2025-01-09
CVE-2024-13265 | Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029 | Opigno Learning path | 8.8 | - | 2025-01-09
CVE-2024-13264 | Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028 | Opigno module | 9.8 | - | 2025-01-09
CVE-2024-13263 | Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027 | Opigno group manager | 8.8 | - | 2025-01-09
CVE-2024-55877 | XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList | xwiki-platform | 10.0 | Critical | 2024-12-12
CVE-2024-55662 | XWiki allows remote code execution through the extension sheet | xwiki-platform | 10.0 | Critical | 2024-12-12
CVE-2024-43400 | XWiki Platform allows XSS through XClass name in string properties | xwiki-platform | 9.1 | Critical | 2024-08-19
CVE-2024-37900 | XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader | xwiki-platform | 6.4 | Medium | 2024-07-31
CVE-2024-0788 | SUPERAntiSpyware Pro X v10.0.1260 - Kernel-level API parameters manipulation | SUPERAntiSpyware Pro X | 6.6 | Medium | 2024-01-29
CVE-2022-3960 | Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Pentaho Business Analytics Server | 6.3 | Medium | 2023-04-03
CVE-2022-43938 | Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Pentaho Business Analytics Server | 8.8 | High | 2023-04-03
CVE-2022-0895 | Static Code Injection in microweber/microweber | microweber/microweber | 9.8 | - | 2022-03-10
CVE-2021-39115 | Atlassian Jira code injection vulnerability | Jira Service Desk Server | 7.2 | - | 2021-09-01
CVE-2020-6144 | Open Solutions for Education openSIS code injection vulnerability | OS4Ed | 9.8 | - | 2020-09-01
CVE-2020-6143 | Open Solutions for Education openSIS code injection vulnerability | OS4Ed | 9.8 | - | 2020-09-01

Vulnerabilities classified as CWE-96 (Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')) represent 21 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.