CWE-184 不完整的黑名单类漏洞列表 94

CWE-184 不完整的黑名单类弱点 94 条 CVE 漏洞汇总，含 AI 中文分析。

CWE-184属于输入验证缺陷，指软件依赖黑名单机制过滤非法输入，但列表存在遗漏。攻击者常利用此漏洞，通过构造未被黑名单覆盖的恶意输入绕过安全限制，从而执行未授权操作或注入攻击。开发者应避免单纯依赖黑名单，转而采用白名单机制严格限定合法输入，或对所有输入进行标准化处理与深度校验，确保防御逻辑的完整性与健壮性。

MITRE CWE 官方描述

CWE：CWE-184 未完全列出禁止输入英文：产品实现了一种保护机制，该机制依赖于一个输入（或输入属性）列表，这些输入（或属性）因违反策略而被禁止，或需要采取其他措施以在进一步处理之前进行中和，但该列表不完整。

常见影响 (1)

Access ControlBypass Protection Mechanism

Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.

缓解措施 (1)

ImplementationDo not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as …

代码示例 (2)

The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.

public String removeScriptTags(String input, String mask) { return input.replaceAll("script", mask); }

Bad · Java

This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.

sub GetUntrustedInput { return($ARGV[0]); } sub encode { my($str) = @_; $str =~ s/\&/\&amp;/gs; $str =~ s/\"/\&quot;/gs; $str =~ s/\'/\&apos;/gs; $str =~ s/\</\&lt;/gs; $str =~ s/\>/\&gt;/gs; return($str); } sub doit { my $uname = encode(GetUntrustedInput("username")); print "<b>Welcome, $uname!</b><p>\n"; system("cd /home/$uname; /bin/ls -l"); }

Bad · Perl

' pwd

Attack

CVE ID	标题	CVSS	风险等级	Published
CVE-2026-48557	Spatie Laravel Media Library Pro 安全漏洞 — laravel-medialibrary	8.8	High	2026-05-29
CVE-2026-44463	Zed 安全漏洞 — zed	8.6	High	2026-05-28
CVE-2026-44462	Zed 安全漏洞 — zed	6.4	Medium	2026-05-28
CVE-2026-45037	Tabby 安全漏洞 — tabby	7.1	High	2026-05-15
CVE-2026-42590	Gotenberg 安全漏洞 — gotenberg	8.2	High	2026-05-14
CVE-2026-43929	SSRF Check 安全漏洞 — ssrfcheck	8.2	High	2026-05-12
CVE-2026-45006	OpenClaw 安全漏洞 — OpenClaw	8.8	High	2026-05-11
CVE-2026-44993	OpenClaw 安全漏洞 — OpenClaw	5.4	Medium	2026-05-11
CVE-2026-44115	OpenClaw 安全漏洞 — OpenClaw	8.8	High	2026-05-06
CVE-2026-44114	OpenClaw 安全漏洞 — OpenClaw	7.8	High	2026-05-06
CVE-2026-43584	OpenClaw 安全漏洞 — OpenClaw	8.8	High	2026-05-06
CVE-2026-43578	OpenClaw 安全漏洞 — OpenClaw	9.1	Critical	2026-05-06
CVE-2026-41934	Vvveb 安全漏洞 — Vvveb	8.8	High	2026-05-06
CVE-2026-43566	OpenClaw 安全漏洞 — OpenClaw	9.1	Critical	2026-05-05
CVE-2026-43532	OpenClaw 安全漏洞 — OpenClaw	7.7	High	2026-05-05
CVE-2026-42435	OpenClaw 安全漏洞 — OpenClaw	8.8	High	2026-05-05
CVE-2026-42427	OpenClaw 安全漏洞 — OpenClaw	5.3	Medium	2026-04-28
CVE-2026-41915	OpenClaw 安全漏洞 — OpenClaw	5.3	Medium	2026-04-28
CVE-2026-41392	OpenClaw 安全漏洞 — OpenClaw	6.7	Medium	2026-04-28
CVE-2026-41391	OpenClaw 安全漏洞 — OpenClaw	5.3	Medium	2026-04-28
CVE-2026-41361	OpenClaw 安全漏洞 — OpenClaw	7.1	High	2026-04-23
CVE-2026-41332	OpenClaw 安全漏洞 — OpenClaw	5.3	Medium	2026-04-23
CVE-2026-41264	Flowise 安全漏洞 — Flowise	9.8^AI	Critical^AI	2026-04-23
CVE-2026-41206	PySpector 安全漏洞 — PySpector	8.8^AI	High^AI	2026-04-23
CVE-2026-34415	Xerte Online Toolkits 安全漏洞 — xerteonlinetoolkits	9.8	Critical	2026-04-22
CVE-2026-26274	October 安全漏洞 — october	6.6	Medium	2026-04-21
CVE-2026-40077	Beszel 安全漏洞 — beszel	3.5	Low	2026-04-09
CVE-2026-39315	unhead 安全漏洞 — unhead	6.1	Medium	2026-04-09
CVE-2026-34177	LXD 安全漏洞 — lxd	9.1	Critical	2026-04-09
CVE-2026-35410	Directus 输入验证错误漏洞 — directus	6.1	Medium	2026-04-06

CWE-184（不完整的黑名单）是常见的弱点类别，本平台收录该类弱点关联的 94 条 CVE 漏洞。

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CWE-184 不完整的黑名单 类漏洞列表 94

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

CWE-184 不完整的黑名单类漏洞列表 94