CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): vulnerability list (397)

A summary of the 397 CVE vulnerabilities associated with weakness class CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), with AI-generated analysis in Chinese.

CWE-74 covers injection into a downstream component and is an input-validation weakness. An attacker crafts malicious input containing special characters that interferes with how the downstream component parses a command or data, causing it to perform unintended operations or corrupting the data structure. Developers should avoid concatenating user input directly and should apply strict input filtering and output encoding, so that special elements are correctly escaped or isolated and cannot be misinterpreted by the downstream component as executable instructions or structural markers.

MITRE CWE Official Description
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). Description: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Common Consequences (5)
Confidentiality: Read Application Data
Many injection attacks involve the disclosure of important information, in terms of both data sensitivity and usefulness in further exploitation.
Access Control: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Other: Alter Execution Logic
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Integrity, Other: Other
Data injection attacks lead to loss of data integrity in nearly all cases, as the control-plane data injected is always incidental to data recall or writing.
Non-Repudiation: Hide Activities
Often the actions performed by injected control code are unlogged.
Mitigations (2)
Requirements: Programming languages and supporting technologies might be chosen which are not subject to these issues.
Implementation: Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Code Examples (2)
This example code intends to take the name of a user and list the contents of that user's home directory. It is subject to the first variant of OS command injection.
Bad · PHP:
    $userName = $_POST["user"];
    $command = 'ls -l /home/' . $userName;
    system($command);
Attack input:
    ;rm -rf /
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
Bad · Java:
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Result:
    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
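The allowlist mitigation above, applied to both demonstrative examples as an added Python example (not MITRE's or this platform's code): the listing command is built as an argv list so the user name is never parsed by a shell, and the cookie value is checked for header-control characters before the Set-Cookie line is emitted. The user-name pattern, the denied cookie characters and the helper names are assumptions made for this example.

```python
import re
import subprocess

# Allowlist for a POSIX-style user name (constructed example policy): a lowercase
# letter or underscore, then up to 31 letters, digits, '_' or '-'. Shell
# metacharacters such as ';', '|', '$' and whitespace can never match, so
# they need no denylist entry.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_username(username: str) -> str:
    """Return the user name unchanged if it is on the allowlist, else raise."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected user name: {username!r}")
    return username


def build_ls_argv(username: str) -> list[str]:
    """Build argv for 'ls -l /home/<user>' without involving a shell.

    With a list argv and shell=False the user name reaches ls as a single
    argument; it is never re-parsed for command separators, so an input
    like ';rm -rf /' cannot become a second command.
    """
    return ["ls", "-l", "/home/" + validate_username(username)]


def list_home(username: str) -> str:
    """Run the listing; shell=False is the default, kept explicit here."""
    result = subprocess.run(build_ls_argv(username), shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


# Control-plane syntax inside a Set-Cookie header line: CR/LF terminate the
# header (header injection), NUL truncates, ';' starts a cookie attribute.
COOKIE_VALUE_DENIED = frozenset("\r\n\x00;")


def validate_cookie_value(value: str) -> str:
    """Reject a cookie value that could change how the header is parsed."""
    if any(c in COOKIE_VALUE_DENIED or ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"rejected cookie value: {value!r}")
    return value


def build_set_cookie(name: str, value: str) -> str:
    """Return the header line the Java example emits, e.g.
    'Set-Cookie: author=Jane Smith', after neutralizing the value."""
    return f"Set-Cookie: {name}={validate_cookie_value(value)}"
```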
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-10661 | Blender MCP server.py open injection vulnerability | blender-mcp | 4.3 | Medium | 2026-06-02
CVE-2026-8993 | D.Launcher 2 URL handling flaw leading to NTLM credential leak and SSRF | D.Launcher 2 | 6.5 | Medium | 2026-06-02
CVE-2026-7770 | IBM i ACS remote code execution vulnerability | i Access Family | 8.8 | High | 2026-06-01
CVE-2026-10223 | NousResearch Hermes-Agent memory_tool.py memory injection vulnerability | hermes-agent | 6.3 | Medium | 2026-06-01
CVE-2026-10222 | NousResearch Hermes-Agent config.py injection vulnerability | hermes-agent | 5.6 | Medium | 2026-06-01
CVE-2026-10221 | NousResearch hermes-agent run_agent.py _compress_context injection vulnerability | hermes-agent | 7.3 | High | 2026-06-01
CVE-2026-10220 | NousResearch Hermes Agent skill_view injection vulnerability | hermes-agent | 7.3 | High | 2026-06-01
CVE-2026-10210 | AstrBot skill_manager.py prompt injection vulnerability | AstrBot | 6.3 | Medium | 2026-06-01
CVE-2026-45344 | LinkAce injection vulnerability | LinkAce | 8.1 | High | 2026-05-28
CVE-2026-9422 | KLiK SocialMediaWebsite security vulnerability | KLiK SocialMediaWebsite | 7.3 | High | 2026-05-25
CVE-2026-9420 | KLiK SocialMediaWebsite security vulnerability | KLiK SocialMediaWebsite | 6.3 | Medium | 2026-05-25
CVE-2026-9366 | Hermes Agent security vulnerability | hermes-agent | 7.3 | High | 2026-05-24
CVE-2026-9353 | Hermes Agent security vulnerability | hermes-agent | 7.3 | High | 2026-05-24
CVE-2026-6279 | WordPress plugin Avada (Fusion) Builder injection vulnerability | Avada (Fusion) Builder | 9.8 | Critical | 2026-05-21
CVE-2026-20199 | Cisco ThousandEyes Virtual Appliance injection vulnerability | Cisco ThousandEyes Enterprise Agent | 4.7 | Medium | 2026-05-20
CVE-2026-42334 | Mongoose injection vulnerability | mongoose | 7.5 | High | 2026-05-14
CVE-2026-44458 | Hono injection vulnerability | hono | 4.3 | Medium | 2026-05-13
CVE-2026-44455 | Hono injection vulnerability | hono | 4.7 | Medium | 2026-05-13
CVE-2026-42838 | Microsoft Edge injection vulnerability | Microsoft Edge (Chromium-based) | 5.4 | Medium | 2026-05-12
CVE-2026-33833 | Microsoft Azure Machine Learning injection vulnerability | Azure Machine Learning | 8.2 | High | 2026-05-12
CVE-2026-41109 | Microsoft GitHub Copilot and Visual Studio injection vulnerability | Visual Studio Code | 8.8 | High | 2026-05-12
CVE-2025-8154 | Injection vulnerability in multiple WSO2 products | WSO2 API Manager | 5.3 | Medium | 2026-05-11
CVE-2025-67486 | Dolibarr injection vulnerability | dolibarr | 7.2 (AI) | High (AI) | 2026-05-08
CVE-2026-26164 | Microsoft 365 Copilot BizChat injection vulnerability | Microsoft 365 Copilot's Business Chat | 7.5 | High | 2026-05-07
CVE-2026-7045 | dynamic-datasource-spring-boot-starter injection vulnerability | dynamic-datasource | 6.3 | Medium | 2026-04-26
CVE-2026-6994 | Envoy Proxy injection vulnerability | Envoy | 6.3 | Medium | 2026-04-25
CVE-2026-41319 | MailKit injection vulnerability | MailKit | 6.5 | Medium | 2026-04-24
CVE-2026-1089 | Fortra GoAnywhere MFT security vulnerability | GoAnywhere MFT | 6.5 | Medium | 2026-04-21
CVE-2026-0972 | Fortra GoAnywhere MFT security vulnerability | GoAnywhere MFT | 5.4 | Medium | 2026-04-21
CVE-2026-6599 | Langflow security vulnerability | langflow | 6.3 | Medium | 2026-04-20

CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') is a common weakness category; this platform has collected 397 CVE vulnerabilities associated with it.