
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection'): vulnerability list (107)

Summary of the 107 CVEs mapped to weakness class CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection'), with AI-generated analysis (in Chinese).

CRLF injection is an input-validation flaw: the program copies user input into a context where the carriage-return/line-feed pair (CR LF, 0x0D 0x0A) is a structural delimiter, without removing or encoding those characters. An injected CRLF therefore terminates the current record and starts a new one. In an HTTP response that means attacker-chosen headers (for example an extra Set-Cookie) or, with a double CRLF, an attacker-chosen body (HTTP response splitting), which is used for session fixation or hijacking, reflected cross-site scripting and cache poisoning; in a log file it means forged entries. Developers should validate such input against an allowlist of permitted characters and, before the value is used, reject or encode any CR or LF so it cannot act as a delimiter. The check must run on the decoded value that is actually written: a %0d%0a in a query string is already a CRLF once the framework has URL-decoded it.

MITRE CWE official description
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection'). Description: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Code examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
Bad · Java
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
Result
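The header-injection and response-splitting outcomes described in the introduction and in the Java example above, as an added example that is neither MITRE's nor the page's code. It re-creates the vulnerable pattern (untrusted value pasted into the header block), the two mitigations from the list above (reject, or quote by percent-encoding), and a small lenient response parser so the effect on a client is visible. The payload strings, the `_render` helper and the parser are constructed for this demonstration.

```python
"""CRLF injection into a Set-Cookie header: vulnerable builder, two hardened
variants, and a client-side parser that shows what each one produces."""
import re
from typing import List, Tuple
from urllib.parse import quote

CRLF = "\r\n"
BODY = b"<html>hello</html>"

# Constructed inputs: a benign author name, a header-injection payload that
# smuggles a second Set-Cookie line, and a response-splitting payload that
# closes the header block early and supplies its own body.
BENIGN = "Jane Smith"
INJECTED = "Jane Smith\r\nSet-Cookie: session=attacker-chosen; Path=/"
SPLITTING = "x\r\nContent-Length: 25\r\n\r\n<script>alert(1)</script>"


def _render(author_value: str) -> bytes:
    """Assemble the response the way the Java example does: the value goes
    straight into the header block, so every CRLF inside it starts a new line."""
    head = (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html; charset=utf-8" + CRLF
        + "Set-Cookie: author=" + author_value + CRLF
        + CRLF
    )
    return head.encode("utf-8") + BODY


def build_response_vulnerable(author: str) -> bytes:
    """No neutralization at all (CWE-93)."""
    return _render(author)


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """Allowlist check: a header value may not contain CR, LF, NUL or any other
    control character. Apply it to the decoded value that will be written."""
    return _CONTROL.search(value) is None


def build_response_safe(author: str) -> bytes:
    """Mitigation, variant 1: reject the value outright."""
    if not is_safe_header_value(author):
        raise ValueError("CR/LF or other control character in header value")
    return _render(author)


def build_response_quoted(author: str) -> bytes:
    """Mitigation, variant 2: quote instead of reject. Percent-encoding maps
    CR/LF to %0D%0A, so the whole value stays on the one Set-Cookie line."""
    return _render(quote(author, safe=""))


def parse_response(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes, bytes]:
    """Lenient HTTP/1.1 client view: headers end at the first blank line; if a
    Content-Length is present the body is cut there and the remainder is what
    the client would treat as the next response (response splitting)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split(CRLF)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    length = next((int(v) for n, v in headers if n == "content-length"), None)
    if length is None:
        return headers, rest, b""
    return headers, rest[:length], rest[length:]


def count_header(headers: List[Tuple[str, str]], name: str) -> int:
    return sum(1 for n, _ in headers if n == name)


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("injected", INJECTED), ("splitting", SPLITTING)):
        hdrs, body, leftover = parse_response(build_response_vulnerable(payload))
        print(label, "set-cookie count:", count_header(hdrs, "set-cookie"),
              "body:", body, "leftover:", leftover)
    print("quoted:", parse_response(build_response_quoted(INJECTED))[0])
```

With the vulnerable builder the injected payload yields two Set-Cookie headers and the splitting payload yields a body of the attacker's choosing followed by leftover bytes that a client or intermediary cache may parse as a second response. The quoted builder keeps everything on one header line; the rejecting builder refuses the request. Real servlet containers and HTTP libraries usually perform the rejecting check themselves, but the application should not rely on that when the same value is also written to logs or other CRLF-delimited sinks.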
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
name: Deploy Preview
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Download artifact'
        uses: actions/github-script
        with:
          script: |
            var artifacts = await github.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "pr"
            })[0];
            var downloadPr = await github.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchPrArtifact.id,
              archive_format: 'zip',
            });
            var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
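Why the attack line above works against $GITHUB_ENV, and why a heredoc with an unguessable delimiter stops it, as an added example that is not the page's, MITRE's or GitHub's code. `parse_github_env` is a simplified model (an assumption, not the runner's source) of how the Actions runner reads the file: one `NAME=VALUE` per line, or `NAME<<DELIM` followed by value lines up to a line equal to `DELIM`, whichever of `=` or `<<` comes first deciding the form. `format_env_safe` applies the same idea that `@actions/core`'s `exportVariable` uses (a `ghadelimiter_<uuid>` heredoc). The NR file contents are constructed for the demonstration.

```python
"""$GITHUB_ENV line injection from attacker-controlled artifact content, with
the heredoc-delimiter mitigation and an allowlist check on the value itself."""
import re
import secrets
from typing import Dict, List, Optional

# Constructed stand-in for the attacker's NR file inside the "pr" artifact: a
# plausible PR number followed by the NODE_OPTIONS line shown on this page.
NR_MALICIOUS = (
    "1234\n"
    "NODE_OPTIONS=\"--experimental-modules "
    "--experiments-loader=data:text/javascript,console.log('injected code');//\""
)
NR_BENIGN = "1234"


def parse_github_env(text: str) -> Dict[str, str]:
    """Simplified model of the runner's $GITHUB_ENV parser (assumption)."""
    env: Dict[str, str] = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        eq, hd = line.find("="), line.find("<<")
        if eq >= 0 and (hd < 0 or eq < hd):
            env[line[:eq]] = line[eq + 1:]          # NAME=VALUE
        elif hd >= 0:
            name, delim = line[:hd], line[hd + 2:]  # NAME<<DELIM ... DELIM
            block: List[str] = []
            while i < len(lines) and lines[i] != delim:
                block.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"heredoc for {name!r} never closed with {delim!r}")
            i += 1  # consume the closing delimiter line
            env[name] = "\n".join(block)
        else:
            raise ValueError(f"malformed line: {line!r}")
    return env


def format_env_vulnerable(name: str, value: str) -> str:
    """What the workflow above effectively does: append 'name=value\\n' with
    the artifact content pasted in unchanged, so a newline in the value starts
    a second, attacker-chosen assignment."""
    return f"{name}={value}\n"


def format_env_safe(name: str, value: str, delimiter: Optional[str] = None) -> str:
    """Heredoc form with a random delimiter. Newlines in the value no longer
    end the record; the only way out is a line equal to the delimiter, which
    is unguessable and additionally refused if it appears in name or value."""
    if delimiter is None:
        delimiter = f"ghadelimiter_{secrets.token_hex(16)}"
    if "\n" in name or "=" in name or "<<" in name:
        raise ValueError("invalid variable name")
    if delimiter in name or delimiter in value:
        raise ValueError("delimiter collision")
    return f"{name}<<{delimiter}\n{value}\n{delimiter}\n"


_PR_NUMBER = re.compile(r"[1-9][0-9]{0,9}")


def is_pr_number(value: str) -> bool:
    """Independent of the file format: pr_number is supposed to be a small
    positive integer, so allowlist-validate the artifact content before use."""
    return _PR_NUMBER.fullmatch(value) is not None


if __name__ == "__main__":
    print("vulnerable:", parse_github_env(format_env_vulnerable("pr_number", NR_MALICIOUS)))
    print("heredoc:   ", parse_github_env(format_env_safe("pr_number", NR_MALICIOUS)))
    print("valid PR number?", is_pr_number(NR_BENIGN), is_pr_number(NR_MALICIOUS))
```

The vulnerable form leaves `pr_number` looking correct (`1234`) while also defining NODE_OPTIONS, which is what makes the injection easy to miss in later jobs. The heredoc form parses the whole malicious content as the single value of `pr_number`, which is inert as an environment variable, and the `is_pr_number` check rejects it before it is exported at all. Use both: the delimiter protects the file format, the allowlist protects whatever consumes the value next.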
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-48861 | Mint HTTP/1 request-line CRLF injection vulnerability | mint | - | - | 2026-06-02
CVE-2026-45372 | cpp-httplib environment issue vulnerability | cpp-httplib | 9.9 | Critical | 2026-05-29
CVE-2026-49130 | Music Player Daemon security vulnerability | MPD | 5.3 | Medium | 2026-05-28
CVE-2026-46740 | Mojolicious::Plugin::Statsd security vulnerability | Mojolicious::Plugin::Statsd | - | - | 2026-05-26
CVE-2026-44214 | eventsource-encoder injection vulnerability | eventsource-encoder | 5.8 | Medium | 2026-05-26
CVE-2026-47072 | Hackney security vulnerability | hackney | - | - | 2026-05-25
CVE-2026-47075 | Hackney security vulnerability | hackney | - | - | 2026-05-25
CVE-2026-47069 | Hackney security vulnerability | hackney | - | - | 2026-05-25
CVE-2026-8788 | Net::Statsd::Lite injection vulnerability | Net::Statsd::Lite | - | - | 2026-05-18
CVE-2026-46720 | Net::Statsd::Tiny injection vulnerability | Net::Statsd::Tiny | - | - | 2026-05-17
CVE-2026-46719 | Net::Statsd::Lite injection vulnerability | Net::Statsd::Lite | - | - | 2026-05-16
CVE-2026-32993 | cPanel injection vulnerability | cPanel | 8.3 | High | 2026-05-13
CVE-2026-42586 | Netty injection vulnerability | netty | 6.8 | Medium | 2026-05-13
CVE-2026-35504 | Subnet Solutions PowerSYSTEM Center injection vulnerability | PowerSYSTEM Center 2020 | 5.5 | Medium | 2026-05-12
CVE-2026-44217 | sse-channel injection vulnerability | sse-channel | - | - | 2026-05-12
CVE-2026-43882 | WWBN AVideo injection vulnerability | AVideo | 4.3 | Medium | 2026-05-11
CVE-2026-43968 | Cowlib injection vulnerability | cowlib | - | - | 2026-05-11
CVE-2026-43969 | Cowlib injection vulnerability | cowlib | - | - | 2026-05-11
CVE-2026-42257 | Net::IMAP command injection vulnerability | net-imap | 6.5 | - | 2026-05-09
CVE-2026-41570 | PHPUnit argument injection vulnerability | phpunit | 7.8 | High | 2026-05-08
CVE-2026-41417 | Netty injection vulnerability | netty | 5.3 | Medium | 2026-05-06
CVE-2026-39849 | Pi-hole injection vulnerability | FTL | 8.8 | - | 2026-05-05
CVE-2026-34458 | Sandboxie-Plus injection vulnerability | Sandboxie | 7.8 | - | 2026-05-05
CVE-2026-5140 | Pardus injection vulnerability | Pardus Update | 8.8 | High | 2026-04-29
CVE-2026-42037 | Axios injection vulnerability | axios | 5.3 | Medium | 2026-04-24
CVE-2026-41230 | Froxlor injection vulnerability | froxlor | 8.5 | High | 2026-04-23
CVE-2026-2717 | WordPress plugin HTTP Headers injection vulnerability | HTTP Headers | 5.5 | Medium | 2026-04-22
CVE-2026-32964 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 6.5 | Medium | 2026-04-20
CVE-2026-6351 | Openfind MailGates and Openfind MailAudit security vulnerability | MailGates | 7.5 | High | 2026-04-16
CVE-2026-2400 | Schneider Electric PowerChute Serial Shutdown injection vulnerability | PowerChute™ Serial Shutdown | 4.5 | - | 2026-04-14

CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) is a common weakness class; this platform lists 107 CVEs associated with it.