CWE-184(Incomplete List of Disallowed Inputs)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-48557 | 2026-05-29 | Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-ext… |
| CVE-2026-44287 | 2026-05-29 | FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.te… |
| CVE-2026-44463 | 2026-05-28 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., … |
| CVE-2026-44462 | 2026-05-28 | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted… |
| CVE-2026-45037 | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without v… |
| CVE-2026-42590 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary … |
| CVE-2026-40893 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames th… |
| CVE-2026-43929 | 2026-05-12 | ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address i… |
| CVE-2026-43991 | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument construc… |
| CVE-2026-45006 | 2026-05-11 | OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration … |
| CVE-2026-44993 | 2026-05-11 | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enfor… |
| CVE-2026-44115 | 2026-05-06 | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell exp… |
| CVE-2026-44114 | 2026-05-06 | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious … |
| CVE-2026-43584 | 2026-05-06 | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup v… |
| CVE-2026-43578 | 2026-05-06 | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can … |
| CVE-2026-41934 | 2026-05-06 | Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insu… |
| CVE-2026-43566 | 2026-05-05 | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can explo… |
| CVE-2026-43532 | 2026-05-05 | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media refe… |
| CVE-2026-42435 | 2026-05-05 | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attacke… |
| CVE-2026-42427 | 2026-04-28 | OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. A… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | 1.0 | — | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Detection_Factors, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Observed_Examples |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Description, Other_Notes, Relationship_Notes, Time_of_Introduction |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Relationships |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Demonstrative_Examples |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated References, Related_Attack_Patterns, Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Demonstrative_Examples, Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Potential_Mitigations, Related_Attack_Patterns |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, References |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Observed_Examples, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Alternate_Terms, Description, Detection_Factors, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Alternate_Terms, Observed_Examples |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-07-16 | CWE Content Team | 4.15 | — | updated Observed_Examples |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Common_Consequences, Description, Diagram, Modes_of_Introduction |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples |