CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-175 · CAPEC-201 · CAPEC-228 · CAPEC-251 · CAPEC-252 · CAPEC-253 · CAPEC-263 · CAPEC-538 · CAPEC-549 · CAPEC-640 · CAPEC-660 · CAPEC-695 · CAPEC-698
CVEs mapped to this weakness (143)
page 1 of 8| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34074 | Cri | 0.70 | — | 0.01 | Jul 2, 2025 | An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an… | ||
| CVE-2004-0285 | Cri | 0.67 | 9.8 | 0.08 | Nov 23, 2004 | PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. | ||
| CVE-2004-0030 | Cri | 0.67 | 9.8 | 0.07 | Jan 20, 2004 | PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server… | ||
| CVE-2025-70974 | Cri | 0.65 | 10.0 | 0.01 | Jan 9, 2026 | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection… | ||
| CVE-2025-34060 | — | Cri | 0.65 | — | 0.01 | Jul 1, 2025 | A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation.… | |
| CVE-2025-11023 | Cri | 0.64 | 9.8 | 0.01 | Oct 23, 2025 | Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue… | ||
| CVE-2024-49649 | Cri | 0.64 | 9.8 | 0.01 | Jan 7, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23. | ||
| CVE-2023-4488 | Cri | 0.64 | 9.8 | 0.01 | Oct 20, 2023 | The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code… | ||
| CVE-2017-5397 | Cri | 0.64 | 9.8 | 0.03 | Jun 11, 2018 | The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by… | ||
| CVE-2017-1376 | Cri | 0.64 | 9.8 | 0.03 | Aug 29, 2017 | A flaw in the IBM J9 VM class verifier allows untrusted code to disable the security manager and elevate its privileges. IBM X-Force ID: 126873. | ||
| CVE-2010-2076 | Cri | 0.64 | 9.8 | 0.10 | Aug 19, 2010 | Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read… | ||
| CVE-2026-47174 | Cri | 0.62 | — | 0.00 | Jun 11, 2026 | In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull… | ||
| CVE-2026-47172 | Cri | 0.62 | — | 0.00 | Jun 11, 2026 | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy… | ||
| CVE-2026-22208 | Cri | 0.62 | 9.6 | 0.01 | Feb 17, 2026 | OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing… | ||
| CVE-2025-36852 | Cri | 0.61 | — | 0.00 | Jun 10, 2025 | A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those using Amazon S3, Google Cloud Storage, or similar object storage) that allows any contributor with pull request privileges to inject… | ||
| CVE-2025-27510 | Cri | 0.61 | — | 0.01 | Mar 4, 2025 | conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor,… | ||
| CVE-2023-2249 | Hig | 0.61 | 8.8 | 0.61 | Jun 9, 2023 | The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being… | ||
| CVE-2018-15486 | Cri | 0.59 | 9.1 | 0.02 | Sep 7, 2018 | An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02. | ||
| CVE-2026-6859 | Hig | 0.57 | 8.8 | 0.00 | Apr 22, 2026 | A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a… | ||
| CVE-2024-32011 | Hig | 0.57 | 8.8 | 0.00 | Nov 11, 2025 | A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to run arbitrary commands via the user interface. This user interface can be used via the network and allows the execution of commands as… |
- risk 0.70cvss —epss 0.01
An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an…
- risk 0.67cvss 9.8epss 0.08
PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter.
- risk 0.67cvss 9.8epss 0.07
PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server…
- risk 0.65cvss 10.0epss 0.01
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection…
- risk 0.65cvss —epss 0.01
A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation.…
- risk 0.64cvss 9.8epss 0.01
Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ArkSigner Software and Hardware Inc. AcBakImzala allows PHP Local File Inclusion. This issue…
- risk 0.64cvss 9.8epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-online allows PHP Local File Inclusion.This issue affects Build App Online: from n/a through <= 1.0.23.
- risk 0.64cvss 9.8epss 0.01
The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code…
- risk 0.64cvss 9.8epss 0.03
The cache directory on the local file system is set to be world writable. Firefox defaults to extracting libraries from this cache. This allows for the possibility of an installed malicious application or tools with write access to the file system to replace files used by…
- risk 0.64cvss 9.8epss 0.03
A flaw in the IBM J9 VM class verifier allows untrusted code to disable the security manager and elevate its privileges. IBM X-Force ID: 126873.
- risk 0.64cvss 9.8epss 0.10
Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read…
- risk 0.62cvss —epss 0.00
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull…
- risk 0.62cvss —epss 0.00
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy…
- risk 0.62cvss 9.6epss 0.01
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing…
- risk 0.61cvss —epss 0.00
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those using Amazon S3, Google Cloud Storage, or similar object storage) that allows any contributor with pull request privileges to inject…
- risk 0.61cvss —epss 0.01
conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the PyPi repository nor registered by any entity. If conda-oci-mirror is taken over by a threat actor,…
- risk 0.61cvss 8.8epss 0.61
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forgery, and PHAR Deserialization in versions up to, and including, 2.1.7. This is due to the insecure use of file_get_contents without appropriate verification of the data being…
- risk 0.59cvss 9.1epss 0.02
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02.
- risk 0.57cvss 8.8epss 0.00
A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a…
- risk 0.57cvss 8.8epss 0.00
A vulnerability has been identified in Spectrum Power 4 (All versions < V4.70 SP12 Update 2). The affected application is vulnerable to run arbitrary commands via the user interface. This user interface can be used via the network and allows the execution of commands as…