CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-175 · CAPEC-201 · CAPEC-228 · CAPEC-251 · CAPEC-252 · CAPEC-253 · CAPEC-263 · CAPEC-538 · CAPEC-549 · CAPEC-640 · CAPEC-660 · CAPEC-695 · CAPEC-698
CVEs mapped to this weakness (143)
Page 4 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-43571 | | High | 0.50 | 8.8 | 0.00 | | May 5, 2026 | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust… |
| CVE-2026-43569 | | High | 0.50 | 8.8 | 0.00 | | May 5, 2026 | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are… |
| CVE-2026-42089 | | High | 0.49 | 8.6 | 0.00 | | Jun 16, 2026 | Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream… |
| CVE-2026-8879 | | High | 0.49 | 7.5 | 0.00 | | Jun 3, 2026 | Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all… |
| CVE-2020-36905 | | High | 0.49 | 7.5 | 0.00 | | Jan 6, 2026 | FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user… |
| CVE-2025-27582 | | High | 0.49 | 7.6 | 0.00 | | Jul 14, 2025 | The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the… |
| CVE-2025-39507 | | High | 0.49 | 7.5 | 0.01 | | May 16, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through < 6.4.4. |
| CVE-2024-48336 | | High | 0.49 | 8.4 | 0.01 | | Nov 4, 2024 | The install() function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional privileges to silently execute arbitrary code in the Magisk app and escalate privileges… |
| CVE-2024-49243 | | High | 0.49 | 7.5 | 0.00 | | Oct 18, 2024 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ramjon27 Dynamic Elementor Addons dynamic-elementor-addons allows PHP Local File Inclusion. This issue affects Dynamic Elementor Addons: from n/a through <=… |
| CVE-2024-3043 | | High | 0.49 | 7.5 | 0.01 | | Jun 27, 2024 | An unauthenticated IEEE 802.15.4 'co-ordinator realignment' packet can be used to force Zigbee nodes to change their network identifier (pan ID), leading to a denial of service. This packet type is not useful in production and should be used only for PHY qualification. |
| CVE-2026-46529 | | High | 0.48 | — | 0.01 | | Jun 10, 2026 | Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into… |
| CVE-2026-43940 | | High | 0.48 | 8.4 | 0.00 | | May 8, 2026 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any… |
| CVE-2026-32920 | | High | 0.48 | 8.4 | 0.00 | | Mar 31, 2026 | OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute… |
| CVE-2018-1000502 | | High | 0.47 | 7.2 | 0.01 | | Jun 26, 2018 | MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be… |
| CVE-2026-11269 | | High | 0.46 | 7.1 | 0.00 | | Jun 5, 2026 | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low) |
| CVE-2026-44358 | | High | 0.46 | 8.2 | 0.00 | | May 28, 2026 | Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path… |
| CVE-2026-43003 | | High | 0.45 | 8.0 | 0.01 | | May 1, 2026 | An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image. |
| CVE-2026-52858 | | High | 0.44 | 7.8 | 0.00 | | Jun 11, 2026 | Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and… |
| CVE-2026-41396 | | High | 0.44 | 7.8 | 0.00 | | Apr 28, 2026 | OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin… |
| CVE-2026-41336 | | High | 0.44 | 7.8 | 0.00 | | Apr 23, 2026 | OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code. |