CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Description
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-175 · CAPEC-201 · CAPEC-228 · CAPEC-251 · CAPEC-252 · CAPEC-253 · CAPEC-263 · CAPEC-538 · CAPEC-549 · CAPEC-640 · CAPEC-660 · CAPEC-695 · CAPEC-698
CVEs mapped to this weakness (143)
page 7 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-59828 | — | — | 0.00 | — | 0.00 | — | Sep 24, 2025 | Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be… |
| CVE-2025-59535 | — | — | 0.00 | — | 0.00 | — | Sep 22, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this… |
| CVE-2024-29073 | — | — | 0.00 | — | 0.11 | — | Jul 22, 2024 | A vulnerability in the handling of LaTeX exists in Ankitects Anki 24.04. When LaTeX is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many LaTeX distributions, has been overlooked. A specially crafted flashcard can lead to an… |
| CVE-2024-38537 | — | — | 0.00 | — | 0.01 | — | Jul 2, 2024 | Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support… |
| CVE-2024-28184 | — | — | 0.00 | — | 0.01 | — | Mar 9, 2024 | WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This… |
| CVE-2024-24821 | — | — | 0.00 | — | 0.00 | — | Feb 8, 2024 | Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may… |
| CVE-2022-31021 | — | — | 0.00 | — | 0.00 | — | Jan 16, 2024 | Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key… |
| CVE-2023-41267 | — | — | 0.00 | — | 0.00 | — | Sep 14, 2023 | In the Apache Airflow HDFS Provider, versions prior to 4.1.1, the documentation pointed users to install an incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package… |
| CVE-2022-4134 | — | — | 0.00 | — | 0.00 | — | Mar 6, 2023 | A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images. |
| CVE-2022-41709 | — | — | 0.00 | — | 0.00 | — | Oct 19, 2022 | Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled. |
| CVE-2021-4229 | — | — | 0.00 | — | 0.01 | — | May 24, 2022 | A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the crypto mining component which introduces a backdoor. Upgrading to version 0.7.30, 0.8.1 and 1.0.1 is able to address this issue. It is recommended to upgrade the… |
| CVE-2022-24329 | — | — | 0.00 | — | 0.02 | — | Feb 25, 2022 | In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. |
| CVE-2021-3603 | — | — | 0.00 | — | 0.02 | — | Jun 17, 2021 | PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the $patternselect parameter to validateAddress() is set to 'php' (the default, defined by… |
| CVE-2021-28162 | — | — | 0.00 | — | 0.01 | — | Mar 12, 2021 | In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so JavaScript code can run. |
| CVE-2021-20187 | — | — | 0.00 | — | 0.02 | — | Jan 28, 2021 | It was found in Moodle before versions 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication. |
| CVE-2021-26272 | — | — | 0.00 | — | 0.02 | — | Jan 26, 2021 | It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin). |
| CVE-2020-5295 | — | — | 0.00 | — | 0.07 | — | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets`… |
| CVE-2020-8128 | — | — | 0.00 | — | 0.03 | — | Feb 14, 2020 | Unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code. |
| CVE-2019-8154 | — | — | 0.00 | — | 0.02 | — | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update. |
| CVE-2019-5479 | — | — | 0.00 | — | 0.01 | — | Sep 3, 2019 | An unintended require vulnerability in larvitbase-api before v0.5.5 may allow an attacker to load arbitrary non-production code (JavaScript file). |