VYPR

CWE-913

Improper Control of Dynamically-Managed Code Resources

ClassIncomplete

Description

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

Hierarchy (View 1000)

CVEs mapped to this weakness (63)

page 1 of 4
  • CVE-2006-7079CriMar 2, 2007
    risk 0.68cvss 9.8epss 0.13

    Variable extraction vulnerability in include/common.php in exV2 2.0.4.3 and earlier allows remote attackers to overwrite arbitrary program variables and conduct directory traversal attacks to execute arbitrary code by modifying the $xoopsOption['pagetype'] variable.

  • CVE-2017-3202CriJun 11, 2018
    risk 0.64cvss 9.8epss 0.08

    The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this…

  • CVE-2014-9852CriMar 17, 2017
    risk 0.64cvss 9.8epss 0.03

    distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors.

  • CVE-2026-34156CriMar 31, 2026
    risk 0.63cvss 9.9epss 0.36

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by…

  • CVE-2026-48700CriMay 22, 2026
    risk 0.60cvss epss 0.00

    An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user…

  • CVE-2026-47208CriJun 12, 2026
    risk 0.58cvss 10.0epss 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in…

  • CVE-2026-47137CriJun 12, 2026
    risk 0.58cvss 10.0epss 0.00

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require…

  • CVE-2026-47131CriJun 12, 2026
    risk 0.58cvss 10.0epss 0.00

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor…

  • CVE-2026-47210CriJun 12, 2026
    risk 0.57cvss 9.8epss 0.01

    vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising /…

  • CVE-2026-40217HigApr 10, 2026
    risk 0.57cvss 8.8epss 0.01

    LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.

  • CVE-2025-13426HigDec 5, 2025
    risk 0.57cvss epss 0.00

    A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the…

  • CVE-2026-44336CriMay 8, 2026
    risk 0.55cvss 9.6epss 0.01

    PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and…

  • CVE-2017-3200HigJun 11, 2018
    risk 0.53cvss 8.1epss 0.06

    The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends…

  • CVE-2026-53753criJun 16, 2026
    risk 0.52cvss epss 0.00

    ### Summary The `_safe_eval_expression()` function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (`gi_frame`, `f_back`, `f_builtins`) do NOT start with underscore, enabling…

  • CVE-2026-7381CriApr 29, 2026
    risk 0.52cvss 9.1epss 0.00

    Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is not considered in the middleware…

  • CVE-2025-54065HigDec 3, 2025
    risk 0.51cvss 7.9epss 0.00

    GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control…

  • CVE-2012-2055HigApr 5, 2012
    risk 0.49cvss 7.5epss 0.02

    GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment"…

  • CVE-2024-27758HigMar 12, 2024
    risk 0.48cvss 8.4epss 0.01

    In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.

  • CVE-2026-48775MedJun 16, 2026
    risk 0.44cvss 6.8epss 0.00

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where…

  • CVE-2026-5251MedApr 1, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is…