VYPR

CWE-913

Improper Control of Dynamically-Managed Code Resources

Abstraction: Class; Status: Incomplete

Description

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.
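The weakness in one concrete form, as an added example that is not code from this page or from any of the projects listed below: a recursive settings merge in Node.js, the pattern behind the prototype-pollution entries further down, lets a JSON key named `__proto__` steer a write onto `Object.prototype`, so every object in the process inherits the attacker's value. The hardened version beside it refuses the three names that address the prototype chain and only recurses into plain objects the target actually owns. The payload, the `isAdmin` flag and the function names are constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the page or any listed project): a recursive "merge settings"
// helper of the kind behind the prototype-pollution CVEs on this page, beside a hardened
// version. PAYLOAD, `isAdmin` and the function names are constructed for the demo.

// Constructed attacker input, e.g. the JSON body of a settings update. JSON.parse turns
// "__proto__" into an ordinary OWN property of the result, so Object.keys() lists it.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// VULNERABLE (CWE-913 / CWE-1321): walks whatever key the input names. For "__proto__",
// `target[key]` hits the inherited accessor and resolves to Object.prototype, so the
// recursion writes `isAdmin` onto the prototype shared by every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse the names that address the prototype chain, recurse only into a plain
// object that target OWNS (never into something reached through an accessor), and treat
// only plain objects as containers so arrays, functions and class instances are copied by
// reference instead of being walked into.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe: does a brand-new, empty object inherit the attacker's flag?
function freshObjectIsAdmin() {
  return ({}).isAdmin === true;
}

function runDemo() {
  const results = {};
  try {
    unsafeMerge({}, JSON.parse(PAYLOAD));
    results.unsafePollutes = freshObjectIsAdmin();      // true
  } finally {
    delete Object.prototype.isAdmin;                    // undo the process-wide damage
  }
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  results.safePollutes = freshObjectIsAdmin();          // false
  results.safeKeepsTheme = merged.theme === 'dark';     // true: benign keys survive
  results.safeDropsProto = !Object.prototype.hasOwnProperty.call(merged, '__proto__'); // true
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

Running the file with `node` prints the result object. Freezing `Object.prototype` at startup, or starting Node with `--disable-proto=delete`, is worthwhile defence in depth, but neither replaces the key check: a write that reaches the prototype through `constructor.prototype` never touches the `__proto__` accessor at all.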

Hierarchy (View 1000)

CVEs mapped to this weakness (63)

page 3 of 4
  • CVE-2025-31674 (Mar 31, 2025)
    risk 0.00, cvss n/a, epss 0.01

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

  • CVE-2024-40637 (Jul 16, 2024)
    risk 0.00, cvss n/a, epss 0.00

    dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is…

  • CVE-2024-37014 (Jun 10, 2024)
    risk 0.00, cvss n/a, epss 0.01

    Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.

  • CVE-2024-5452 (Jun 6, 2024)
    risk 0.00, cvss n/a, epss 0.26

    A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to…

  • CVE-2023-5763 (Nov 3, 2023)
    risk 0.00, cvss n/a, epss 0.01

    In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

  • CVE-2022-4318 (Sep 25, 2023)
    risk 0.00, cvss n/a, epss 0.00

    A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.

  • CVE-2023-37271 (Jul 11, 2023)
    risk 0.00, cvss n/a, epss 0.01

    RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least…

  • CVE-2023-35930 (Jun 26, 2023)
    risk 0.00, cvss n/a, epss 0.00

    SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example,…

  • CVE-2023-33175 (May 30, 2023)
    risk 0.00, cvss n/a, epss 0.01

    ToUI is a Python package for creating user interfaces (websites and desktop apps) from HTML. ToUI is using Flask-Caching (SimpleCache) to store user variables. Websites that use `Website.user_vars` property. It affects versions 2.0.1 to 2.4.0. This issue has been patched in…

  • CVE-2023-29199 (Apr 14, 2023)
    risk 0.00, cvss n/a, epss 0.04

    There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host…

  • CVE-2023-29017 (Apr 6, 2023)
    risk 0.00, cvss n/a, epss 0.63

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections…

  • CVE-2022-43441 (Mar 16, 2023)
    risk 0.00, cvss n/a, epss 0.02

    A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.

  • CVE-2022-3225 (Sep 16, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20.

  • CVE-2022-36067 (Sep 6, 2022)
    risk 0.00, cvss n/a, epss 0.48

    vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in…

  • CVE-2021-23267 (May 16, 2022)
    risk 0.00, cvss n/a, epss 0.01

    Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

  • CVE-2021-23448 (Oct 11, 2021)
    risk 0.00, cvss n/a, epss 0.01

    All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

  • CVE-2021-32813 (Aug 3, 2021)
    risk 0.00, cvss n/a, epss 0.01

    Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a…

  • CVE-2021-25947 (Jun 3, 2021)
    risk 0.00, cvss n/a, epss 0.03

    Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2021-21413 (Mar 30, 2021)
    risk 0.00, cvss n/a, epss 0.01

    isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference…

  • CVE-2021-26276 (Jan 27, 2021)
    risk 0.00, cvss n/a, epss 0.01

    scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data.