CWE-913
Improper Control of Dynamically-Managed Code Resources
Description
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Hierarchy (View 1000)
CVEs mapped to this weakness (63)
Page 3 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31674 | | | 0.00 | — | 0.01 | | Mar 31, 2025 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. |
| CVE-2024-40637 | | | 0.00 | — | 0.00 | | Jul 16, 2024 | dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is… |
| CVE-2024-37014 | | | 0.00 | — | 0.01 | | Jun 10, 2024 | Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script. |
| CVE-2024-5452 | | | 0.00 | — | 0.26 | | Jun 6, 2024 | A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to… |
| CVE-2023-5763 | | — | 0.00 | — | 0.01 | | Nov 3, 2023 | In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. |
| CVE-2022-4318 | | | 0.00 | — | 0.00 | | Sep 25, 2023 | A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable. |
| CVE-2023-37271 | | | 0.00 | — | 0.01 | | Jul 11, 2023 | RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least… |
| CVE-2023-35930 | | | 0.00 | — | 0.00 | | Jun 26, 2023 | SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions. Any user making a negative authorization decision based on the results of a `LookupResources` request with 1.22.0 is affected. For example,… |
| CVE-2023-33175 | | — | 0.00 | — | 0.01 | | May 30, 2023 | ToUI is a Python package for creating user interfaces (websites and desktop apps) from HTML. ToUI is using Flask-Caching (SimpleCache) to store user variables. Websites that use `Website.user_vars` property. It affects versions 2.0.1 to 2.4.0. This issue has been patched in… |
| CVE-2023-29199 | | | 0.00 | — | 0.04 | | Apr 14, 2023 | There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host… |
| CVE-2023-29017 | | | 0.00 | — | 0.63 | | Apr 6, 2023 | vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections… |
| CVE-2022-43441 | | | 0.00 | — | 0.02 | | Mar 16, 2023 | A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability. |
| CVE-2022-3225 | | | 0.00 | — | 0.01 | | Sep 16, 2022 | Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. |
| CVE-2022-36067 | | | 0.00 | — | 0.48 | | Sep 6, 2022 | vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in… |
| CVE-2021-23267 | | | 0.00 | — | 0.01 | | May 16, 2022 | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods. |
| CVE-2021-23448 | | — | 0.00 | — | 0.01 | | Oct 11, 2021 | All versions of package config-handler are vulnerable to Prototype Pollution when loading config files. |
| CVE-2021-32813 | | | 0.00 | — | 0.01 | | Aug 3, 2021 | Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a… |
| CVE-2021-25947 | | — | 0.00 | — | 0.03 | | Jun 3, 2021 | Prototype pollution vulnerability in 'nestie' versions 0.0.0 through 1.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. |
| CVE-2021-21413 | | | 0.00 | — | 0.01 | | Mar 30, 2021 | isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference… |
| CVE-2021-26276 | | — | 0.00 | — | 0.01 | | Jan 27, 2021 | scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data. |
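Several entries above (config-handler, nestie) are prototype pollution, which is the JavaScript shape of this weakness: attacker-controlled keys such as `__proto__` are written into an object graph without restriction and land on `Object.prototype`. The following is an added example, not code from the CWE entry or from any project in the table. It shows a recursive "deep merge" of parsed JSON in its vulnerable form next to a hardened form, plus an input-side check; the payload and all function names are constructed for this illustration.

```javascript
// Added example (not from the CWE page or any listed project): prototype
// pollution via a naive deep merge of attacker-controlled JSON, alongside a
// hardened merge and an input gate. The payload below is constructed.

// Vulnerable: copies every own key of `src` into `dst`, recursing into nested
// objects. It never special-cases "__proto__", so reading dst["__proto__"]
// resolves to Object.prototype and the recursion writes into it. Every plain
// object in the process then inherits the attacker's properties.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (dst[key] === null || typeof dst[key] !== 'object') {
        dst[key] = {};
      }
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that reach into the prototype chain. "constructor" and "prototype" are
// refused as well, because "constructor.prototype.x" is the usual second route.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: fails closed on forbidden keys, only recurses into *own* plain-object
// properties of dst (never an inherited one), and creates nested containers with
// a null prototype so there is no chain left to climb.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-related key "${key}"`);
    }
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') {
        dst[key] = Object.create(null);
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Input-side check: walk parsed JSON and return the dotted path of every key
// that would be refused. Useful as a gate in front of code you cannot change.
function findForbiddenPaths(node, path = []) {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  for (const key of Object.keys(node)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findForbiddenPaths(node[key], here));
  }
  return hits;
}

// Constructed attacker payload: a harmless-looking settings update that
// smuggles an isAdmin flag through "__proto__".
const ATTACK_JSON = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';

// True when the unsafe merge polluted Object.prototype: an unrelated object
// created afterwards inherits isAdmin. Cleans up so the process recovers.
function demoUnsafe() {
  unsafeMerge({}, JSON.parse(ATTACK_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// { rejected, polluted } for the hardened merge on the same payload.
function demoSafe() {
  let rejected = false;
  try {
    safeMerge({}, JSON.parse(ATTACK_JSON));
  } catch (e) {
    rejected = true;
  }
  const unrelated = {};
  return { rejected, polluted: unrelated.isAdmin === true };
}

// A benign nested merge still behaves as expected with the hardened version.
function demoBenign() {
  return JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: 3 }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge polluted Object.prototype:', demoUnsafe());
  console.log('safe merge:', demoSafe());
  console.log('benign merge:', demoBenign());
  console.log('forbidden paths:', findForbiddenPaths(JSON.parse(ATTACK_JSON)));
}
```

The hardened merge throws rather than silently dropping the key: a `__proto__` key in a settings payload is not a formatting accident, and failing closed makes the attempt visible to logging and alerting. `Object.create(null)` for new containers matters on its own, since an object with no prototype has no `__proto__` accessor for a later, less careful code path to reach.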