VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

BaseIncomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (145)

page 1 of 8
  • CVE-2026-34208CriApr 6, 2026
    risk 0.65cvss 10.0epss 0.01

    SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject).…

  • CVE-2025-69691CriMay 8, 2026
    risk 0.64cvss 9.9epss 0.01

    Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

  • CVE-2026-45058CriMay 28, 2026
    risk 0.61cvss epss 0.00

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync…

  • CVE-2025-69690CriMay 8, 2026
    risk 0.59cvss 9.1epss 0.01

    Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are…

  • CVE-2026-33453CriApr 27, 2026
    risk 0.58cvss 10.0epss 0.05

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP…

  • CVE-2025-58367CriSep 5, 2025
    risk 0.58cvss epss 0.01

    DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class pollution via the Delta class constructor, and when combined with a gadget available in DeltaDiff, it can lead to Denial of Service and Remote…

  • CVE-2026-41277HigApr 23, 2026
    risk 0.57cvss 8.8epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore…

  • CVE-2026-5708HigApr 6, 2026
    risk 0.57cvss 8.8epss 0.01

    Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile…

  • CVE-2026-32640CriMar 16, 2026
    risk 0.57cvss 9.8epss 0.00

    SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to SimpleEval have modules or other…

  • CVE-2023-32079HigAug 24, 2023
    risk 0.57cvss 8.8epss 0.01

    Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1,…

  • CVE-2020-28271CriNov 12, 2020
    risk 0.57cvss 9.8epss 0.03

    Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service and may lead to remote code execution.

  • CVE-2026-46441CriJun 8, 2026
    risk 0.55cvss 9.6epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2026-42861CriJun 8, 2026
    risk 0.55cvss 9.6epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties…

  • CVE-2025-14341HigMay 7, 2026
    risk 0.54cvss 8.3epss 0.00

    Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from…

  • CVE-2025-2304CriMar 14, 2025
    risk 0.54cvss epss 0.01

    A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to…

  • CVE-2026-41267HigApr 23, 2026
    risk 0.53cvss 8.1epss 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed…

  • CVE-2025-24370CriFeb 3, 2025
    risk 0.53cvss epss 0.00

    Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to python class pollution vulnerability. The vulnerability arises from the core functionality `set_property_value`, which can be remotely triggered…

  • CVE-2026-48150CriMay 27, 2026
    risk 0.52cvss 9.0epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and…

  • CVE-2026-40569CriApr 21, 2026
    risk 0.52cvss 9.0epss 0.00

    FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings endpoints of FreeScout (`connectionIncomingSave()` at `app/Http/Controllers/MailboxesController.php:468` and…

  • CVE-2026-34179CriApr 9, 2026
    risk 0.52cvss 9.1epss 0.00

    In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker…