VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base | Status: Incomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
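As an added illustration of the weakness described above (example code written for this page, not code from the CWE entry or from any project listed below), the following Python puts the vulnerable pattern, a profile-update handler that copies every key in the request body onto the record, beside a hardened handler that authorizes the caller and then copies only an explicit allow-list of fields. The User record, the role convention (1 = admin) and the attacker payload are assumptions made for illustration.

```python
"""Mass assignment (CWE-915) in a profile-update handler: the vulnerable
pattern copies every key the client sends onto the record; the hardened
pattern accepts only an explicit allow-list and checks who is calling.

Added example, not code from the CWE entry or from any project listed
on this page. The User record, the role numbering (1 = admin) and the
request payloads are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    email: str
    role_id: int = 2           # assumed convention: 1 = admin, 2 = regular user
    workspace_id: int = 10     # tenant the record belongs to; server-controlled
    is_active: bool = True


def update_profile_vulnerable(user: User, body: dict) -> User:
    """Vulnerable: whatever the client sends becomes an attribute.

    A regular user who posts {"role_id": 1} becomes an admin, and
    {"workspace_id": 99} moves the record into another tenant.
    """
    for key, value in body.items():
        setattr(user, key, value)
    return user


# Fields a user may change on their own profile.
SELF_WRITABLE = frozenset({"username", "email"})
# Fields only an admin may change (on any user). id and workspace_id are
# never writable from a request body, whoever the caller is.
ADMIN_WRITABLE = frozenset({"role_id", "is_active"})


def update_profile_hardened(user: User, body: dict, caller: User) -> tuple[User, list[str]]:
    """Hardened: authorize the caller, then copy only allow-listed fields.

    Returns the updated record and the sorted list of rejected keys so the
    handler can log or surface them instead of silently dropping them.
    """
    is_admin = caller.role_id == 1
    if caller.id != user.id and not is_admin:
        raise PermissionError("only an admin may modify another user's profile")

    allowed = SELF_WRITABLE | (ADMIN_WRITABLE if is_admin else frozenset())
    rejected = []
    for key, value in body.items():
        if key in allowed:
            setattr(user, key, value)
        else:
            rejected.append(key)
    return user, sorted(rejected)


# Constructed attacker payload: a legitimate email change bundled with
# privilege and tenant fields the client should never control.
ATTACK_BODY = {"email": "mallory@example.invalid", "role_id": 1, "workspace_id": 99}


def compare() -> dict:
    """Run the same payload through both handlers as the user themself."""
    victim = update_profile_vulnerable(User(7, "mallory", "m@example.invalid"), dict(ATTACK_BODY))
    mallory = User(7, "mallory", "m@example.invalid")
    safe, rejected = update_profile_hardened(mallory, dict(ATTACK_BODY), caller=mallory)
    return {
        "vulnerable_role_id": victim.role_id,            # 1: escalated to admin
        "vulnerable_workspace_id": victim.workspace_id,  # 99: moved to another tenant
        "hardened_role_id": safe.role_id,                # 2: unchanged
        "hardened_workspace_id": safe.workspace_id,      # 10: unchanged
        "hardened_email": safe.email,                    # the one legitimate change
        "rejected": rejected,                            # ["role_id", "workspace_id"]
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The point of returning the rejected keys rather than ignoring them is that a burst of requests carrying role_id or workspace_id is exactly the signal a detection rule wants; the hardened handler never sees those fields as writable, whatever the caller's role, because the allow-list is keyed on the field, not on whether the attribute happens to exist on the object.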

Hierarchy (View 1000)


CVEs mapped to this weakness (145)

page 2 of 8
  • CVE-2026-46517 | High | Jun 10, 2026
    risk 0.51 | CVSS 7.8 | EPSS 0.00

    LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

  • CVE-2026-46480 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46479 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46478 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46477 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46476 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-46475 | High | Jun 8, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2.

  • CVE-2026-45229 | High | May 13, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient…

  • CVE-2026-41139 | High | May 7, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

  • CVE-2026-6912 | High | Apr 24, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted…

  • CVE-2026-40897 | High | Apr 24, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary…

  • CVE-2026-34427 | High | Apr 20, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role_id=1 into profile save requests to escalate to Super…

  • CVE-2026-34406 | High | Mar 31, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edit_user endpoint (POST /api/auth/edituser/) allows Any user who can reach…

  • CVE-2025-15602 | High | Mar 6, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user…

  • CVE-2026-34445 | High | Apr 1, 2026
    risk 0.49 | CVSS 8.6 | EPSS 0.00

    Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file.…

  • CVE-2026-39942 | High | Apr 9, 2026
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite…

  • CVE-2026-42863 | High | Jun 8, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as…

  • CVE-2026-22814 | High | Jan 13, 2026
    risk 0.46 | CVSS n/a | EPSS 0.00

    @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the…

  • CVE-2025-30358 | High | Mar 27, 2025
    risk 0.46 | CVSS 8.1 | EPSS 0.01

    Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability…

  • CVE-2026-54351 | High | Jun 22, 2026
    risk 0.45 | CVSS n/a | EPSS 0.00

    The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by…
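Several entries above describe a second shape of this weakness that is not an HTTP mass-assignment of record fields: data parsed from a file is applied with `setattr()` (the ONNX entry) or reaches class attributes and globals rather than one instance (the Mesop entry). The following Python, added here as an illustration and not code from the CWE entry, ONNX, Mesop or any other listed project, shows a config loader that walks dotted override keys with `getattr()` and assigns with `setattr()`, how a key such as `storage.__class__.allow_remote` pollutes the class default shared by every instance, and a hardened loader that validates the whole dotted key against a declared schema before touching any object. The Config and Storage classes, the override format and the schema are assumptions made for illustration.

```python
"""Attribute pollution through setattr() on parsed data (CWE-915): a
config loader that applies dotted "a.b.c" override keys by walking
getattr() and ending with setattr(), beside a hardened loader that only
accepts keys from a declared schema.

Added example, not code from the CWE entry or from ONNX, Mesop or any
other project listed on this page. The Config/Storage classes, the
override format and the schema are assumptions made for illustration.
"""


class Storage:
    allow_remote = False          # class-level default shared by every instance

    def __init__(self) -> None:
        self.base_path = "/data"


class Config:
    def __init__(self) -> None:
        self.name = "default"
        self.storage = Storage()


def apply_overrides_vulnerable(cfg: Config, overrides: dict) -> None:
    """Vulnerable: any dotted path is walked and assigned, dunders included.

    "storage.__class__.allow_remote" resolves to the Storage class itself,
    so the assignment changes the default for every Storage instance in
    the process, not just this config's (class pollution).
    """
    for dotted, value in overrides.items():
        *path, last = dotted.split(".")
        target = cfg
        for part in path:
            target = getattr(target, part)
        setattr(target, last, value)


def pollution_demo() -> tuple[bool, bool]:
    """Apply an attacker-controlled override to one config and observe the
    effect on an unrelated one. Returns (attacker's value, victim's value)."""
    victim = Config()
    attacker = Config()
    try:
        apply_overrides_vulnerable(attacker, {"storage.__class__.allow_remote": True})
        return attacker.storage.allow_remote, victim.storage.allow_remote   # (True, True)
    finally:
        Storage.allow_remote = False   # undo the pollution so the rest of the process is unaffected


# Declared schema: the only settings a file may override, with the type
# each must have. Nothing outside this table is reachable.
OVERRIDE_SCHEMA = {
    "name": str,
    "storage.base_path": str,
    "storage.allow_remote": bool,
}


def apply_overrides_hardened(cfg: Config, overrides: dict) -> dict:
    """Hardened: look the full dotted key up in the schema before touching
    any object, check the value's type, and assign on the instance only.

    Returns a map of rejected keys to reasons, for logging."""
    rejected = {}
    for dotted, value in overrides.items():
        expected = OVERRIDE_SCHEMA.get(dotted)
        if expected is None:
            rejected[dotted] = "not an overridable setting"
            continue
        if type(value) is not expected:
            rejected[dotted] = f"expected {expected.__name__}, got {type(value).__name__}"
            continue
        *path, last = dotted.split(".")
        target = cfg
        for part in path:
            target = getattr(target, part)    # path is schema-validated, never a dunder
        setattr(target, last, value)          # instance attribute; class default untouched
    return rejected


# Constructed untrusted override set: one valid setting, one class
# pollution attempt and one value of the wrong type.
UNTRUSTED_OVERRIDES = {
    "storage.allow_remote": True,
    "storage.__class__.allow_remote": True,
    "name": 42,
}


def hardened_demo() -> tuple[dict, bool, bool]:
    """Returns (rejected keys, this config's flag, a fresh config's flag)."""
    cfg = Config()
    rejected = apply_overrides_hardened(cfg, UNTRUSTED_OVERRIDES)
    return rejected, cfg.storage.allow_remote, Config().storage.allow_remote


if __name__ == "__main__":
    print("vulnerable (attacker, victim):", pollution_demo())
    print("hardened (rejected, this cfg, fresh cfg):", hardened_demo())
```

The hardened loader checks the complete dotted key against the schema before it resolves a single attribute, which is what keeps `__class__`, `__dict__`, `__init__` and similar segments out of reach; a deny-list of underscore-prefixed names would also stop this particular key, but an allow-list of full paths does not need to anticipate every traversal trick. Assigning on the instance means a permitted `storage.allow_remote` override affects only the config being loaded, not the class default every other instance reads.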