VYPR

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

BaseIncomplete

Description

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Hierarchy (View 1000)

Parents

Children

CVEs mapped to this weakness (145)

page 4 of 8
  • CVE-2026-54515medJun 23, 2026
    risk 0.19cvss epss 0.00

    ## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property…

  • CVE-2025-49597LowJun 13, 2025
    risk 0.18cvss 3.9epss 0.00

    handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an…

  • CVE-2026-23522LowJan 19, 2026
    risk 0.17cvss 3.7epss 0.00

    LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is…

  • CVE-2019-0230Sep 14, 2020
    risk 0.11cvss epss 0.97

    Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

  • CVE-2024-55638Dec 9, 2024
    risk 0.01cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2026-32742Mar 18, 2026
    risk 0.00cvss epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session…

  • CVE-2026-27591Mar 11, 2026
    risk 0.00cvss epss 0.00

    Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions…

  • CVE-2026-31815Mar 10, 2026
    risk 0.00cvss epss 0.00

    Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended…

  • CVE-2026-30822Mar 7, 2026
    risk 0.00cvss epss 0.13

    Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13.

  • CVE-2026-28781Mar 4, 2026
    risk 0.00cvss epss 0.00

    Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request,…

  • CVE-2026-27125Feb 20, 2026
    risk 0.00cvss epss 0.00

    svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype…

  • CVE-2025-68924Jan 16, 2026
    risk 0.00cvss epss 0.01

    In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

  • CVE-2025-66400Dec 1, 2025
    risk 0.00cvss epss 0.00

    mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the…

  • CVE-2025-13081Nov 18, 2025
    risk 0.00cvss epss 0.00

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

  • CVE-2025-31674Mar 31, 2025
    risk 0.00cvss epss 0.01

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

  • CVE-2024-53677Dec 11, 2024
    risk 0.00cvss epss 0.78

    File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts:…

  • CVE-2024-55637Dec 9, 2024
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2024-55636Dec 9, 2024
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of methods that is exploitable when an insecure…

  • CVE-2024-5452Jun 6, 2024
    risk 0.00cvss epss 0.26

    A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to…

  • CVE-2022-43441Mar 16, 2023
    risk 0.00cvss epss 0.02

    A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability.