CWE-829 · Inclusion of Functionality from Untrusted Control Sphere

273 CVEs classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Top CVEs for CWE-829
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-1699 | Critical | 10.0 | 2026-01-30 | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and exec… |
| CVE-2025-70974 | Critical | 10.0 | 2026-01-09 | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may b… |
| CVE-2025-0982 | Critical | 10.0 | 2025-02-06 | Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScr… |
| CVE-2021-41037 | Critical | 10.0 | 2022-07-08 | In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoin… |
| CVE-2022-1161 | Critical | 10.0 | 2022-04-11 | An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5… |
| CVE-2020-4561 | Critical | 10.0 | 2021-06-01 | IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access… |
| CVE-2026-43999 | Critical | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the… |
| CVE-2026-27941 | Critical | 9.9 | 2026-02-26 | OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_r…` |
| CVE-2026-58116 | Critical | 9.8 | 2026-06-30 | LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplyin… |
| CVE-2026-44484 | Critical | 9.8 | 2026-05-14 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a cre… |
| CVE-2025-70046 | Critical | 9.8 | 2026-03-09 | An issue pertaining to CWE-829: Inclusion of Functionality from Untrusted Control Sphere was discovered in Miazzy oa-front-service master. |
| CVE-2026-26974 | Critical | 9.8 | 2026-02-20 | Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports `**/*.plugin.{js,mjs}` files includin… |
| CVE-2026-0770 | Critical | 9.8 | 2026-01-23 | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers… |
| CVE-2025-11023 | Critical | 9.8 | 2025-10-23 | Inclusion of Functionality from Untrusted Control Sphere, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion… |
| CVE-2025-59828 | Critical | 9.8 | 2025-09-24 | Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when… |
| CVE-2025-27668 | Critical | 9.8 | 2025-03-05 | Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Arbitrary Content Inclusion via Iframe OVE-20230524-00… |
| CVE-2024-49649 | Critical | 9.8 | 2025-01-07 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online build-app-… |
| CVE-2024-38476 | Critical | 9.8 | 2024-07-01 | A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier makes it vulnerable to information disclosure, SSRF or local script execution via backend application… |
| CVE-2023-4488 | Critical | 9.8 | 2023-10-20 | The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows… |
| CVE-2022-24119 | Critical | 9.8 | 2022-12-26 | Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET… |