CWE-913 · Improper Control of Dynamically-Managed Code Resources
92 CVEs classified under CWE-913 (Improper Control of Dynamically-Managed Code Resources). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-47208 | Critical | 10.0 | 2026-06-12 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code w… |
| CVE-2026-47137 | Critical | 10.0 | 2026-06-12 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 26… |
| CVE-2026-47131 | Critical | 10.0 | 2026-06-12 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.cal… |
| CVE-2026-23830 | Critical | 10.0 | 2026-01-28 | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `Sandbo… |
| CVE-2023-29017 | Critical | 10.0 | 2023-04-06 | vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects pass… |
| CVE-2022-36067 | Critical | 10.0 | 2022-09-06 | vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandb… |
| CVE-2026-34156 | Critical | 9.9 | 2026-03-31 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow S… |
| CVE-2026-25049 | Critical | 9.9 | 2026-02-04 | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows c… |
| CVE-2025-68613 | Critical | 9.9 | 2025-12-19 | n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Ex… |
| CVE-2026-53753 | Critical | 9.8 | 2026-06-23 | Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST… |
| CVE-2026-47210 | Critical | 9.8 | 2026-06-12 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host proces… |
| CVE-2026-22709 | Critical | 9.8 | 2026-01-26 | vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be b… |
| CVE-2025-25270 | Critical | 9.8 | 2025-07-08 | An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations. |
| CVE-2024-8953 | Critical | 9.8 | 2025-03-20 | In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to… |
| CVE-2024-5452 | Critical | 9.8 | 2024-06-06 | A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user in… |
| CVE-2023-43177 | Critical | 9.8 | 2023-11-18 | CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. |
| CVE-2023-4041 | Critical | 9.8 | 2023-08-23 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon… |
| CVE-2023-29199 | Critical | 9.8 | 2023-04-14 | There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleEx… |
| CVE-2022-44000 | Critical | 9.8 | 2022-11-16 | An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system comma… |
| CVE-2021-22387 | Critical | 9.8 | 2021-08-02 | There is an Improper Control of Dynamically Managing Code Resources Vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may allow… |