CWE-915 · Improperly Controlled Modification of Dynamically-Determined Object Attributes

119 CVEs classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

Top CVEs for CWE-915
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2026-33453 | Critical | 10.0 | 2026-04-27 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap c… |
| CVE-2026-34208 | Critical | 10.0 | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this p… |
| CVE-2026-56142 | Critical | 9.9 | 2026-06-19 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authenticatio… |
| CVE-2025-69691 | Critical | 9.9 | 2026-05-08 | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available… |
| CVE-2026-27591 | Critical | 9.9 | 2026-03-11 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed auth… |
| CVE-2026-33228 | Critical | 9.8 | 2026-03-20 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as di… |
| CVE-2026-32640 | Critical | 9.8 | 2026-03-16 | SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through… |
| CVE-2026-29063 | Critical | 9.8 | 2026-03-06 | Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via th… |
| CVE-2024-55638 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before… |
| CVE-2024-55637 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 b… |
| CVE-2024-55636 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 b… |
| CVE-2024-5452 | Critical | 9.8 | 2024-06-06 | A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user in… |
| CVE-2026-46441 | Critical | 9.6 | 2026-06-08 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the… |
| CVE-2026-42861 | Critical | 9.6 | 2026-06-08 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the… |
| CVE-2026-22783 | Critical | 9.6 | 2026-01-12 | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore fil… |
| CVE-2025-69690 | Critical | 9.1 | 2026-05-08 | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_command… |
| CVE-2026-34179 | Critical | 9.1 | 2026-04-09 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH re… |
| CVE-2025-68109 | Critical | 9.1 | 2025-12-17 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file exte… |
| CVE-2024-0404 | Critical | 9.1 | 2024-04-16 | A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high… |
| CVE-2026-48150 | Critical | 9.0 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user w… |