CWE-915 · Improperly Controlled Modification of Dynamically-Determined Object Attributes
119 CVEs classified under CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33453 | Critical | 10.0 | 2026-04-27 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap c… |
| CVE-2026-34208 | Critical | 10.0 | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this p… |
| CVE-2026-56142 | Critical | 9.9 | 2026-06-19 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authenticatio… |
| CVE-2025-69691 | Critical | 9.9 | 2026-05-08 | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available… |
| CVE-2026-27591 | Critical | 9.9 | 2026-03-11 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed auth… |
| CVE-2026-33228 | Critical | 9.8 | 2026-03-20 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as di… |
| CVE-2026-32640 | Critical | 9.8 | 2026-03-16 | SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through… |
| CVE-2026-29063 | Critical | 9.8 | 2026-03-06 | Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via th… |
| CVE-2024-55638 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before… |
| CVE-2024-55637 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 b… |
| CVE-2024-55636 | Critical | 9.8 | 2024-12-10 | Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 b… |
| CVE-2024-5452 | Critical | 9.8 | 2024-06-06 | A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user in… |
| CVE-2026-46441 | Critical | 9.6 | 2026-06-08 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the… |
| CVE-2026-42861 | Critical | 9.6 | 2026-06-08 | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the… |
| CVE-2026-22783 | Critical | 9.6 | 2026-01-12 | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore fil… |
| CVE-2025-69690 | Critical | 9.1 | 2026-05-08 | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_command… |
| CVE-2026-34179 | Critical | 9.1 | 2026-04-09 | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH re… |
| CVE-2025-68109 | Critical | 9.1 | 2025-12-17 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file exte… |
| CVE-2024-0404 | Critical | 9.1 | 2024-04-16 | A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high… |
| CVE-2026-48150 | Critical | 9.0 | 2026-05-27 | Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user w… |