CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes
95 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-915 (page 1 of 2)
- CVE-2018-11135 | HIGH | CVSS 8.8 | EG 7.5 | 2018-05-31
The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.
- CVE-2018-6195 | HIGH | CVSS 7.2 | EG 7.2 | 2018-01-30
admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via…
- CVE-2019-9057 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.
- CVE-2019-9058 | HIGH | CVSS 7.2 | EG 7.2 | 2019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.
- CVE-2020-11066 | HIGH | CVSS 8.7 | EG 8.7 | 2020-05-14
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object …
- CVE-2020-11872 | HIGH | CVSS 7.5 | EG 7.5 | 2020-04-17
The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication attacks by making billions of TempID requests before an AES-256-GCM key rotation occurs.
- CVE-2020-24036 | HIGH | CVSS 8.8 | EG 8.8 | 2021-03-04
PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
- CVE-2020-28269 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-12
Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
- CVE-2020-7616 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-04-07
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creatio…
- CVE-2020-7617 | MEDIUM | CVSS 4.4 | EG 9.8 | 2020-04-02
ini-parser through 0.0.2 is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.
- CVE-2020-7644 | HIGH | CVSS 8.1 | EG 8.1 | 2020-04-28
fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
- CVE-2020-7679 | HIGH | CVSS 7.3 | EG 7.3 | 2020-06-19
In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.
- CVE-2020-7702 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-08-17
All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.
- CVE-2020-7703 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-08-17
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
- CVE-2021-21297 | HIGH | CVSS 7.7 | EG 7.7 | 2021-02-26
Node-RED is a low-code programming tool for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default J…
- CVE-2021-21304 | HIGH | CVSS 7.2 | EG 7.2 | 2021-02-08
Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method i…
- CVE-2021-21368 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-03-12
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns t…
- CVE-2021-23402 | HIGH | CVSS 7.3 | EG 7.3 | 2021-07-02
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23417 | MEDIUM | CVSS 5.6 | EG 5.6 | 2021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
- CVE-2021-23421 | MEDIUM | CVSS 5.6 | EG 9.8 | 2021-08-11
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
- CVE-2021-23452 | HIGH | CVSS 8.6 | EG 8.6 | 2021-10-20
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.
- CVE-2021-25945 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-26
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25948 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-10
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-27582 | CRITICAL | CVSS 9.1 | EG 9.1 | 2021-02-23
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAt…
- CVE-2021-32807 | MEDIUM | CVSS 4.4 | EG 4.4 | 2021-07-30
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. T…
- CVE-2021-32811 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-02
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.…
- CVE-2022-24802 | HIGH | CVSS 8.1 | EG 8.1 | 2022-04-01
deepmerge-ts is a TypeScript library for deep merging of JavaScript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in ver…
- CVE-2022-2625 | HIGH | CVSS 8.0 | EG 8.0 | 2022-08-18
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and…
- CVE-2022-31106 | HIGH | CVSS 8.3 | EG 8.3 | 2022-06-28
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and …
- CVE-2022-4068 | MEDIUM | CVSS 5.4 | EG 5.4 | 2022-11-20
A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an a…
- CVE-2022-43441 | HIGH | CVSS 8.1 | EG 8.1 | 2023-03-16
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trig…
- CVE-2022-48359 | HIGH | CVSS 7.5 | EG 7.5 | 2023-03-27
The recovery mode for updates has a vulnerability that causes arbitrary disk modification. Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2023-0574 | MEDIUM | CVSS 6.8 | EG 9.8 | 2023-02-09
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing…
- CVE-2023-32079 | HIGH | CVSS 8.8 | EG 8.8 | 2023-08-24
Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixe…
- CVE-2023-39983 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-09-02
A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to reg…
- CVE-2024-0404 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-04-16
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the …
- CVE-2024-10359 | MEDIUM | CVSS 4.6 | EG 4.6 | 2025-03-20
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the …
- CVE-2024-3283 | HIGH | CVSS 7.2 | EG 7.2 | 2024-04-10
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level use…
- CVE-2024-5452 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-06
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The librar…
- CVE-2024-55636 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55637 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55638 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods th…
- CVE-2024-57708 | MEDIUM | CVSS 5.7 | EG 5.7 | 2025-06-25
An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype poll…
- CVE-2025-13081 | MEDIUM | CVSS 5.9 | EG 5.9 | 2025-11-18
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 bef…
- CVE-2025-14341 | HIGH | CVSS 8.3 | EG 8.3 | 2026-05-07
Improperly Controlled Modification of Dynamically-Determined Object Attributes, Allocation of Resources Without Limits or Throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding…
- CVE-2025-2304 | CRITICAL | CVSS 9.4 | EG 0.0 | 2025-03-14
A Privilege Escalation through a Mass Assignment exists in Camaleon CMS. When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! …
- CVE-2025-24370 | CRITICAL | CVSS 9.3 | EG 0.0 | 2025-02-03
Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to a Python class pollution vulnerability. The vulnerability arises from the core functionality `set_property…
- CVE-2025-30358 | HIGH | CVSS 8.1 | EG 8.1 | 2025-03-27
Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules…
- CVE-2025-31674 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-31
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 be…
- CVE-2025-49597 | LOW | CVSS 3.9 | EG 3.9 | 2025-06-13
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deseri…
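Roughly half of the entries above (the deep-merge helpers, the `set`/`setValue`/`assocInM` style path setters, msgpack5's map decoding, Node-RED's admin API) share one root cause: a generic object writer walks attacker-controlled keys and will descend through `__proto__` or `constructor.prototype` into `Object.prototype`, after which every object in the process inherits the injected property. The block below is an added example, not code from this page or from any of the listed packages. The helper names, the `isAdmin` property and the JSON payloads are constructed for the demonstration; each vulnerable helper is shown beside a hardened form.

```javascript
// Added example (not from the page or any of the listed packages): a deep
// merge and a dotted-path setter in the style of the affected helpers, each
// in a vulnerable and a hardened form. All payloads are constructed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge: for...in visits the own "__proto__" key that
// JSON.parse creates, and target["__proto__"] resolves to Object.prototype,
// so the recursion writes the attacker's properties onto every object.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable path setter: the path "constructor.prototype.x" walks from any
// plain object to the Object function and then to Object.prototype.
function setPathUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened forms: reject the keys that reach a prototype, iterate own keys
// only, and descend only into plain objects the target itself owns.
function assertSafeKey(key) {
  if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to write key "${key}"`);
}

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    assertSafeKey(key);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function setPathSafe(obj, path, value) {
  const parts = path.split('.');
  parts.forEach(assertSafeKey);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!hasOwn(cur, parts[i]) || !isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

function threw(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Runs each variant against a constructed payload and records whether an
// unrelated fresh object {} afterwards carries the injected property.
function demoPrototypePollution() {
  const out = {};
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // as from req.body

  mergeUnsafe({}, payload);
  out.mergeUnsafe = ({}).isAdmin === true;       // polluted: every object is now "admin"
  delete Object.prototype.isAdmin;               // undo before the next case

  out.mergeSafe = threw(() => mergeSafe({}, payload)) && ({}).isAdmin === undefined;

  setPathUnsafe({}, 'constructor.prototype.isAdmin', true);
  out.setPathUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  out.setPathSafe = threw(() => setPathSafe({}, 'constructor.prototype.isAdmin', true))
    && ({}).isAdmin === undefined;
  return out;
}

console.log(demoPrototypePollution());
```

Two points the code makes that the one-line descriptions do not: the `typeof === 'object'` guard in `mergeUnsafe` happens to block the `constructor.prototype` route (because `Object` is a function), which is why many advisories only mention `__proto__`, while a path setter with no such guard is reachable both ways; and a key denylist alone is fragile, so the hardened forms also restrict themselves to own properties. Keeping untrusted maps in `Object.create(null)` objects or a `Map` removes the prototype to reach, and running Node with `--disable-proto=throw` removes the `__proto__` accessor but not the `constructor.prototype` route, so the key check stays.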
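The mass assignment entries (MITREid Connect, Netmaker, anything-llm, LibreChat, Camaleon CMS) are the same weakness at the framework layer: request fields are bound onto a model without an allowlist, so a caller sets `role`, an owner ID or another server-controlled attribute. The block below is an added example, not code from this page or from any of those projects. The record shape, the `PROFILE_SCHEMA` field list, the role names and the request bodies are constructed; it shows an `Object.assign`-style binder beside one that copies only declared fields and checks the caller's role per field.

```javascript
// Added example (not from the page or any of the listed projects): a
// profile update that binds the whole request body (mass assignment)
// beside a binder that copies only declared fields, each gated on the
// caller's role. Record shape, schema, roles and bodies are constructed.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: every key the client sends becomes an attribute of the
// stored record, including ones only the server should ever set.
function updateUnsafe(record, body) {
  return Object.assign(record, body);
}

// Bindable fields and the minimum role allowed to write each one. Fields
// absent here (id, ownerId, createdAt, ...) can never come from a request.
const RANK = { user: 0, manager: 1, admin: 2 };
const PROFILE_SCHEMA = {
  displayName: 'user',
  email: 'user',
  quota: 'manager',
  role: 'admin',
};

// Copies only schema fields the actor may write; returns what was refused
// so the caller can log it or fail the request. The schema lookup must be
// an own-property check: PROFILE_SCHEMA['constructor'] is otherwise a hit.
function bind(actor, record, body, schema) {
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (!hasOwn(schema, key) || RANK[actor.role] < RANK[schema[key]]) {
      rejected.push(key);
      continue;
    }
    record[key] = body[key];
  }
  return { record, rejected };
}

// Strict variant: any unpermitted field fails the whole update instead of
// being silently dropped, which also makes probing visible in the logs.
function updateStrict(actor, record, body) {
  const { rejected } = bind(actor, { ...record }, body, PROFILE_SCHEMA);
  if (rejected.length > 0) {
    throw new Error(`unpermitted fields for role ${actor.role}: ${rejected.join(', ')}`);
  }
  return bind(actor, record, body, PROFILE_SCHEMA).record;
}

function demoMassAssignment() {
  const fresh = () => ({ id: 42, ownerId: 1, role: 'user', displayName: 'bob' });
  const actor = { id: 42, role: 'user' };
  // Constructed attacker body: one legitimate field plus two it must not control.
  const body = JSON.parse('{"displayName":"mallory","role":"admin","ownerId":7}');

  const unsafe = updateUnsafe(fresh(), body);
  const safe = bind(actor, fresh(), body, PROFILE_SCHEMA);
  let strictError = null;
  try { updateStrict(actor, fresh(), body); } catch (e) { strictError = e.message; }

  return {
    unsafeRole: unsafe.role,             // 'admin': privilege escalation
    unsafeOwner: unsafe.ownerId,         // 7: record handed to another user
    safeRole: safe.record.role,          // 'user'
    safeOwner: safe.record.ownerId,      // 1
    safeName: safe.record.displayName,   // 'mallory': permitted field still applied
    rejected: safe.rejected,             // ['role', 'ownerId']
    strictError,
  };
}

console.log(demoMassAssignment());
```

The shape to look for in a review is the same in any stack: the binder must start from the list of fields the caller may write, never from the list of fields the client sent. Rails strong parameters do this with `permit` (the `permit!` form named in the Camaleon CMS entry disables it), and Spring's `WebDataBinder.setAllowedFields` does it for model-attribute binding of the kind the MITREid Connect entry describes.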
Map vulnerabilities like CWE-915 to your infrastructure
EchelonGraph correlates every CVE — across CWE-915 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.