CWE-15

External Control of System or Configuration Setting

Parent: CWE-642 - External Control of Critical State Data

One or more system settings or configuration elements can be externally controlled by a user.

65 vulnerabilities with CWE-15
CVE-2026-0418 MEDIUM
Certain NETGEAR devices allow administrators to tamper with system
CVE-2026-46399 CRITICAL
haxtheweb haxcms-nodejs - Authenticated Remote Code Execution via File Overwrite
CVE-2026-1784 HIGH
Ose-cluster-ingress-operator: remote code execution through haproxy configuration injection
CVSS 8.8
CVE-2026-45087 CRITICAL
Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
CVSS 10.0
CVE-2026-41489 HIGH
Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks
CVSS 8.8
CVE-2026-43531 HIGH
OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File
CVSS 7.3
CVE-2026-41384 HIGH
OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
CVSS 7.8
CVE-2026-41294 HIGH
OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File
CVSS 8.6
CVE-2026-0232 MEDIUM
Cortex XDR Agent: Local Administrator can disable the agent on Windows
CVE-2026-35650 HIGH
OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization
CVSS 7.5
CVE-2026-33092 HIGH
Acronis True Image < 42902 / OEM < 42571 - Local Privilege Escalation via Environment Variable
CVSS 7.8
CVE-2026-22750 HIGH
SSL bundle configuration silently bypassed in Spring Cloud Gateway
CVSS 7.5
CVE-2026-30817 MEDIUM
Arbitrary File Reading Vulnerability in dnsmasq Module in TP-Link AX53
CVSS 5.7
CVE-2026-30816 MEDIUM
Arbitrary File Reading Vulnerability in OpenVPN Module in TP-Link AX53
CVSS 5.7
CVE-2026-22177 MEDIUM
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
CVSS 6.1
CVE-2026-21422 LOW
Dell PowerScale OneFS 9.10.0-9.12.0 - Privilege Escalation
CVSS 3.4
CVE-2026-27203 HIGH
eBay API MCP Server - Code Injection
CVSS 8.3
CVE-2026-22708 CRITICAL
Cursor < 2.3 - Environment Variable Manipulation via Shell Built-in Execution
CVSS 9.8
CVE-2026-0495 MEDIUM
SAP Fiori App - Privilege Escalation
CVSS 5.1
CVE-2025-13091 MEDIUM
Shopire WordPress Theme <=1.0.57 - Privilege Escalation
CVSS 4.3
CVE-2025-64726 HIGH
Socket Firewall <0.15.5 - Malicious Project Config Code Execution
CVE-2025-62527 HIGH
Taguette < 1.5.0 - Email Address Hijacking via Password Reset Link
CVSS 7.1
CVE-2025-43792 MEDIUM
Liferay Portal <7.4.3.105 - Info Disclosure
CVSS 5.3
CVE-2025-41452 MEDIUM
Danfoss AK-SM8xxA Series < 4.3.1 - Authenticated Denial of Service via Web Interface Configuration
CVE-2025-8283 LOW
netavark - Info Disclosure
CVSS 3.7