CWE-829

Inclusion of Functionality from Untrusted Control Sphere

Parent: CWE-669 - Incorrect Resource Transfer Between Spheres

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

230 vulnerabilities with CWE-829
CVE-2026-43003 HIGH
OpenStack ironic-python-agent <11.5.0 - Code Injection
CVSS 8.0
CVE-2026-41396 HIGH
OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root
CVSS 7.8
CVE-2026-42510 MEDIUM
OpenStack Ironic <=25.0.0 - Command Injection
CVSS 6.6
CVE-2026-6357 MEDIUM
pip self-update functionality can import newly installed modules after wheel installation
CVE-2026-41355 HIGH
OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion
CVSS 7.3
CVE-2026-41336 HIGH
OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override
CVSS 7.8
CVE-2026-6859 HIGH
Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`
CVSS 8.8
CVE-2026-40903 CRITICAL
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence
CVSS 9.1
CVE-2026-41295 HIGH
OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup
CVSS 7.8
CVE-2026-41253 MEDIUM
iTerm2 <=3.6.9 - Code Execution
CVSS 6.9
CVE-2026-6482 HIGH
Local Privilege Escalation via OpenSSL configuration file in Insight Agent
CVSS 7.8
CVE-2026-40959 CRITICAL
Luanti 5 <5.15.2 - Sandbox Escape
CVSS 9.3
CVE-2026-40313 CRITICAL
PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence
CVSS 9.1
CVE-2026-40156 HIGH
PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
CVSS 7.8
CVE-2026-40154 CRITICAL
PraisonAI Affected by Untrusted Remote Template Code Execution
CVSS 9.3
CVE-2026-1342 HIGH
Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access
CVSS 8.5
CVE-2026-34442 MEDIUM
FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout
CVSS 5.4
CVE-2026-32920 HIGH
OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins
CVSS 8.4
CVE-2026-3991 HIGH
Elevation of Privileges in Symantec Data Loss Prevention Windows Endpoint
CVSS 7.8
CVE-2026-33075 HIGH
FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml
CVSS 8.8
CVE-2026-22217 MEDIUM
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback
CVSS 6.1
CVE-2026-4295 HIGH
Arbitrary code execution via crafted project files in Kiro IDE
CVSS 7.8
CVE-2026-4255 HIGH
TR-VISION HOME <= 2.0.5 - DLL Search Order Hijacking Privilege Escalation
CVE-2026-28135 HIGH
WP Royal Elementor Addons <=1.7.1049 - Auth Bypass
CVSS 8.2
CVE-2026-1628 MEDIUM
Mattermost Desktop App <=5.13.3 - Open Redirect
CVSS 4.6