CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

98 vulnerabilities with CWE-915
CVE-2026-46517 HIGH
LMDeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
CVSS 7.8
CVE-2026-46480 HIGH
Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
CVSS 8.8
CVE-2026-46479 HIGH
Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
CVSS 8.8
CVE-2026-46478 HIGH
Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover
CVSS 8.8
CVE-2026-46477 HIGH
Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover
CVSS 8.8
CVE-2026-46476 HIGH
Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
CVSS 8.8
CVE-2026-46475 HIGH
Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover
CVSS 8.8
CVE-2026-46441 CRITICAL
Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment
CVSS 9.6
CVE-2026-42863 HIGH
Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
CVSS 8.1
CVE-2026-42862 MEDIUM
Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment
CVSS 5.0
CVE-2026-42861 CRITICAL
Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment
CVSS 9.6
CVE-2026-42540 MEDIUM
IRIS <2.4.28 - Mass Assignment
CVSS 4.3
CVE-2026-45058 CRITICAL
electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark
CVE-2026-44635 HIGH
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
CVSS 7.5
CVE-2026-48150 CRITICAL
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
CVSS 9.0
CVE-2026-8327 MEDIUM
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass.
CVSS 4.3
CVE-2026-6366 MEDIUM
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002
CVSS 6.6
CVE-2026-46721 MEDIUM
Broken Access Control in extension "Frontend User Registration" (sf_register)
CVE-2026-45396 MEDIUM
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
CVSS 5.4
CVE-2026-45229 HIGH
Quark Drive < 0.8.5 Mass Assignment via POST /update
CVSS 8.8
CVE-2026-31252 MEDIUM
CosyVoice <=6e01309 Remote Code Execution via Insecure Model File Deserialization
CVSS 5.7
CVE-2026-31251 HIGH
CosyVoice thru 6e01309 - Deserialization
CVSS 7.3
CVE-2026-41139 HIGH
Unsafe array index getter in mathjs
CVSS 8.8
CVE-2026-33453 CRITICAL
Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution
CVSS 10.0
CVE-2026-42044 MEDIUM
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
CVSS 6.5