CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

72 vulnerabilities with CWE-915 (the entries listed on this page):

CVE-2026-33453 (CRITICAL, CVSS 10.0): Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution
CVE-2026-42044 (MEDIUM, CVSS 6.5): Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
CVE-2026-40897 (HIGH, CVSS 8.8): mathjs <15.2.0 - Code Injection
CVE-2026-41043 (MEDIUM, CVSS 6.5): Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
CVE-2026-41277 (HIGH, CVSS 8.8): Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
CVE-2026-41267 (HIGH, CVSS 8.1): Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
CVE-2026-40569 (CRITICAL, CVSS 9.0): FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration
CVE-2026-34427 (HIGH, CVSS 8.8): Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save
CVE-2026-40486 (MEDIUM, CVSS 4.3): Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
CVE-2026-34179 (CRITICAL, CVSS 9.1): Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
CVE-2026-5708 (HIGH, CVSS 8.8): Improper Control of User-Modifiable Attributes in RES CreateSession API
CVE-2026-34208 (CRITICAL, CVSS 10.0): SandboxJS: Sandbox integrity escape
CVE-2026-34445 (HIGH, CVSS 8.6): ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.
CVE-2026-5251 (MEDIUM, CVSS 6.3): z-9527 admin User Update Endpoint user.js dynamically-determined object attributes
CVE-2026-5248 (MEDIUM, CVSS 6.3): gougucms User Registration Login.php reg_submit dynamically-determined object attributes
CVE-2026-34406 (HIGH, CVSS 8.8): APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint
CVE-2026-27953 (HIGH, CVSS 7.1): ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
CVE-2026-32742 (MEDIUM, CVSS 4.3): Parse Server session creation endpoint allows overwriting server-generated session fields
CVE-2026-29056 (HIGH, CVSS 8.8): Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin
CVE-2026-21886 (MEDIUM, CVSS 6.5): OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
CVE-2026-32640 (CRITICAL, CVSS 9.8): (SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.
CVE-2026-27591 (CRITICAL, CVSS 9.9): Winter CMS <1.0.477/1.1.12/1.2.12 - Privilege Escalation
CVE-2026-31815 (MEDIUM, CVSS 5.3): django-unicorn <0.67.0 - Auth Bypass
CVE-2026-30822 (HIGH, CVSS 7.7): Flowise <3.0.13 - Code Injection
CVE-2026-28781 (MEDIUM, CVSS 6.5): Craft CMS <4.17.0-beta.1/5.9.0-beta.1 - Privilege Escalation