CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

98 vulnerabilities with CWE-915
CVE-2026-40897 (HIGH, CVSS 8.8): mathjs 13.1.1-15.1.9 - Remote Code Execution via Expression Parser
CVE-2026-41043 (MEDIUM, CVSS 6.5): Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
CVE-2026-41277 (HIGH, CVSS 8.8): Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
CVE-2026-41267 (HIGH, CVSS 8.1): Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
CVE-2026-40569 (CRITICAL, CVSS 9.0): FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration
CVE-2026-34427 (HIGH, CVSS 8.8): Vvveb < 1.0.8.1 Privilege Escalation via admin/user/save
CVE-2026-40486 (MEDIUM, CVSS 4.3): Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate
CVE-2026-34179 (CRITICAL, CVSS 9.1): Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
CVE-2026-5708 (HIGH, CVSS 8.8): Improper Control of User-Modifiable Attributes in RES CreateSession API
CVE-2026-34208 (CRITICAL, CVSS 10.0): SandboxJS: Sandbox integrity escape
CVE-2026-34445 (HIGH, CVSS 8.6): ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.
CVE-2026-5251 (MEDIUM, CVSS 6.3): z-9527 admin User Update Endpoint user.js dynamically-determined object attributes
CVE-2026-5248 (MEDIUM, CVSS 6.3): gougucms User Registration Login.php reg_submit dynamically-determined object attributes
CVE-2026-34406 (HIGH, CVSS 8.8): APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint
CVE-2026-27953 (HIGH, CVSS 7.1): ormar <0.23.1 Model Constructor - Pydantic Validation Bypass
CVE-2026-32742 (MEDIUM, CVSS 4.3): Parse Server session creation endpoint allows overwriting server-generated session fields
CVE-2026-29056 (HIGH, CVSS 8.8): Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin
CVE-2026-21886 (MEDIUM, CVSS 6.5): OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
CVE-2026-32640 (CRITICAL, CVSS 9.8): (SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.
CVE-2026-27591 (CRITICAL, CVSS 9.9): Winter CMS <1.0.477/1.1.12/1.2.12 - Privilege Escalation
CVE-2026-31815 (MEDIUM, CVSS 5.3): django-unicorn <0.67.0 - Auth Bypass
CVE-2026-30822 (HIGH, CVSS 7.7): Flowise < 3.0.13 - Unauthenticated Arbitrary Database Field Injection via Lead Creation
CVE-2026-28781 (MEDIUM, CVSS 6.5): Craft CMS <4.17.0-beta.1/5.9.0-beta.1 - Privilege Escalation
CVE-2026-28219 (MEDIUM, CVSS 4.3): Discourse <2025.12.2/2026.1.1/2026.2.0 - Privilege Escalation
CVE-2026-27125 (MEDIUM, CVSS 6.8): svelte < 5.51.5 - Prototype Pollution in Server-Side Rendering Attribute Spreading