CWE-829— Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.— MITRE CWE catalog
265 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-829page 5 of 6
- CVE-2026-1699CRITICALCVSS 10.0EG 10.02026-01-30
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbit…
- CVE-2026-22208CRITICALCVSS 9.6EG 9.62026-02-17
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing …
- CVE-2026-22217MEDIUMCVSS 6.1EG 6.12026-03-18
OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable…
- CVE-2026-22283HIGHCVSS 7.5EG 7.52026-06-17
Dell PowerFlex Manager, version(s) prior to 5.1.0.1, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading…
- CVE-2026-22551MEDIUMCVSS 6.5EG 6.52026-06-18
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an att…
- CVE-2026-22816HIGHCVSS 7.4EG 7.42026-01-16
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository…
- CVE-2026-22865HIGHCVSS 7.4EG 7.42026-01-16
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository…
- CVE-2026-25931HIGHCVSS 7.8EG 7.82026-02-09
vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value …
- CVE-2026-26079MEDIUMCVSS 4.7EG 4.72026-02-11
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
- CVE-2026-28135HIGHCVSS 8.2EG 8.22026-03-05
Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Royal Elementor Addons: fro…
- CVE-2026-28500CRITICALCVSS 9.1EG 8.62026-03-16
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verifi…
- CVE-2026-32920HIGHCVSS 8.4EG 8.42026-03-31
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plug…
- CVE-2026-40154CRITICALCVSS 9.3EG 9.32026-04-09
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks t…
- CVE-2026-40156HIGHCVSS 7.8EG 7.82026-04-10
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_fr…
- CVE-2026-40313CRITICALCVSS 9.1EG 9.12026-04-14
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credential…
- CVE-2026-40903CRITICALCVSS 9.1EG 9.12026-04-21
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository …
- CVE-2026-40959CRITICALCVSS 9.3EG 9.32026-04-16
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
- CVE-2026-41253MEDIUMCVSS 6.9EG 6.92026-04-18
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname wit…
- CVE-2026-41295HIGHCVSS 7.8EG 7.82026-04-21
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a …
- CVE-2026-41336HIGHCVSS 7.8EG 7.82026-04-23
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted…
- CVE-2026-41355HIGHCVSS 7.3EG 7.32026-04-23
OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway…
- CVE-2026-41396HIGHCVSS 7.8EG 7.82026-04-28
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugi…
- CVE-2026-42089HIGHCVSS 8.6EG 8.62026-05-26
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names wi…
- CVE-2026-42510HIGHCVSS 7.2EG 6.62026-04-28
OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.
- CVE-2026-4255HIGHCVSS 7.8EG 7.82026-03-16
A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Windows (64-bit) allows a local attacker to escalate privileges via DLL side-loading. The application loads certain dynamic-link library (DLL) dependencies using …
- CVE-2026-43003HIGHCVSS 7.5EG 8.02026-05-01
An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malic…
- CVE-2026-43569HIGHCVSS 8.8EG 8.82026-05-05
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by craft…
- CVE-2026-43571HIGHCVSS 8.8EG 8.82026-05-05
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace…
- CVE-2026-43940HIGHCVSS 8.4EG 8.42026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied wi…
- CVE-2026-43944CRITICALCVSS 9.6EG 9.62026-05-08
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Expl…
- CVE-2026-43999CRITICALCVSS 9.9EG 9.92026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads an…
- CVE-2026-44312MEDIUMCVSS 5.8EG 5.82026-05-14
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The con…
- CVE-2026-44336CRITICALCVSS 9.6EG 9.62026-05-08
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praison…
- CVE-2026-44358HIGHCVSS 8.2EG 8.22026-05-28
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into…
- CVE-2026-44484CRITICALCVSS 9.8EG 9.82026-05-14
PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism.
- CVE-2026-44688HIGHCVSS 8.8EG 8.82026-06-18
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository wi…
- CVE-2026-44691HIGHCVSS 8.8EG 8.82026-06-18
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, wh…
- CVE-2026-44995HIGHCVSS 7.3EG 7.32026-05-11
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup v…
- CVE-2026-45184MEDIUMCVSS 6.5EG 6.52026-05-09
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
- CVE-2026-46529HIGHCVSS 7.8EG 7.82026-06-10
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code executio…
- CVE-2026-46580HIGHCVSS 8.8EG 8.82026-06-18
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious reposi…
- CVE-2026-47172CRITICALCVSS 9.5EG 9.52026-06-11
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflo…
- CVE-2026-47174CRITICALCVSS 9.5EG 9.52026-06-11
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment se…
- CVE-2026-47292HIGHCVSS 7.8EG 7.82026-06-09
Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
- CVE-2026-48124HIGHCVSS 8.5EG 8.52026-06-15
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious worksp…
- CVE-2026-50195CRITICALCVSS 9.9EG 9.92026-06-19
containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's con…
- CVE-2026-5241CRITICALCVSS 9.6EG 8.02026-06-03
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_…
- CVE-2026-52858HIGHCVSS 7.8EG 7.82026-06-11
Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +pyth…
- CVE-2026-53810HIGHCVSS 8.8EG 8.82026-06-11
OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata…
- CVE-2026-54325MEDIUMCVSS 4.4EG 4.42026-06-17
Pi is a minimal terminal coding harness. Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, wh…
Map vulnerabilities like CWE-829 to your infrastructure
EchelonGraph correlates every CVE — across CWE-829 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →