CWE-914— Improper Control of Dynamically-Identified Variables
The product does not properly restrict reading from or writing to dynamically-identified variables.— MITRE CWE catalog
8 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-914page 1 of 1
- CVE-2023-33175CRITICALCVSS 9.1EG 9.12023-05-30
ToUI is a Python package for creating user interfaces (websites and desktop apps) from HTML. ToUI is using Flask-Caching (SimpleCache) to store user variables. Websites that use `Website.user_vars` property. It affects versions 2.0.1 to 2.…
- CVE-2024-24914HIGHCVSS 8.0EG 8.02024-11-07
Authenticated Gaia users can inject code or commands by global variables through special HTTP requests. A Security fix that mitigates this vulnerability is available.
- CVE-2024-54198HIGHCVSS 8.5EG 8.52024-12-10
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These cre…
- CVE-2025-14051MEDIUMCVSS 6.3EG 6.32025-12-04
A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function getById/updateAddress/deleteAddress of the file /mall-ums/app-api/v1/addresses/. Executing manipulation can lead to improper control of dynamically-ident…
- CVE-2025-14085MEDIUMCVSS 6.3EG 6.32025-12-05
A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables.…
- CVE-2026-34444CRITICALCVSS 10.0EG 10.02026-04-06
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypa…
- CVE-2026-35173MEDIUMCVSS 6.5EG 6.52026-04-06
Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (Edit Post, Edit Draft, Edit Own Post, Edit Own Dr…
- CVE-2026-44006CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.
Map vulnerabilities like CWE-914 to your infrastructure
EchelonGraph correlates every CVE — across CWE-914 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →