CWE-915— Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.— MITRE CWE catalog
140 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-915page 1 of 3
- CVE-2018-11135HIGHCVSS 8.8EG 7.52018-05-31
The script '/adminui/error_details.php' in the Quest KACE System Management Appliance 8.0.318 allows authenticated users to conduct PHP object injection attacks.
- CVE-2018-6195HIGHCVSS 7.2EG 7.22018-01-30
admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via…
- CVE-2019-9057HIGHCVSS 8.8EG 8.82019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the module FilePicker, it is possible to reach an unserialize call with an untrusted parameter, and achieve authenticated object injection.
- CVE-2019-9058HIGHCVSS 7.2EG 7.22019-03-26
An issue was discovered in CMS Made Simple 2.2.8. In the administrator page admin/changegroupperm.php, it is possible to send a crafted value in the sel_groups parameter that leads to authenticated object injection.
- CVE-2020-11066HIGHCVSS 8.7EG 8.72020-05-14
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object …
- CVE-2020-11872HIGHCVSS 7.5EG 7.52020-04-17
The Cloud Functions subsystem in OpenTrace 1.0 might allow fabrication attacks by making billions of TempID requests before an AES-256-GCM key rotation occurs.
- CVE-2020-24036HIGHCVSS 8.8EG 8.82021-03-04
PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
- CVE-2020-28269CRITICALCVSS 9.8EG 9.82020-11-12
Prototype pollution vulnerability in 'field' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
- CVE-2020-7616MEDIUMCVSS 5.3EG 5.32020-04-07
express-mock-middleware through 0.0.6 is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the `Object.prototype`. Exploitation of this vulnerability requires creatio…
- CVE-2020-7617MEDIUMCVSS 4.4EG 9.82020-04-02
ini-parser through 0.0.2 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of Object.prototype using a '__proto__' payload.
- CVE-2020-7644HIGHCVSS 8.1EG 8.12020-04-28
fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload.
- CVE-2020-7679HIGHCVSS 7.3EG 7.32020-06-19
In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.
- CVE-2020-7702CRITICALCVSS 9.8EG 9.82020-08-17
All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.
- CVE-2020-7703CRITICALCVSS 9.8EG 9.82020-08-17
All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function.
- CVE-2021-21297HIGHCVSS 7.7EG 7.72021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default J…
- CVE-2021-21304HIGHCVSS 7.2EG 7.22021-02-08
Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "lib/utils/object/set.ts". This method i…
- CVE-2021-21368MEDIUMCVSS 6.7EG 6.72021-03-12
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "__proto__", it assigns t…
- CVE-2021-23402HIGHCVSS 7.3EG 7.32021-07-02
All versions of package record-like-deep-assign are vulnerable to Prototype Pollution via the main functionality.
- CVE-2021-23417MEDIUMCVSS 5.6EG 5.62021-07-28
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function.
- CVE-2021-23421MEDIUMCVSS 5.6EG 9.82021-08-11
All versions of package merge-change are vulnerable to Prototype Pollution via the utils.set function.
- CVE-2021-23452HIGHCVSS 8.6EG 8.62021-10-20
This affects all versions of package x-assign. The global proto object can be polluted using the __proto__ object.
- CVE-2021-25945CRITICALCVSS 9.8EG 9.82021-05-26
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-25948CRITICALCVSS 9.8EG 9.82021-06-10
Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.
- CVE-2021-27582CRITICALCVSS 9.1EG 9.12021-02-23
org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAt…
- CVE-2021-32807MEDIUMCVSS 4.4EG 4.42021-07-30
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. T…
- CVE-2021-32811HIGHCVSS 7.5EG 7.52021-08-02
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.…
- CVE-2022-24802HIGHCVSS 8.1EG 8.12022-04-01
deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecords(). This issue has been patched in ver…
- CVE-2022-2625HIGHCVSS 8.0EG 8.02022-08-18
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and…
- CVE-2022-31106HIGHCVSS 8.3EG 8.32022-06-28
Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An attacker can craft a malicious payload and …
- CVE-2022-4068MEDIUMCVSS 5.4EG 5.42022-11-20
A user is able to enable their own account if it was disabled by an admin while the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that enables an a…
- CVE-2022-43441HIGHCVSS 8.1EG 8.12023-03-16
A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trig…
- CVE-2022-48359HIGHCVSS 7.5EG 7.52023-03-27
The recovery mode for updates has a vulnerability that causes arbitrary disk modification. Successful exploitation of this vulnerability may affect confidentiality.
- CVE-2023-0574MEDIUMCVSS 6.8EG 9.82023-02-09
Server-Side Request Forgery (SSRF), Improperly Controlled Modification of Dynamically-Determined Object Attributes, Improper Restriction of Excessive Authentication Attempts vulnerability in YugaByte, Inc. Yugabyte Managed allows Accessing…
- CVE-2023-32079HIGHCVSS 8.8EG 8.82023-08-24
Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixe…
- CVE-2023-39983MEDIUMCVSS 5.3EG 5.32023-09-02
A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to reg…
- CVE-2024-0404CRITICALCVSS 9.1EG 9.12024-04-16
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the …
- CVE-2024-10359MEDIUMCVSS 4.6EG 4.62025-03-20
In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the user ID field through mass assignment. This allows an attacker to inject a different user ID into the …
- CVE-2024-3283HIGHCVSS 7.2EG 7.22024-04-10
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level use…
- CVE-2024-5452CRITICALCVSS 9.8EG 9.82024-06-06
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The librar…
- CVE-2024-55636CRITICALCVSS 9.8EG 9.82024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55637CRITICALCVSS 9.8EG 9.82024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55638CRITICALCVSS 9.8EG 9.82024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods th…
- CVE-2024-57708MEDIUMCVSS 5.7EG 5.72025-06-25
An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier who does not agree it is a prototype poll…
- CVE-2025-13081MEDIUMCVSS 5.9EG 5.92025-11-18
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 bef…
- CVE-2025-14341HIGHCVSS 8.3EG 8.32026-05-07
Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding…
- CVE-2025-2304CRITICALCVSS 9.4EG 9.42025-03-14
A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! …
- CVE-2025-24370CRITICALCVSS 9.3EG 9.32025-02-03
Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to python class pollution vulnerability. The vulnerability arises from the core functionality `set_property…
- CVE-2025-30358HIGHCVSS 8.1EG 8.12025-03-27
Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules…
- CVE-2025-31674HIGHCVSS 7.5EG 7.52025-03-31
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 be…
- CVE-2025-49597LOWCVSS 3.9EG 3.92025-06-13
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deseri…
Map vulnerabilities like CWE-915 to your infrastructure
EchelonGraph correlates every CVE — across CWE-915 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →