Common Weakness Enumeration

CWE-915

Allowed

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · Status: Incomplete

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

275 vulnerabilities reference this CWE, most recent first.

GHSA-X6C6-VG4W-8R3R

Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-25 21:31
VLAI
Details

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table — none of which are exposed by the K2 frontend profile-edit form.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T16:16:36Z",
    "severity": "MODERATE"
  },
  "details": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form.",
  "id": "GHSA-x6c6-vg4w-8r3r",
  "modified": "2026-06-25T21:31:29Z",
  "published": "2026-06-25T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48943"
    },
    {
      "type": "WEB",
      "url": "https://www.getk2.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7HC-R9M3-67VR

Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-13 21:31
VLAI
Details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T22:16:43Z",
    "severity": "MODERATE"
  },
  "details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.",
  "id": "GHSA-x7hc-r9m3-67vr",
  "modified": "2026-07-13T21:31:18Z",
  "published": "2026-07-11T00:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55804"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2026-006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMJC-63PR-2MPG

Vulnerability from github – Published: 2026-05-20 00:31 – Updated: 2026-06-05 18:18
VLAI
Summary
Drupal core allows Object Injection
Details

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.

This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "10.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.6.0"
            },
            {
              "fixed": "10.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.3.0"
            },
            {
              "fixed": "11.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T18:18:11Z",
    "nvd_published_at": "2026-05-19T23:16:58Z",
    "severity": "MODERATE"
  },
  "details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.",
  "id": "GHSA-xmjc-63pr-2mpg",
  "modified": "2026-06-05T18:18:11Z",
  "published": "2026-05-20T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6366"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/drupal/core"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2026-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal core allows Object Injection"
}

GHSA-XP9C-82X8-7F67

Vulnerability from github – Published: 2021-02-26 16:31 – Updated: 2021-09-22 13:55
VLAI
Summary
Prototype Pollution in Node-Red
Details

Impact

Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.

Patches

The vulnerability is patched in the 1.2.8 release.

Workarounds

A workaround is to ensure only authorised users are able to access the editor url.

For more information

If you have any questions or comments about this advisory: * Email us at team@nodered.org

Acknowledgements

Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@node-red/runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-26T16:22:38Z",
    "nvd_published_at": "2021-02-26T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nNode-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.\n\n### Patches\n\nThe vulnerability is patched in the 1.2.8 release.\n\n### Workarounds\n\nA workaround is to ensure only authorised users are able to access the editor url.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [team@nodered.org](mailto:team@nodered.org)\n\n### Acknowledgements\n\nThanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.",
  "id": "GHSA-xp9c-82x8-7f67",
  "modified": "2021-09-22T13:55:00Z",
  "published": "2021-02-26T16:31:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21297"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-red/node-red"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@node-red/editor-api"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@node-red/runtime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Prototype Pollution in Node-Red"
}

GHSA-XVR9-JR9P-GRF3

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2026-07-05 00:31
VLAI
Details

PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502",
      "CWE-915"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-04T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.",
  "id": "GHSA-xvr9-jr9p-grf3",
  "modified": "2026-07-05T00:31:17Z",
  "published": "2022-05-24T17:43:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24036"
    },
    {
      "type": "WEB",
      "url": "https://tech.feedyourhead.at/content/ForkCMS-PHP-Object-Injection-CVE-2020-24036"
    },
    {
      "type": "WEB",
      "url": "https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-04"
    },
    {
      "type": "WEB",
      "url": "http://forkcms.com"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/161764/ForkCMS-PHP-Object-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Mar/31"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation
  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.