CWE-915
AllowedImproperly Controlled Modification of Dynamically-Determined Object Attributes
Abstraction: Base · Status: Incomplete
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
275 vulnerabilities reference this CWE, most recent first.
CVE-2026-27125 (GCVE-0-2026-27125)
Vulnerability from cvelistv5 – Published: 2026-02-20 22:29 – Updated: 2026-02-25 21:33- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| URL | Tags |
|---|---|
| https://github.com/sveltejs/svelte/security/advis… | x_refsource_CONFIRM |
| https://github.com/sveltejs/svelte/commit/73098bb… | x_refsource_MISC |
| https://github.com/sveltejs/svelte/releases/tag/s… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T21:33:01.018593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T21:33:14.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "svelte",
"vendor": "sveltejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.51.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. \u003cdiv {...attrs}\u003e) enumerates inherited properties from the object\u0027s prototype chain rather than only own properties. In environments where Object.prototype has already been polluted \u2014 a precondition outside of Svelte\u0027s control \u2014 this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T22:29:45.364Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"
},
{
"name": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"
},
{
"name": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sveltejs/svelte/releases/tag/svelte@5.51.5"
}
],
"source": {
"advisory": "GHSA-crpf-4hrx-3jrp",
"discovery": "UNKNOWN"
},
"title": "Svelte SSR attribute spreading includes inherited properties from prototype chain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27125",
"datePublished": "2026-02-20T22:29:45.364Z",
"dateReserved": "2026-02-17T18:42:27.043Z",
"dateUpdated": "2026-02-25T21:33:14.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24140 (GCVE-0-2026-24140)
Vulnerability from cvelistv5 – Published: 2026-01-23 23:59 – Updated: 2026-01-26 16:17- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| URL | Tags |
|---|---|
| https://github.com/franklioxygen/MyTube/security/… | x_refsource_CONFIRM |
| https://github.com/franklioxygen/MyTube/commit/9d… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.7.79
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T16:14:35.666469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:58.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.79"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application\u0027s saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record\u003cstring, any\u003e as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T23:59:56.045Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6"
}
],
"source": {
"advisory": "GHSA-c938-x24g-fxcx",
"discovery": "UNKNOWN"
},
"title": "MyTube has Mass Assignment via Settings Management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24140",
"datePublished": "2026-01-23T23:59:56.045Z",
"dateReserved": "2026-01-21T18:38:22.475Z",
"dateUpdated": "2026-01-26T16:17:58.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23522 (GCVE-0-2026-23522)
Vulnerability from cvelistv5 – Published: 2026-01-19 16:53 – Updated: 2026-01-20 21:35| URL | Tags |
|---|---|
| https://github.com/lobehub/lobe-chat/security/adv… | x_refsource_CONFIRM |
| https://github.com/lobehub/lobe-chat/commit/2c176… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23522",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:35:33.327391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:35:39.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lobe-chat",
"vendor": "lobehub",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-next.193"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it\u0027s enabling attackers to delete other users\u0027 KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target\u0027s KB ID and target\u0027s file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T16:53:32.371Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r"
},
{
"name": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6"
}
],
"source": {
"advisory": "GHSA-j7xp-4mg9-x28r",
"discovery": "UNKNOWN"
},
"title": "Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23522",
"datePublished": "2026-01-19T16:53:32.371Z",
"dateReserved": "2026-01-13T18:22:43.980Z",
"dateUpdated": "2026-01-20T21:35:39.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22814 (GCVE-0-2026-22814)
Vulnerability from cvelistv5 – Published: 2026-01-13 19:42 – Updated: 2026-01-14 17:26- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| URL | Tags |
|---|---|
| https://github.com/adonisjs/lucid/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:26:06.187349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:26:12.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lucid",
"vendor": "adonisjs",
"versions": [
{
"status": "affected",
"version": "\u003c 21.8.2"
},
{
"status": "affected",
"version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:42:14.346Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
}
],
"source": {
"advisory": "GHSA-g5gc-h5hp-555f",
"discovery": "UNKNOWN"
},
"title": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22814",
"datePublished": "2026-01-13T19:42:14.346Z",
"dateReserved": "2026-01-09T22:50:10.288Z",
"dateUpdated": "2026-01-14T17:26:12.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22783 (GCVE-0-2026-22783)
Vulnerability from cvelistv5 – Published: 2026-01-12 18:27 – Updated: 2026-01-12 18:52| URL | Tags |
|---|---|
| https://github.com/dfir-iris/iris-web/security/ad… | x_refsource_CONFIRM |
| https://github.com/dfir-iris/iris-web/commit/57c1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-12T18:51:44.715000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T18:52:04.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iris-web",
"vendor": "dfir-iris",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file\u0027s file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T18:27:38.259Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v"
},
{
"name": "https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7"
}
],
"source": {
"advisory": "GHSA-qhqj-8qw6-wp8v",
"discovery": "UNKNOWN"
},
"title": "Iris Allows Arbitrary File Deletion via Mass Assignment in Datastore File Management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22783",
"datePublished": "2026-01-12T18:27:38.259Z",
"dateReserved": "2026-01-09T18:27:19.388Z",
"dateUpdated": "2026-01-12T18:52:04.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21886 (GCVE-0-2026-21886)
Vulnerability from cvelistv5 – Published: 2026-03-17 15:26 – Updated: 2026-03-17 16:09| URL | Tags |
|---|---|
| https://github.com/OpenCTI-Platform/opencti/secur… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| OpenCTI-Platform | opencti |
Affected:
< 6.9.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T16:09:27.056285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T16:09:31.748Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencti",
"vendor": "OpenCTI-Platform",
"versions": [
{
"status": "affected",
"version": "\u003c 6.9.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations \"IndividualDeletionDeleteMutation\" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutation can be misused to delete unrelated and sensitive objects such as analyses reports etc. This behavior stems from the lack of validation in the API to ensure that the targeted object is contextually related to the mutation being executed. Version 6.9.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-566",
"description": "CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T15:26:30.757Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mhmx-j75v-2m6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mhmx-j75v-2m6x"
}
],
"source": {
"advisory": "GHSA-mhmx-j75v-2m6x",
"discovery": "UNKNOWN"
},
"title": "OpenCTI\u0027s GraphQL Mutations Allow Deletion of Unrelated Entities"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21886",
"datePublished": "2026-03-17T15:26:30.757Z",
"dateReserved": "2026-01-05T17:24:36.929Z",
"dateUpdated": "2026-03-17T16:09:31.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21695 (GCVE-0-2026-21695)
Vulnerability from cvelistv5 – Published: 2026-01-07 23:19 – Updated: 2026-01-08 18:16- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| URL | Tags |
|---|---|
| https://github.com/kromitgmbh/titra/security/advi… | x_refsource_CONFIRM |
| https://github.com/kromitgmbh/titra/commit/29e6b8… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| kromitgmbh | titra |
Affected:
< 0.99.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21695",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T15:06:15.389331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:16:33.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "titra",
"vendor": "kromitgmbh",
"versions": [
{
"status": "affected",
"version": "\u003c 0.99.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-07T23:19:01.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq"
},
{
"name": "https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938"
}
],
"source": {
"advisory": "GHSA-gc65-vr47-jppq",
"discovery": "UNKNOWN"
},
"title": "Titra API Contains Mass Assignment Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21695",
"datePublished": "2026-01-07T23:19:01.616Z",
"dateReserved": "2026-01-02T18:45:27.397Z",
"dateUpdated": "2026-01-08T18:16:33.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15083 (GCVE-0-2026-15083)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-13 18:18- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | ECA: Event - Condition - Action |
Affected:
0.0.0 , < 2.1.20
(semver)
Affected: 3.0.0 , < 3.0.12 (semver) Affected: 3.1.0 , < 3.1.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-15083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:17:35.787782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:18:06.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/eca",
"product": "ECA: Event - Condition - Action",
"repo": "https://git.drupalcode.org/project/eca",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.1.20",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
},
{
"lessThan": "3.0.12",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.4",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Changhai Qi (qichanghai)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "J\u00c3\u00bcrgen Haas (jurgenhaas)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Greg Knaddison (greggles)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Dave Long (longwave)"
}
],
"datePublic": "2026-07-08T17:16:32.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:33.886Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-074"
}
],
"title": "ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-15083",
"datePublished": "2026-07-10T21:46:33.886Z",
"dateReserved": "2026-07-08T15:44:57.178Z",
"dateUpdated": "2026-07-13T18:18:06.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13244 (GCVE-0-2026-13244)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:46 – Updated: 2026-07-13 17:55- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Tealium iQ Tag Management |
Affected:
0.0.0 , < 2.4.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-13244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T17:55:08.289819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T17:55:31.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tealiumiq",
"product": "Tealium iQ Tag Management",
"repo": "https://git.drupalcode.org/project/tealiumiq",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel Schiavone (schiavone)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Bram Driesen (bramdriesen)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Neil Drumm (drumm)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Juraj Nemec (poker10)"
}
],
"datePublic": "2026-06-26T15:27:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Tealium iQ Tag Management allows Object Injection. This issue affects Tealium iQ Tag Management versions: from 0.0.0 to 2.4.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:46:14.260Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-064"
}
],
"title": "Tealium iQ Tag Management - Critical - PHP object injection - SA-CONTRIB-2026-064"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-13244",
"datePublished": "2026-07-10T21:46:14.260Z",
"dateReserved": "2026-06-24T18:00:17.008Z",
"dateUpdated": "2026-07-13T17:55:31.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12535 (GCVE-0-2026-12535)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:43 – Updated: 2026-07-13 18:12- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | Formatter Field |
Affected:
0.0.0 , < 2.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-12535",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:12:19.318935Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:12:44.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/formatter_field",
"product": "Formatter Field",
"repo": "https://git.drupalcode.org/project/formatter_field",
"vendor": "Drupal",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Kostia Bohach (_shy)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Benji Fisher (benjifisher)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Drew Webber (mcdruid)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Jess (xjm)"
}
],
"datePublic": "2026-06-17T18:38:38.000Z",
"descriptions": [
{
"lang": "en",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:43:40.681Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"url": "https://www.drupal.org/sa-contrib-2026-048"
}
],
"title": "Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048"
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-12535",
"datePublished": "2026-07-10T21:43:40.681Z",
"dateReserved": "2026-06-17T14:59:45.420Z",
"dateUpdated": "2026-07-13T18:12:44.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
- For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No CAPEC attack patterns related to this CWE.