CWE-915
AllowedImproperly Controlled Modification of Dynamically-Determined Object Attributes
Abstraction: Base · Status: Incomplete
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
275 vulnerabilities reference this CWE, most recent first.
GHSA-X6C6-VG4W-8R3R
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-25 21:31K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plg_user_k2. A Registered Joomla user, by including the field K2UserForm=1 in a standard com_users profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the #__k2_users table — none of which are exposed by the K2 frontend profile-edit form.
{
"affected": [],
"aliases": [
"CVE-2026-48943"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T16:16:36Z",
"severity": "MODERATE"
},
"details": "K2 \u2264 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table \u2014 none of which are exposed by the K2 frontend profile-edit form.",
"id": "GHSA-x6c6-vg4w-8r3r",
"modified": "2026-06-25T21:31:29Z",
"published": "2026-06-25T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48943"
},
{
"type": "WEB",
"url": "https://www.getk2.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7HC-R9M3-67VR
Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-13 21:31Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1..
{
"affected": [],
"aliases": [
"CVE-2026-55804"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T22:16:43Z",
"severity": "MODERATE"
},
"details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.",
"id": "GHSA-x7hc-r9m3-67vr",
"modified": "2026-07-13T21:31:18Z",
"published": "2026-07-11T00:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55804"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2026-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XMJC-63PR-2MPG
Vulnerability from github – Published: 2026-05-20 00:31 – Updated: 2026-06-05 18:18Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.
This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "10.5.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.6.0"
},
{
"fixed": "10.6.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.3.0"
},
{
"fixed": "11.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6366"
],
"database_specific": {
"cwe_ids": [
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T18:18:11Z",
"nvd_published_at": "2026-05-19T23:16:58Z",
"severity": "MODERATE"
},
"details": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.\n\nThis issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7.",
"id": "GHSA-xmjc-63pr-2mpg",
"modified": "2026-06-05T18:18:11Z",
"published": "2026-05-20T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6366"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2026-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Drupal core allows Object Injection"
}
GHSA-XP9C-82X8-7F67
Vulnerability from github – Published: 2021-02-26 16:31 – Updated: 2021-09-22 13:55Impact
Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.
Patches
The vulnerability is patched in the 1.2.8 release.
Workarounds
A workaround is to ensure only authorised users are able to access the editor url.
For more information
If you have any questions or comments about this advisory: * Email us at team@nodered.org
Acknowledgements
Thanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@node-red/runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21297"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-26T16:22:38Z",
"nvd_published_at": "2021-02-26T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nNode-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime.\n\n### Patches\n\nThe vulnerability is patched in the 1.2.8 release.\n\n### Workarounds\n\nA workaround is to ensure only authorised users are able to access the editor url.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [team@nodered.org](mailto:team@nodered.org)\n\n### Acknowledgements\n\nThanks to the Tencent Woodpecker Security Team for disclosing this vulnerability.",
"id": "GHSA-xp9c-82x8-7f67",
"modified": "2021-09-22T13:55:00Z",
"published": "2021-02-26T16:31:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-red/node-red/security/advisories/GHSA-xp9c-82x8-7f67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21297"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-red/node-red"
},
{
"type": "WEB",
"url": "https://github.com/node-red/node-red/releases/tag/1.2.8"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@node-red/editor-api"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@node-red/runtime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Node-Red"
}
GHSA-XVR9-JR9P-GRF3
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2026-07-05 00:31PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.
{
"affected": [],
"aliases": [
"CVE-2020-24036"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-915"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-04T13:15:00Z",
"severity": "HIGH"
},
"details": "PHP object injection in the Ajax endpoint of the backend in ForkCMS below version 5.8.3 allows an authenticated remote user to execute malicious code.",
"id": "GHSA-xvr9-jr9p-grf3",
"modified": "2026-07-05T00:31:17Z",
"published": "2022-05-24T17:43:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24036"
},
{
"type": "WEB",
"url": "https://tech.feedyourhead.at/content/ForkCMS-PHP-Object-Injection-CVE-2020-24036"
},
{
"type": "WEB",
"url": "https://www.ait.ac.at/themen/cyber-security/pentesting/security-advisories/ait-sa-20210215-04"
},
{
"type": "WEB",
"url": "http://forkcms.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/161764/ForkCMS-PHP-Object-Injection.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Mar/31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
- For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation
Strategy: Refactoring
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
No CAPEC attack patterns related to this CWE.