Skip to main content

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

87 CVEs Avg CVSS 7.5 MITRE
21
CRITICAL
35
HIGH
26
MEDIUM
4
LOW
17
POC
0
KEV

Monthly

CVE-2026-56679 HIGH This Week

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable application-wide login by abusing a mass-assignment flaw in the PATCH /api/settings endpoint. Because the endpoint persists the entire request body without a field whitelist, a low-privileged user can flip security-critical settings such as requireLogin, thereby exposing sensitive routes like /api/keys and /api/providers to unauthenticated access. No public exploit identified at time of analysis; the issue is fixed in version 0.5.4.

Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
CVE-2026-59888 MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58477 HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-55804 PHP MEDIUM PATCH This Month

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at just 0.16% (6th percentile), making this a patch-priority rather than emergency-response scenario.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55803 PHP MEDIUM PATCH This Month

Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamically-determined PHP object attributes, potentially compromising confidentiality and data integrity of the application. Affected versions span multiple active and end-of-life branches: 10.5.x through 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and the entirely unsupported 11.0.x and 11.1.x branches. No public exploit code is identified at time of analysis, and EPSS at 0.16% (6th percentile) signals very low observed exploitation activity despite the C:H/I:H impact potential.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-15083 PHP MEDIUM PATCH This Month

Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. No confirmed active exploitation exists, and EPSS at 0.20% (10th percentile) reflects low observed threat pressure across the landscape, though a vendor patch has been issued per the Drupal security advisory.

Code Injection Eca
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13244 PHP HIGH PATCH This Week

Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). Drupal has published advisory SA-CONTRIB-2026-064 and released a fixed version.

Code Injection Tealium Iq Tag Management
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-55810 PHP HIGH PATCH This Week

Object injection in the Drupal Plotly.js Graphing contributed module (all releases 0.0.0 through 3.0.2) lets an authenticated attacker with low privileges tamper with dynamically-determined object attributes, undermining both confidentiality and integrity of the site. The flaw stems from improperly controlled modification of object properties (CWE-915), and the network-reachable, low-complexity CVSS 3.1 vector (8.1) reflects meaningful severity; however, EPSS is only 0.16% (6th percentile) and no public exploit identified at time of analysis. It is not listed in CISA KEV.

Code Injection Plotly Js Graphing
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55809 PHP HIGH PATCH This Week

Object injection in the Drupal contrib module Flag attendance field (all versions up to and including 1.2) lets an authenticated user with low privileges pass attacker-controlled data into a dynamically-determined object attribute (CWE-915), enabling PHP object injection and high-impact compromise of data confidentiality and integrity. The Drupal Security Team published advisory SA-CONTRIB-2026-049 and a fixed release is available. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.17%, 7th percentile).

Code Injection Flag Attendance Field
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-12535 PHP CRITICAL PATCH Act Now

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.

Code Injection Formatter Field
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVSS 8.7
HIGH This Week

Authentication bypass in 9Router (AI router & token saver) prior to 0.5.4 lets any authenticated user disable application-wide login by abusing a mass-assignment flaw in the PATCH /api/settings endpoint. Because the endpoint persists the entire request body without a field whitelist, a low-privileged user can flip security-critical settings such as requireLogin, thereby exposing sensitive routes like /api/keys and /api/providers to unauthenticated access. No public exploit identified at time of analysis; the issue is fixed in version 0.5.4.

Information Disclosure 9Router
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.

Authentication Bypass Java Jackson Databind
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Configuration tampering in the Sustainable Irrigation Platform (SIP) through version 5.2.16 lets remote unauthenticated attackers overwrite sensitive settings - including the passphrase and listening port - by injecting arbitrary parameter names into HTTP requests. Because the application binds request parameters directly to internal configuration objects without an allow-list, the same effect can be triggered blindly through cross-site request forgery against an authenticated operator's browser. Publicly available exploit code exists (ZeroScience ZSL-2026-5997), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

CSRF Sip
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at just 0.16% (6th percentile), making this a patch-priority rather than emergency-response scenario.

Code Injection Drupal Core
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamically-determined PHP object attributes, potentially compromising confidentiality and data integrity of the application. Affected versions span multiple active and end-of-life branches: 10.5.x through 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and the entirely unsupported 11.0.x and 11.1.x branches. No public exploit code is identified at time of analysis, and EPSS at 0.16% (6th percentile) signals very low observed exploitation activity despite the C:H/I:H impact potential.

Code Injection Drupal Core
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. No confirmed active exploitation exists, and EPSS at 0.20% (10th percentile) reflects low observed threat pressure across the landscape, though a vendor patch has been issued per the Drupal security advisory.

Code Injection Eca
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Object injection in the Drupal Tealium iQ Tag Management contributed module (versions before 2.4.0) lets authenticated attackers manipulate dynamically-determined object attributes to compromise data confidentiality and integrity. Because the CVSS vector (AV:N/AC:L/PR:L) indicates a low-privileged authenticated user over the network, any user with a foothold on the site can potentially abuse the flaw; there is no public exploit identified at time of analysis and the EPSS probability is low (0.42%). Drupal has published advisory SA-CONTRIB-2026-064 and released a fixed version.

Code Injection Tealium Iq Tag Management
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Object injection in the Drupal Plotly.js Graphing contributed module (all releases 0.0.0 through 3.0.2) lets an authenticated attacker with low privileges tamper with dynamically-determined object attributes, undermining both confidentiality and integrity of the site. The flaw stems from improperly controlled modification of object properties (CWE-915), and the network-reachable, low-complexity CVSS 3.1 vector (8.1) reflects meaningful severity; however, EPSS is only 0.16% (6th percentile) and no public exploit identified at time of analysis. It is not listed in CISA KEV.

Code Injection Plotly Js Graphing
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Object injection in the Drupal contrib module Flag attendance field (all versions up to and including 1.2) lets an authenticated user with low privileges pass attacker-controlled data into a dynamically-determined object attribute (CWE-915), enabling PHP object injection and high-impact compromise of data confidentiality and integrity. The Drupal Security Team published advisory SA-CONTRIB-2026-049 and a fixed release is available. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.17%, 7th percentile).

Code Injection Flag Attendance Field
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Object injection in the Drupal Formatter Field contributed module (all versions from 0.0.0 up to but not including 2.0.0) allows remote unauthenticated attackers to improperly modify dynamically-determined object attributes, potentially leading to arbitrary code execution or full site compromise. The flaw carries a CVSS 9.8 rating, but with no public exploit identified and a low EPSS probability (0.17%, 7th percentile), and SSVC currently rates exploitation as 'none'. A vendor patch is available via Drupal advisory SA-CONTRIB-2026-048.

Code Injection Formatter Field
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy