CVEs classified under CWE-915, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-50160 — CVSS 10.0 (critical): Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the…
CVE-2026-33453 — CVSS 10.0 (critical): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache…
CVE-2025-58367: DeepDiff is a project focused on Deep Difference and search of any Python data. Versions 5.0.0 through 8.6.0 are vulnerable to class…
CVE-2026-56142 — CVSS 9.9 (critical): In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by…
CVE-2025-2304: A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the 'updated_ajax'…
CVE-2025-24370: Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to…
CVE-2026-34179 — CVSS 9.1 (critical): In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when…
CVE-2024-0404 — CVSS 9.1 (critical): A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing…
CVE-2026-48150 — CVSS 9.0 (critical): Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware…
CVE-2026-46480 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and…
CVE-2026-46479 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and…
CVE-2026-46478 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and…
CVE-2026-46477 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update…
CVE-2026-46476 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and…
CVE-2026-46475 — CVSS 8.8 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and…
CVE-2026-45229 — CVSS 8.8 (high): Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to…
CVE-2026-41139 — CVSS 8.8 (high): Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be…
CVE-2026-6912 — CVSS 8.8 (high): Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel…
CVE-2026-40897 — CVSS 8.8 (high): Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary…
CVE-2026-34427 — CVSS 8.8 (high): Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated…
CVE-2026-5708 — CVSS 8.8 (high): Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to…
CVE-2026-34406 — CVSS 8.8 (high): APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed for penetration…
CVE-2026-29056 — CVSS 8.8 (high): Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint…
CVE-2025-15602 — CVSS 8.8 (high): Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against…
CVE-2023-32079 — CVSS 8.8 (high): Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a…
CVE-2026-45687 — CVSS 8.5 (high): Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5…
CVE-2026-54351 — CVSS 8.2 (high): Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes…
CVE-2026-22814: @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment…
CVE-2025-30358 — CVSS 8.1 (high): Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version…
CVE-2026-30822 — CVSS 7.7 (high): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can…
CVE-2025-52656 — CVSS 7.6 (high): HCL MyXalytics: 6.6. is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to…
CVE-2025-7104 — CVSS 7.5 (high): A mass assignment vulnerability exists in danny-avila/librechat, affecting all versions. This vulnerability allows attackers to manipulate…
CVE-2022-48359 — CVSS 7.5 (high): The recovery mode for updates has a vulnerability that causes arbitrary disk modification. Successful exploitation of this vulnerability…
CVE-2024-3283 — CVSS 7.2 (high): A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass…
CVE-2026-43925: FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment…
CVE-2026-27125 — CVSS 6.8 (medium): svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div…
CVE-2026-6366 — CVSS 6.6 (medium): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection…
CVE-2026-48943 — CVSS 6.5 (medium): K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field…
CVE-2026-42044 — CVSS 6.5 (medium): Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a…
CVE-2026-54601 — CVSS 6.3 (medium): FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to…
CVE-2025-9315: An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object…
CVE-2026-56276: Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly…
CVE-2026-55736: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the…
CVE-2025-13081 — CVSS 5.9 (medium): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object…
CVE-2026-45396 — CVSS 5.4 (medium): Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the POST…
CVE-2026-54516 — CVSS 5.3 (medium): jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until…
CVE-2026-54515 — CVSS 5.3 (medium): jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until…
CVE-2024-10359 — CVSS 4.6 (medium): In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in the preset creation functionality where a user can manipulate the…
CVE-2026-42540 — CVSS 4.3 (medium): IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28…
CVE-2026-40486 — CVSS 4.3 (medium): Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH…