Common Weakness Enumeration

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2026-50281 (GCVE-0-2026-50281)

Vulnerability from cvelistv5 – Published: 2026-07-02 16:02 – Updated: 2026-07-02 19:44
VLAI
Title
Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
Summary
Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.7.0, < 5.9.21
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T19:33:59.852902Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T19:44:23.581Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.7.0, \u003c 5.9.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker\u0027s attributes into the victim\u0027s existing entry row. ElementsController::beforeAction() pulls the request body into $this-\u003e_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker\u0027s array to Craft::configure(), which  overwrites the reset id with any numeric value inside $newAttributes. PHP Yii\u0027s saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers\u0027s title, slug, authorId, postDate, and UID land on the victim\u0027s entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T16:02:14.029Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-x5m4-g2cq-52pq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x5m4-g2cq-52pq"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/8f6587c25050bbb6e080d59c71f6bb8932fc8600",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/8f6587c25050bbb6e080d59c71f6bb8932fc8600"
        }
      ],
      "source": {
        "advisory": "GHSA-x5m4-g2cq-52pq",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-50281",
    "datePublished": "2026-07-02T16:02:14.029Z",
    "dateReserved": "2026-06-04T16:26:05.985Z",
    "dateUpdated": "2026-07-02T19:44:23.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5248 (GCVE-0-2026-5248)

Vulnerability from cvelistv5 – Published: 2026-04-01 00:45 – Updated: 2026-04-01 12:14
VLAI
Title
gougucms User Registration Login.php reg_submit dynamically-determined object attributes
Summary
A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Dynamically-Determined Object Attributes
  • CWE-913 - Dynamically-Managed Code Resources
Assigner
References
URL Tags
https://vuldb.com/vuln/354429 vdb-entrytechnical-description
https://vuldb.com/vuln/354429/cti signaturepermissions-required
https://vuldb.com/submit/780589 third-party-advisory
https://thinhneee.github.io/posts/gougu-mass-assign/ exploit
Impacted products
Vendor Product Version
n/a gougucms Affected: 4.08.18
    cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*
Credits
thinhnee (VulDB User) VulDB
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5248",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T12:12:35.114498Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T12:14:32.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "User Registration Handler"
          ],
          "product": "gougucms",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "4.08.18"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "thinhnee (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\\app\\home\\controller\\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-913",
              "description": "Dynamically-Managed Code Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T00:45:12.460Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-354429 | gougucms User Registration Login.php reg_submit dynamically-determined object attributes",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/354429"
        },
        {
          "name": "VDB-354429 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/354429/cti"
        },
        {
          "name": "Submit #780589 | \u52fe\u80a1\u5f00\u6e90 gougucms v4.08.18 Business Logic Errors",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/780589"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://thinhneee.github.io/posts/gougu-mass-assign/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-31T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-31T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-31T18:06:04.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "gougucms User Registration Login.php reg_submit dynamically-determined object attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-5248",
    "datePublished": "2026-04-01T00:45:12.460Z",
    "dateReserved": "2026-03-31T16:00:46.705Z",
    "dateUpdated": "2026-04-01T12:14:32.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5251 (GCVE-0-2026-5251)

Vulnerability from cvelistv5 – Published: 2026-04-01 02:30 – Updated: 2026-04-01 13:12
VLAI
Title
z-9527 admin User Update Endpoint user.js dynamically-determined object attributes
Summary
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Dynamically-Determined Object Attributes
  • CWE-913 - Dynamically-Managed Code Resources
Assigner
References
URL Tags
https://vuldb.com/vuln/354441 vdb-entrytechnical-description
https://vuldb.com/vuln/354441/cti signaturepermissions-required
https://vuldb.com/submit/780607 third-party-advisory
https://github.com/CC-T-454455/Vulnerabilities/tr… exploit
Impacted products
Vendor Product Version
z-9527 admin Affected: 1.0
Affected: 2.0
Create a notification for this product.
Credits
VulDB
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T13:12:39.257313Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T13:12:46.568Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "User Update Endpoint"
          ],
          "product": "admin",
          "vendor": "z-9527",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            },
            {
              "status": "affected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-913",
              "description": "Dynamically-Managed Code Resources",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T02:30:14.392Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-354441 | z-9527 admin User Update Endpoint user.js dynamically-determined object attributes",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/354441"
        },
        {
          "name": "VDB-354441 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/354441/cti"
        },
        {
          "name": "Submit #780607 | z-9527 admin \u2264 commit 72aaf2d Dynamically-Determined Object Attributes",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/780607"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-11"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-31T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-31T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-31T18:16:45.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "z-9527 admin User Update Endpoint user.js dynamically-determined object attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-5251",
    "datePublished": "2026-04-01T02:30:14.392Z",
    "dateReserved": "2026-03-31T16:11:37.477Z",
    "dateUpdated": "2026-04-01T13:12:46.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54351 (GCVE-0-2026-54351)

Vulnerability from cvelistv5 – Published: 2026-06-26 20:45 – Updated: 2026-06-29 15:19
VLAI
Title
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
Summary
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim's workspace, granting full read/write access to the victim's database. This vulnerability is fixed in 3.39.9.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
Vendor Product Version
Budibase budibase Affected: < 3.39.9
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54351",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T15:02:38.654892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T15:19:57.939Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "budibase",
          "vendor": "Budibase",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.39.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId property by including it in the webhook POST body. When the automation is processed asynchronously (the default path for webhooks without a collect step), the worker executes the attacker-defined automation in the context of the victim\u0027s workspace, granting full read/write access to the victim\u0027s database. This vulnerability is fixed in 3.39.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T20:45:35.017Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-rgvg-3wpc-h44p"
        }
      ],
      "source": {
        "advisory": "GHSA-rgvg-3wpc-h44p",
        "discovery": "UNKNOWN"
      },
      "title": "Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54351",
    "datePublished": "2026-06-26T20:45:35.017Z",
    "dateReserved": "2026-06-12T19:23:22.317Z",
    "dateUpdated": "2026-06-29T15:19:57.939Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54515 (GCVE-0-2026-54515)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:50 – Updated: 2026-06-24 12:22
VLAI
Title
jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
Summary
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
Impacted products
Vendor Product Version
FasterXML jackson-databind Affected: >= 2.8.0, < 2.18.9
Affected: >= 2.19.0, < 2.21.5
Affected: >= 3.1.0, < 3.1.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:21:39.803339Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:22:56.445Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jackson-databind",
          "vendor": "FasterXML",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.8.0, \u003c 2.18.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, \u003c 2.21.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map \u2014 restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:52:23.714Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5jmj-h7xm-6q6v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-5jmj-h7xm-6q6v"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/issues/5962",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/5962"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/issues/5964",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/5964"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/0e1b0b211f7a53baa62ba2f4c9bd006c7bf4d5fa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/0e1b0b211f7a53baa62ba2f4c9bd006c7bf4d5fa"
        }
      ],
      "source": {
        "advisory": "GHSA-5jmj-h7xm-6q6v",
        "discovery": "UNKNOWN"
      },
      "title": "jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54515",
    "datePublished": "2026-06-23T20:50:25.715Z",
    "dateReserved": "2026-06-15T18:40:01.650Z",
    "dateUpdated": "2026-06-24T12:22:56.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54516 (GCVE-0-2026-54516)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:48 – Updated: 2026-06-24 13:00
VLAI
Title
jackson-databind: Renamed @JsonIgnore'd setters can deserialize via private fields
Summary
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
Impacted products
Vendor Product Version
FasterXML jackson-databind Affected: >= 2.21.0, < 2.21.4
Affected: >= 3.0.0, < 3.1.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54516",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T13:00:07.957018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T13:00:17.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jackson-databind",
          "vendor": "FasterXML",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.21.0, \u003c 2.21.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty(\"renamed\") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:48:52.730Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-9fxm-vc8v-hj55",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-9fxm-vc8v-hj55"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/pull/5967",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/pull/5967"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/pull/5968",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/pull/5968"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/c3d56dd25d52319828147c5b9aeabf2d485c250a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/c3d56dd25d52319828147c5b9aeabf2d485c250a"
        },
        {
          "name": "https://github.com/FasterXML/jackson-databind/commit/e88cb17006b6af4883b973058f0bb6486e5074af",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/e88cb17006b6af4883b973058f0bb6486e5074af"
        }
      ],
      "source": {
        "advisory": "GHSA-9fxm-vc8v-hj55",
        "discovery": "UNKNOWN"
      },
      "title": "jackson-databind: Renamed @JsonIgnore\u0027d setters can deserialize via private fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54516",
    "datePublished": "2026-06-23T20:48:52.730Z",
    "dateReserved": "2026-06-15T18:40:01.650Z",
    "dateUpdated": "2026-06-24T13:00:17.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54601 (GCVE-0-2026-54601)

Vulnerability from cvelistv5 – Published: 2026-07-07 21:16 – Updated: 2026-07-08 13:53
VLAI
Title
FastGPT: reTrainingCollection allows server-owned datasetId override causing cross-tenant authorization confusion
Summary
FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
Impacted products
Vendor Product Version
labring FastGPT Affected: >= 4.14.17, < 4.15.0-beta4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54601",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T13:52:48.582115Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-08T13:53:13.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qxcq-48gr-93pj"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FastGPT",
          "vendor": "labring",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.14.17, \u003c 4.15.0-beta4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixed dataset objects and downstream dataset, collection, and training endpoints then make authorization decisions from inconsistent ownership anchors, allowing cross-tenant read, update, and delete access when mixed object ids are known. This issue is fixed in version 4.15.0-beta4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T21:16:12.976Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/labring/FastGPT/security/advisories/GHSA-qxcq-48gr-93pj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/labring/FastGPT/security/advisories/GHSA-qxcq-48gr-93pj"
        },
        {
          "name": "https://github.com/labring/FastGPT/pull/7071",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/pull/7071"
        },
        {
          "name": "https://github.com/labring/FastGPT/commit/54a53e7d4399f1dfa2913394442c3cf6de672fb3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/commit/54a53e7d4399f1dfa2913394442c3cf6de672fb3"
        },
        {
          "name": "https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta4"
        }
      ],
      "source": {
        "advisory": "GHSA-qxcq-48gr-93pj",
        "discovery": "UNKNOWN"
      },
      "title": "FastGPT: reTrainingCollection allows server-owned datasetId override causing cross-tenant authorization confusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54601",
    "datePublished": "2026-07-07T21:16:12.976Z",
    "dateReserved": "2026-06-15T19:45:23.539Z",
    "dateUpdated": "2026-07-08T13:53:13.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55223 (GCVE-0-2026-55223)

Vulnerability from cvelistv5 – Published: 2026-06-30 22:56 – Updated: 2026-07-01 13:38
VLAI
Title
c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties
Summary
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
Vendor Product Version
swaldman c3p0 Affected: < 0.14.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T13:37:58.554398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T13:38:12.928Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "c3p0",
          "vendor": "swaldman",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \"sink\" for  deserialization gadgets. The JDBC spec\u0027s DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \"properties\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties \u2014 triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T22:56:55.895Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58"
        },
        {
          "name": "https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27"
        }
      ],
      "source": {
        "advisory": "GHSA-w6w4-rjh9-9r58",
        "discovery": "UNKNOWN"
      },
      "title": "c3p0 exposes a deserialization \"sink\" via JDBC DataSource bean properties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55223",
    "datePublished": "2026-06-30T22:56:55.895Z",
    "dateReserved": "2026-06-16T16:16:32.628Z",
    "dateUpdated": "2026-07-01T13:38:12.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-55736 (GCVE-0-2026-55736)

Vulnerability from cvelistv5 – Published: 2026-06-23 18:21 – Updated: 2026-07-09 14:53
VLAI
Title
Private action arguments can be set by user input in Ash
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete. In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary. An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation. This issue affects ash: from 3.0.0 before 3.29.3.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
EEF
Impacted products
Vendor Product Version
ash-project ash Affected: 3.0.0 , < 3.29.3 (semver)
    cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Create a notification for this product.
ash-project ash Affected: 5967ed3a483ab949866e6d7b043b043e61703f17 , < d9b3100219b3ea86d73202bf7368c03a7688efea (git)
    cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Alfred Vié Zach Daniel Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55736",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:53:04.134939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:53:33.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ash.Changeset\u0027"
          ],
          "packageName": "ash",
          "packageURL": "pkg:hex/ash",
          "product": "ash",
          "programFiles": [
            "lib/ash/changeset/changeset.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
            }
          ],
          "repo": "https://github.com/ash-project/ash",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "3.29.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Ash.Changeset\u0027"
          ],
          "packageName": "ash-project/ash",
          "packageURL": "pkg:github/ash-project/ash",
          "product": "ash",
          "programFiles": [
            "lib/ash/changeset/changeset.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
            },
            {
              "name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
            }
          ],
          "repo": "https://github.com/ash-project/ash",
          "vendor": "ash-project",
          "versions": [
            {
              "lessThan": "d9b3100219b3ea86d73202bf7368c03a7688efea",
              "status": "affected",
              "version": "5967ed3a483ab949866e6d7b043b043e61703f17",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn action must declare a private argument (one defined with \u003ctt\u003epublic?: false\u003c/tt\u003e) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into \u003ctt\u003eAsh.Changeset.for_create/3\u003c/tt\u003e, \u003ctt\u003efor_update/3\u003c/tt\u003e, \u003ctt\u003efor_destroy/3\u003c/tt\u003e, or into an atomic or bulk update.\u003c/p\u003e"
            }
          ],
          "value": "An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.29.3",
                  "versionStartIncluding": "3.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alfred Vi\u00e9"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Zach Daniel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\u003cp\u003eAction arguments declared with \u003ctt\u003epublic?: false\u003c/tt\u003e are meant to be set internally (for example via \u003ctt\u003eAsh.Changeset.set_private_argument/3\u003c/tt\u003e) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\u003c/p\u003e\u003cp\u003eIn the regular changeset path (\u003ctt\u003efor_create\u003c/tt\u003e, \u003ctt\u003efor_update\u003c/tt\u003e, \u003ctt\u003efor_destroy\u003c/tt\u003e), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (\u003ctt\u003eAsh.Changeset.fully_atomic_changeset/4\u003c/tt\u003e, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\u003c/p\u003e\u003cp\u003eAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an \u003ctt\u003eacting_user_id\u003c/tt\u003e driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from 3.0.0 before 3.29.3.\u003c/p\u003e"
            }
          ],
          "value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\n\nAction arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\n\nIn the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\n\nAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\n\nThis issue affects ash: from 3.0.0 before 3.29.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T18:21:13.033Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-55736.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-55736"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Private action arguments can be set by user input in Ash",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-55736",
    "datePublished": "2026-06-23T18:21:13.033Z",
    "dateReserved": "2026-06-17T10:44:34.365Z",
    "dateUpdated": "2026-07-09T14:53:33.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56276 (GCVE-0-2026-56276)

Vulnerability from cvelistv5 – Published: 2026-06-20 15:24 – Updated: 2026-06-22 13:50
VLAI
Title
Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override
Summary
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
Impacted products
Vendor Product Version
Flowise Flowise Affected: 0 , < 3.1.2 (semver)
Unaffected: 3.1.2 (semver)
Create a notification for this product.
Date Public
2026-05-14 00:00
Credits
berkdedekarginoglu
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56276",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T13:49:32.938401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T13:50:11.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/flowise",
          "product": "Flowise",
          "vendor": "Flowise",
          "versions": [
            {
              "lessThan": "3.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "3.1.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.1.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "berkdedekarginoglu"
        }
      ],
      "datePublic": "2026-05-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-20T15:24:44.035Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GHSA Advisory GHSA-59fh-9f3p-7m39",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-59fh-9f3p-7m39"
        },
        {
          "name": "VulnCheck Advisory: Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/flowise-mass-assignment-in-put-api-v1-user-allows-password-hash-override"
        }
      ],
      "title": "Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-56276",
    "datePublished": "2026-06-20T15:24:44.035Z",
    "dateReserved": "2026-06-20T01:47:54.001Z",
    "dateUpdated": "2026-06-22T13:50:11.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Implementation

Description:

  • If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.
  • For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
Mitigation

Phases: Architecture and Design, Implementation

Description:

  • If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation

Phase: Implementation

Strategy: Input Validation

Description:

  • For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Mitigation

Phases: Implementation, Architecture and Design

Strategy: Refactoring

Description:

  • Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page