CWE • Base • Incomplete • 20 recent CVEs
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Common consequences
- Integrity → Modify Application Data: An attacker could modify sensitive data or program variables.
- Integrity → Execute Unauthorized Code or Commands
- Other, Integrity → Varies by Context, Alter Execution Logic
Potential mitigations
- Architecture and Design, Implementation: If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- Implementation: For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
- Implementation, Architecture and Design: Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
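The allowlist mitigation above, shown beside the pattern it replaces. This is an added example, not part of the CWE entry; the `Account` model, its field names, the helper functions and the sample payload are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    # Constructed model for illustration; field names are assumptions.
    username: str
    email: str
    display_name: str = ""
    is_admin: bool = False
    balance_cents: int = 0

def update_unsafe(account, payload):
    """Weak pattern: every key in the request selects an attribute to set."""
    for name, value in payload.items():
        setattr(account, name, value)
    return account

# Only these fields may be set from request data, with the type each must have.
EDITABLE_FIELDS = {"email": str, "display_name": str}

class RejectedField(ValueError):
    pass

def update_allowlisted(account, payload):
    """Validate the whole payload first, then apply it, so a rejected
    request never leaves the object half-updated."""
    for name, value in payload.items():
        if name not in EDITABLE_FIELDS:
            raise RejectedField(f"field not modifiable: {name!r}")
        if not isinstance(value, EDITABLE_FIELDS[name]):
            raise RejectedField(f"wrong type for {name!r}")
    for name, value in payload.items():
        setattr(account, name, value)
    return account

# Constructed request body: a profile edit carrying one extra key.
SAMPLE_PAYLOAD = {"display_name": "Alice", "is_admin": True}

def demo():
    weak = update_unsafe(Account("alice", "a@example.test"), dict(SAMPLE_PAYLOAD))
    hardened = Account("alice", "a@example.test")
    try:
        update_allowlisted(hardened, dict(SAMPLE_PAYLOAD))
        rejected = False
    except RejectedField:
        rejected = True
    return weak.is_admin, hardened.is_admin, hardened.display_name, rejected

if __name__ == "__main__":
    print(demo())
```

Rejecting the whole request rather than silently dropping unknown keys also gives logging a clear signal that a client tried to set a field it should not touch.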
Recent CVEs classified under this CWE
CVE-2026-464802026-06-08CVE-2026-464792026-06-08CVE-2026-464782026-06-08CVE-2026-464772026-06-08CVE-2026-464762026-06-08CVE-2026-464752026-06-08CVE-2026-464412026-06-08CVE-2026-428632026-06-08CVE-2026-428622026-06-08CVE-2026-428612026-06-08CVE-2026-425404.32026-06-04CVE-2026-450582026-05-28CVE-2026-446357.52026-05-27CVE-2026-481509.02026-05-27CVE-2026-83274.32026-05-21CVE-2026-63666.62026-05-19CVE-2026-467212026-05-19CVE-2026-453965.42026-05-15CVE-2026-452298.82026-05-13CVE-2026-312525.72026-05-11