CWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes

Abstraction: Base · CVEs in our corpus: 75

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)AI

Control	Title	Family	Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE	Risk	CVSS	EPSS	Published
`CVE-2024-5452`	5.7	9.8	0.6262	2024-06-06
`CVE-2022-4068`	4.3	5.4	0.5437	2022-11-20
`CVE-2025-68109`	3.3	9.1	0.2544	2025-12-17
`CVE-2024-55636`	2.6	9.8	0.1147	2024-12-10
`CVE-2024-55637`	2.6	9.8	0.0998	2024-12-10
`CVE-2024-55638`	2.6	9.8	0.0993	2024-12-10
`CVE-2022-43441`	2.0	8.1	0.0690	2023-03-16
`CVE-2026-27591`	2.0	9.9	0.0009	2026-03-11
`CVE-2026-32640`	2.0	9.8	0.0005	2026-03-16
`CVE-2026-34208`	2.0	10.0	0.0020	2026-04-06
`CVE-2026-33453`	2.0	10.0	0.0046	2026-04-27
`CVE-2026-22783`	1.9	9.6	0.0009	2026-01-12
`CVE-2019-9057`	1.8	8.8	0.0091	2019-03-26
`CVE-2020-11066`	1.8	8.7	0.0053	2020-05-14
`CVE-2023-32079`	1.8	8.8	0.0055	2023-08-24
`CVE-2024-0404`	1.8	9.1	0.0025	2024-04-16
`CVE-2025-30358`	1.8	8.1	0.0369	2025-03-27
`CVE-2025-15602`	1.8	8.8	0.0003	2026-03-06
`CVE-2026-29056`	1.8	8.8	0.0024	2026-03-18
`CVE-2026-34406`	1.8	8.8	0.0041	2026-03-31
`CVE-2026-5708`	1.8	8.8	0.0007	2026-04-06
`CVE-2026-34179`	1.8	9.1	0.0011	2026-04-09
`CVE-2026-34427`	1.8	8.8	0.0033	2026-04-20
`CVE-2026-40569`	1.8	9.0	0.0006	2026-04-21
`CVE-2026-41277`	1.8	8.8	0.0013	2026-04-23