Threats Tagged 'cwe-915'

A vulnerability in FasterXML jackson-databind versions from 2.21.0 until 2.21.4 and 3.1.4 allows an attacker to bypass @JsonIgnore on a setter by renaming a property with @JsonProperty on the getter. This leads to direct modification of a private backing field during deserialization. The issue is fixed in version 3.1.4.

A vulnerability in FasterXML jackson-databind versions from 2.8.0 until fixed versions allows ignored properties to become writable again due to improper handling of property exclusions combined with case-insensitivity processing. This issue is identified as CWE-915 and affects the BeanDeserializerBase.createContextual() method. The vulnerability has a medium severity with a CVSS score of 5.3 and is fixed in versions 2.18.9, 2.21.5, and 3.1.4.

CVE-2026-55736 is a vulnerability in ash-project ash versions from 3.0.0 up to but not including 3.29.3. It allows users to set private action arguments that should only be controlled by trusted server-side code due to incomplete filtering of private arguments in changesets. This can lead to integrity violations or privilege escalation depending on how the private arguments are used by the application.

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2.

FlowiseAI Flowise versions prior to 3.1.2 contain a vulnerability where the DatasetRow create and update functionality allows mass-assignment that can lead to cross-workspace row takeover. This issue is classified under CWE-915, indicating improper control of dynamically-determined object attributes. The vulnerability has been fixed in version 3.1.2.

Flowise versions prior to 3.1.2 contain a vulnerability where mass-assignment in dataset creation and update allows cross-workspace dataset takeover. This issue has been addressed in version 3.1.2. The vulnerability involves improperly controlled modification of dynamically-determined object attributes, classified as CWE-915.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2.