CWE-829
Inclusion of Functionality from Untrusted Control Sphere
MITRE
No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
showing 10 of 10
- CVE-2026-53810 · High · 8.8 · EPSS 0% · 18 h ago
OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata
- CVE-2025-32463 · Critical · 9.3 · KEV · EXPLOIT · EPSS 57% · 21 h ago
Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
- CVE-2026-46529 — EPSS 0% · 1 d ago
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution
- CVE-2026-47174 — EPSS 0% · 1 d ago
In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment sec
- CVE-2026-47172 — EPSS 0% · 1 d ago
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow
- CVE-2026-52858 — EPSS 0% · 1 d ago
Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +pytho
- CVE-2022-49036 · High · 7.8 · EPSS 0% · 2 d ago
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified
- CVE-2026-47292 · High · 7.8 · EPSS 0% · 3 d ago
Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
- CVE-2026-4255 · High · 7.8 · EPSS 0% · 4 d ago
A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Windows (64-bit) allows a local attacker to escalate privileges via DLL side-loading. The application loads certain dynamic-link library (DLL) dependencies using t
- CVE-2026-11269 · High · 7.1 · EPSS 0% · 4 d ago
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity:
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.