
CWE-627 (Dynamic Variable Evaluation) — Vulnerability Class 5

5 vulnerabilities classified as CWE-627 (Dynamic Variable Evaluation). AI Chinese analysis included.

CWE-627 is an input validation weakness that occurs in dynamic language environments where user-supplied data influences the name of a variable or function resolved at runtime. When those names are not constrained, an attacker can supply strings that resolve to arbitrary variables or functions, bypassing the controls the application intended to enforce. Exploitation typically consists of crafting a name that causes the interpreter to read or write sensitive program state or to take an unintended code path, which can lead to data exfiltration or remote code execution. To mitigate the risk, developers must validate all user input before it is used in a dynamic evaluation context: enforce a strict allowlist of permitted variable and function names, never concatenate user data directly into a variable reference, and use static analysis tooling to flag unsafe dynamic evaluations.

MITRE CWE Description
In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions. The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Modify Application Data, Execute Unauthorized Code or Commands
Note: An attacker could gain unauthorized access to internal program variables and execute arbitrary code.

Mitigations (3)
Implementation: Refactor the code to avoid dynamic variable evaluation whenever possible.
Implementation: Use only allowlists of acceptable variable or function names.
Implementation: For function names, ensure that you are only calling functions that accept the proper number of arguments, to avoid unexpected null arguments.
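
The weakness and the allowlist mitigation described above, as an added example that is not code from the CWE entry or from any project listed on this page: a small e-mail template renderer that resolves placeholders by variable name, first in the CWE-627 pattern and then with an allowlist. The function names, the SECRET_API_KEY value and the sample template are constructed for this illustration.

```python
"""Added example (not from the CWE entry or from any project listed on this
page): a tiny e-mail template renderer that resolves {placeholders} by
variable name, first the CWE-627 pattern, then the allowlisted fix.
All names here (render_unsafe, render_allowlisted, SECRET_API_KEY, the
sample template) are constructed for this illustration."""
import re

# Constructed module state: the kind of value a template author should
# never be able to reach through a placeholder name.
SECRET_API_KEY = "sk-example-not-real"

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


def render_unsafe(template, context):
    """CWE-627: the placeholder text is used directly as a variable name,
    so anything in the context *or* in this module's globals is readable."""
    scope = {**globals(), **context}
    return PLACEHOLDER.sub(lambda m: str(scope[m.group(1).strip()]), template)


# Mitigation from the page: an explicit allowlist of acceptable names.
ALLOWED_PLACEHOLDERS = frozenset({"first_name", "event_name"})


def render_allowlisted(template, context):
    """Only allowlisted names resolve; any other name is a hard error
    instead of a lookup into arbitrary program state."""
    def resolve(match):
        name = match.group(1).strip()
        if name not in ALLOWED_PLACEHOLDERS:
            raise ValueError(f"placeholder not allowed: {name!r}")
        return str(context.get(name, ""))
    return PLACEHOLDER.sub(resolve, template)


if __name__ == "__main__":
    ctx = {"first_name": "Ada", "event_name": "PyConf"}
    template = "Hi {first_name}, see you at {event_name}."
    print(render_unsafe(template, ctx))       # both render normally
    print(render_allowlisted(template, ctx))
    # The same placeholder syntax pointed at module state: leaks under the
    # unsafe renderer, rejected by the allowlisted one.
    leaky = "key={SECRET_API_KEY}"
    print(render_unsafe(leaky, ctx))
    try:
        render_allowlisted(leaky, ctx)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlisted renderer also fails closed on a name that is merely unfamiliar, which is the behaviour a reviewer should look for when auditing template code against this CWE.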
CVE ID         | Title                                                             | CVSS     | Severity  | Published
CVE-2026-2452  | Unsafe variable evaluation in email templates — pretix-newsletter | 7.5 (AI) | High (AI) | 2026-02-16
CVE-2026-2451  | Unsafe variable evaluation in email templates — pretix-doistep    | 7.5 (AI) | High (AI) | 2026-02-16
CVE-2026-2415  | Unsafe variable evaluation in email templates — pretix            | 7.5 (AI) | High (AI) | 2026-02-16
CVE-2024-8953  | Unsafe eval usage in composiohq/composio — composiohq/composio    | 9.8      | -         | 2025-03-20
CVE-2023-31032 | CVE — DGX A100                                                    | 7.5      | High      | 2024-01-12

(AI) marks a value tagged as AI-generated on the source page.

Vulnerabilities classified as CWE-627 (Dynamic Variable Evaluation) represent 5 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.