CWE-627 5 CVEs MITRE definition ↗

CWE-627: Dynamic Variable Evaluation

Overview

CWE-627 (Dynamic Variable Evaluation) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact
Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.

Background details

Extended context from the CWE catalog (rendered from MITRE XHTML).

Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).

Applicable platforms

Kind Name Class Prevalence OS / CPE
language PHP Undetermined
language Perl Undetermined

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2026-2452 2026-02-16 Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2026-2451 2026-02-16 Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2026-2415 2026-02-16 Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final…
CVE-2024-8953 2025-03-20 In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted in…
CVE-2023-31032 2024-01-12 NVIDIA DGX A100 SBIOS contains a vulnerability where a user may cause a dynamic variable evaluation by local access. A successful exploit of this vulnerability may lead to denial of service.

Content submission

Name
CWE Content Team
Organization
MITRE
Date
2007-05-07
Version
Draft 6

Content modifications

Date Name Version Importance Comment
2008-07-01 Eric Dalci 1.0 updated Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Applicable_Platforms, Relationships
2008-10-14 CWE Content Team 1.0.1 updated Background_Details, Description
2011-03-29 CWE Content Team 1.12 updated Description
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Common_Consequences, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2013-02-21 CWE Content Team 2.4 updated Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
2014-07-30 CWE Content Team 2.8 updated Relationships
2017-11-08 CWE Content Team 3.0 updated References
2020-02-24 CWE Content Team 4.0 updated Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2023-04-27 CWE Content Team 4.11 updated References, Relationships, Type
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
cvelogic Threat Intelligence