CWE-627: Dynamic Variable Evaluation
Also known as: Dynamic evaluation
In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
Last updated
Overview
The resultant vulnerabilities depend on the behavior of the application, both at the crossover point and in any control/data flow that is reachable by the related variables or functions.
Background
Many interpreted languages support the use of a "$$varname" construct to set a variable whose name is specified by the $varname variable. In PHP, these are referred to as "variable variables." Functions might also be invoked using similar syntax, such as $$funcname(arg1, arg2).
Real-world CVEs
5 recorded CVEs are caused by CWE-627 (Dynamic Variable Evaluation). The highest-severity and most recent are shown first. 3 new CWE-627 CVEs have been recorded so far in 2026 (1 in 2025).