VYPR

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Abstraction: Base, Status: Draft

Description

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
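The pattern the description warns about, shown as an added example (not code from CWE or from any of the products listed below): a Python request dispatcher that takes a "module:attribute" string straight from the request and resolves it with importlib and getattr, beside a version that only ever uses the request value as a key into a fixed registry. The Java shape is the same (Class.forName on a request parameter followed by newInstance). The report handlers, the run_report endpoint and the attacker input are assumptions made for this example.

```python
"""Added example: externally controlled input selecting code (CWE-470).

A request carries a 'handler' value. The vulnerable loader lets that value
name any importable module and attribute; the hardened loader only lets it
pick a key in a fixed registry. The 'sum'/'max' report handlers and the
run_report endpoint are hypothetical and exist only for this example.
"""
import importlib
from typing import Callable, Dict, Sequence


def load_handler_unsafe(spec: str) -> Callable:
    """Vulnerable: 'module:attribute' is taken verbatim from the request.

    importlib.import_module() executes the named module's top-level code
    and getattr() returns whatever the caller named, so 'os:system' or
    'subprocess:Popen' are reachable with no check at all. A type check
    after this point is too late: the import side effects already ran.
    """
    module_name, _, attr = spec.partition(":")
    module = importlib.import_module(module_name)   # attacker chooses the module
    return getattr(module, attr)                     # ... and the callable in it


# Hardened: the request value is only ever a dictionary key.
def _sum_report(values: Sequence[float]) -> float:
    return float(sum(values))


def _max_report(values: Sequence[float]) -> float:
    return float(max(values))


HANDLERS: Dict[str, Callable[[Sequence[float]], float]] = {
    "sum": _sum_report,
    "max": _max_report,
}


def load_handler_safe(name: str) -> Callable[[Sequence[float]], float]:
    """Reject anything that is not a registered handler name.

    No reflection is involved: untrusted data never becomes a module,
    class or attribute name, so a new handler can only be exposed by an
    explicit code change to HANDLERS.
    """
    handler = HANDLERS.get(name)
    if handler is None:
        raise ValueError(f"unknown handler {name!r}")
    return handler


def run_report(handler_name: str, values: Sequence[float], safe: bool = True) -> float:
    """Dispatch one request the way a web endpoint might (safe by default)."""
    loader = load_handler_safe if safe else load_handler_unsafe
    return loader(handler_name)(values)


if __name__ == "__main__":
    import os
    # Constructed attacker input: a module and attribute the developer never
    # meant to expose. 'os:getcwd' is a harmless stand-in for 'os:system'.
    hostile = "os:getcwd"
    print("unsafe loader resolves attacker input:", load_handler_unsafe(hostile) is os.getcwd)
    try:
        load_handler_safe(hostile)
    except ValueError as exc:
        print("safe loader rejects it:", exc)
    print("safe sum:", run_report("sum", [1, 2, 3]))
```

The registry approach is the general fix for every entry below that takes a class, method or module name from a request: keep the user-facing name and the code it maps to in a table the developer controls, and never let the input reach a loader (importlib, Class.forName, a script engine without a class filter) at all. Validating the loaded object afterwards does not help, because loading already executed the module's or class's initialisation code.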

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-138

CVEs mapped to this weakness (36)

page 1 of 2
  • CVE-2026-42027 | Critical | May 4, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via…

  • CVE-2026-46562 | Critical | May 27, 2026
    risk 0.59 | CVSS n/a | EPSS 0.01

    Remote Code Execution via Mission Database algorithm override. Summary: The Nashorn ScriptEngine used to evaluate user-supplied algorithm text in MdbOverrideApi.updateAlgorithm is constructed without a ClassFilter, allowing a user with the ChangeMissionDatabase…

  • CVE-2018-1000613 | Critical | Jul 9, 2018
    risk 0.57 | CVSS 9.8 | EPSS 0.05

    Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that…

  • CVE-2024-7059 | High | Nov 5, 2024
    risk 0.52 | CVSS 8.0 | EPSS 0.01

    A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product line.

  • CVE-2018-5511 | High | Apr 13, 2018
    risk 0.51 | CVSS 7.2 | EPSS 0.15

    On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

  • CVE-2026-44011 | High | May 12, 2026
    risk 0.49 | CVSS n/a | EPSS 0.00

    Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The…

  • CVE-2026-44339 | High | May 8, 2026
    risk 0.49 | CVSS 8.6 | EPSS 0.00

    PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default…

  • CVE-2026-8178 | High | May 8, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.01

    An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in…

  • CVE-2026-41175 | High | Apr 22, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.…

  • CVE-2024-53850 | High | Dec 26, 2024
    risk 0.46 | CVSS 8.2 | EPSS 0.01

    The Addressing GLPI plugin enables you to create IP reports for visualizing IP addresses used and free on a given network. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.

  • CVE-2026-44795 | High | Jun 22, 2026
    risk 0.45 | CVSS n/a | EPSS n/a

    Impact: There is an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing CloudFormation deployments or CloudFoundry Baking. Use of a non-safe constructor allows arbitrary loading of Java classes leading to…

  • CVE-2025-12967 | High | Nov 10, 2025
    risk 0.45 | CVSS 8.0 | EPSS 0.00

    An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We…

  • CVE-2024-1574 | Medium | Jul 4, 2024
    risk 0.44 | CVSS 6.7 | EPSS 0.00

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper…

  • CVE-2026-34216 | Medium | May 19, 2026
    risk 0.43 | CVSS 6.6 | EPSS 0.01

    CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation…

  • CVE-2026-46718 | Medium | Jun 2, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.

  • CVE-2025-31119 | High | Apr 3, 2025
    risk 0.42 | CVSS 7.6 | EPSS 0.00

    generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as Entity Audit Framework. If an attacker manages to place some malicious classes…

  • CVE-2018-25239 | Medium | Apr 4, 2026
    risk 0.40 | CVSS 6.2 | EPSS 0.00

    Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled…

  • CVE-2017-7536 | High | Jan 10, 2018
    risk 0.39 | CVSS 7.0 | EPSS 0.00

    In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By…

  • CVE-2026-44174 | High | May 26, 2026
    risk 0.38 | CVSS n/a | EPSS 0.00

    TL;DR: This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. Introduction: Arbitrary method call is…

  • CVE-2004-2331 | Medium | Dec 31, 2004
    risk 0.36 | CVSS 5.5 | EPSS 0.01

    ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.