CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Description
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-138
CVEs mapped to this weakness (36)
page 1 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42027 | Cri | 0.64 | 9.8 | 0.01 | May 4, 2026 | Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via… | ||
| CVE-2026-46562 | cri | 0.59 | — | 0.01 | May 27, 2026 | # Remote Code Execution via Mission Database algorithm override ## Summary The Nashorn `ScriptEngine` used to evaluate user-supplied algorithm text in `MdbOverrideApi.updateAlgorithm` is constructed without a `ClassFilter`, allowing a user with the `ChangeMissionDatabase`… | ||
| CVE-2018-1000613 | — | Cri | 0.57 | 9.8 | 0.05 | Jul 9, 2018 | Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that… | |
| CVE-2024-7059 | Hig | 0.52 | 8.0 | 0.01 | Nov 5, 2024 | A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product line. | ||
| CVE-2018-5511 | Hig | 0.51 | 7.2 | 0.15 | Apr 13, 2018 | On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. | ||
| CVE-2026-44011 | Hig | 0.49 | — | 0.00 | May 12, 2026 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The… | ||
| CVE-2026-44339 | Hig | 0.49 | 8.6 | 0.00 | May 8, 2026 | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default… | ||
| CVE-2026-8178 | Hig | 0.46 | 8.1 | 0.01 | May 8, 2026 | An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in… | ||
| CVE-2026-41175 | Hig | 0.46 | 8.1 | 0.00 | Apr 22, 2026 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.… | ||
| CVE-2024-53850 | Hig | 0.46 | 8.2 | 0.01 | Dec 26, 2024 | The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI. | ||
| CVE-2026-44795 | hig | 0.45 | — | — | Jun 22, 2026 | ### Impact There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing: * CloudFormation deployments * CloudFoundry Baking The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to… | ||
| CVE-2025-12967 | Hig | 0.45 | 8.0 | 0.00 | Nov 10, 2025 | An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We… | ||
| CVE-2024-1574 | Med | 0.44 | 6.7 | 0.00 | Jul 4, 2024 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper… | ||
| CVE-2026-34216 | Med | 0.43 | 6.6 | 0.01 | May 19, 2026 | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation… | ||
| CVE-2026-46718 | Med | 0.42 | 6.5 | 0.00 | Jun 2, 2026 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue. | ||
| CVE-2025-31119 | Hig | 0.42 | 7.6 | 0.00 | Apr 3, 2025 | generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as Entity Audit Framework. If an attacker manages to place some malicious classes… | ||
| CVE-2018-25239 | — | Med | 0.40 | 6.2 | 0.00 | Apr 4, 2026 | Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled… | |
| CVE-2017-7536 | — | Hig | 0.39 | 7.0 | 0.00 | Jan 10, 2018 | In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By… | |
| CVE-2026-44174 | hig | 0.38 | — | 0.00 | May 26, 2026 | ### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** ---- ### Introduction Arbitrary method call is… | ||
| CVE-2004-2331 | Med | 0.36 | 5.5 | 0.01 | Dec 31, 2004 | ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag. |
- risk 0.64cvss 9.8epss 0.01
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via…
- risk 0.59cvss —epss 0.01
# Remote Code Execution via Mission Database algorithm override ## Summary The Nashorn `ScriptEngine` used to evaluate user-supplied algorithm text in `MdbOverrideApi.updateAlgorithm` is constructed without a `ClassFilter`, allowing a user with the `ChangeMissionDatabase`…
- risk 0.57cvss 9.8epss 0.05
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that…
- risk 0.52cvss 8.0epss 0.01
A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product line.
- risk 0.51cvss 7.2epss 0.15
On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
- risk 0.49cvss —epss 0.00
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The…
- risk 0.49cvss 8.6epss 0.00
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default…
- risk 0.46cvss 8.1epss 0.01
An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in…
- risk 0.46cvss 8.1epss 0.00
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.…
- risk 0.46cvss 8.2epss 0.01
The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.
- risk 0.45cvss —epss —
### Impact There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when when performing: * CloudFormation deployments * CloudFoundry Baking The usage of a non-safe constructor use allows arbitrary loading of Java classes leading to…
- risk 0.45cvss 8.0epss 0.00
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We…
- risk 0.44cvss 6.7epss 0.00
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper…
- risk 0.43cvss 6.6epss 0.01
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation…
- risk 0.42cvss 6.5epss 0.00
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue.
- risk 0.42cvss 7.6epss 0.00
generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as Entity Audit Framework. If an attacker manages to place some malicious classes…
- risk 0.40cvss 6.2epss 0.00
Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled…
- risk 0.39cvss 7.0epss 0.00
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By…
- risk 0.38cvss —epss 0.00
### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. **This vulnerability is of high severity for affected sites and has a high real-world impact.** ---- ### Introduction Arbitrary method call is…
- risk 0.36cvss 5.5epss 0.01
ColdFusion MX 6.1 and 6.1 J2EE allows local users to bypass sandbox security restrictions and obtain sensitive information by using Java reflection methods to access trusted Java objects without using the CreateObject function or cfobject tag.