VYPR

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Abstraction: Base · Status: Draft

Description

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
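The description above is the class-selection half of this weakness. The following is an added example (not MITRE's text nor any listed project's code): a Python loader that resolves a caller-supplied dotted name with importlib/getattr, beside a registry-based loader that treats the input as an opaque key. The Exporter classes and the demo inputs are constructed for the example; the Python sys.path lookup stands in for the classpath concern (CWE-426/CWE-427) the description mentions.

```python
"""Class selection from external input: vulnerable loader beside a registry-based
one. Added example; the application types below are constructed for it."""
import importlib
import inspect
import json


class Exporter:
    """Base class of the plugins this hypothetical application means to expose."""

    def run(self, rows):
        raise NotImplementedError


class CsvExporter(Exporter):
    def run(self, rows):
        return "\n".join(",".join(map(str, r)) for r in rows)


class JsonExporter(Exporter):
    def run(self, rows):
        return json.dumps([list(r) for r in rows])


def load_unsafe(dotted_name):
    """CWE-470: the caller's string picks both module and attribute.

    Nothing ties the result to Exporter, so "os.system" or "subprocess.Popen"
    resolve exactly as readily as an exporter class. Any module on sys.path is
    reachable, which is the Python analogue of the classpath concern
    (CWE-426/CWE-427) in the description above.
    """
    module_name, _, attr = dotted_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


# Hardened: external input is an opaque key into a fixed registry.
EXPORTERS = {"csv": CsvExporter, "json": JsonExporter}


def load_safe(kind):
    """Map the request value to a registered class; anything else is rejected.

    Raises ValueError rather than falling back, so a typo or a probe such as
    "os.system" or "__class__" never reaches import_module or getattr.
    """
    cls = EXPORTERS.get(kind)
    if cls is None:
        raise ValueError("unknown exporter: %r" % (kind,))
    # Defence in depth: even a registry entry must be an Exporter subclass.
    if not (inspect.isclass(cls) and issubclass(cls, Exporter)):
        raise TypeError("registry entry %r is not an Exporter" % (kind,))
    return cls()


def is_intended(obj):
    """True only for classes the application meant to expose."""
    return inspect.isclass(obj) and issubclass(obj, Exporter)


def demo():
    """Drive both loaders on the same inputs and report what each resolved."""
    rows = [(1, "a"), (2, "b")]  # constructed sample data
    results = {}
    # The vulnerable loader hands back whatever the name resolves to; os.system
    # is only resolved here, never invoked.
    sneaked = load_unsafe("os.system")
    results["unsafe_resolves_os_system"] = callable(sneaked) and not is_intended(sneaked)
    # The safe loader accepts a registered key ...
    results["safe_csv"] = load_safe("csv").run(rows)
    # ... and refuses a dotted name before any import or attribute lookup happens.
    try:
        load_safe("os.system")
        results["safe_rejects_dotted"] = False
    except ValueError:
        results["safe_rejects_dotted"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The registry is the point: the request string never becomes a module or class name, so adding a new exporter is a code change reviewed like any other, and the issubclass check catches a registry entry that was wired up wrongly. A prefix or substring check on the dotted name ("must start with myapp.exporters.") is not an equivalent control, because it still lets the input drive import_module and getattr.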

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-138

CVEs mapped to this weakness (36 total; this is page 2 of 2)
  • CVE-2024-22258 (Med) · Mar 20, 2024
    risk 0.33 · cvss 6.1 · epss 0.01

    Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the…

  • CVE-2022-41853 · Oct 6, 2022
    risk 0.06 · cvss n/a · epss 0.04

    Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code…

  • CVE-2026-48817 · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ### Summary When dispatching a request, `HTTPEndpoint` selects the handler by lowercasing the HTTP method and looking it up as an attribute with `getattr`, without restricting the lookup to a known set of HTTP verbs. When an `HTTPEndpoint` subclass is registered through…

  • CVE-2026-33157 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing…

  • CVE-2026-32264 · Mar 16, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel…

  • CVE-2026-32263 · Mar 16, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2…

  • CVE-2026-25498 · Feb 9, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize…

  • CVE-2025-68455 · Jan 5, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft…

  • CVE-2025-61925 · Oct 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As…

  • CVE-2024-4990 · Mar 20, 2025
    risk 0.00 · cvss n/a · epss 0.79

    In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing…

  • CVE-2024-28121 · Mar 12, 2024
    risk 0.00 · cvss n/a · epss 0.02

    stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of…

  • CVE-2023-34102 · Jun 5, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or…

  • CVE-2021-31522 · Jan 6, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

  • CVE-2019-10174 · Nov 25, 2019
    risk 0.00 · cvss n/a · epss 0.03

    A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious…

  • CVE-2019-1003041 · Mar 28, 2019
    risk 0.00 · cvss n/a · epss 0.03

    A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

  • CVE-2019-1003040 · Mar 28, 2019
    risk 0.00 · cvss n/a · epss 0.03

    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
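Several entries above (CVE-2026-48817, CVE-2024-28121) are the method-selection half of this weakness: the request names which method runs. The following added example (not the affected projects' code) reproduces the shape the CVE-2026-48817 entry describes, a dispatcher that lowercases the HTTP method and looks it up with getattr, beside an allow-listed dispatcher. The Endpoint class, its purge_cache helper and the verbs probed are constructed for the example.

```python
"""HTTP verb dispatch through getattr: unrestricted lookup beside an allow-listed
one. Added example; the Endpoint class is constructed for it."""

# RFC 9110 method names are case-sensitive; compare the raw token, never a
# lowercased one, so "Get" or "gEt" cannot slip past the allow list.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})

METHOD_NOT_ALLOWED = (405, "method not allowed")


class Endpoint:
    """Hypothetical class-based view: handlers are methods named after verbs."""

    def __init__(self):
        self.cache_purged = False

    def get(self, request):
        return 200, "item"

    def post(self, request):
        return 201, "created"

    # Maintenance helper, never intended to be reachable from the network.
    def purge_cache(self, request=None):
        self.cache_purged = True
        return 200, "cache purged"


def dispatch_unsafe(endpoint, method):
    """CWE-470 pattern: lowercase the verb and look it up with getattr.

    The lookup is not restricted to HTTP verbs, so a request whose method
    token is PURGE_CACHE lands on Endpoint.purge_cache.
    """
    handler = getattr(endpoint, method.lower(), None)
    if not callable(handler):
        return METHOD_NOT_ALLOWED
    return handler(None)


def dispatch_safe(endpoint, method):
    """Allow-list the verb first; only then derive a handler name from it."""
    if method not in ALLOWED_METHODS:
        return METHOD_NOT_ALLOWED
    handler = getattr(endpoint, method.lower(), None)
    if handler is None:
        return METHOD_NOT_ALLOWED
    return handler(None)


def probe(dispatch, method):
    """Run one request through a dispatcher; report status and the side effect."""
    ep = Endpoint()
    status, _ = dispatch(ep, method)
    return status, ep.cache_purged


if __name__ == "__main__":
    for verb in ("GET", "PURGE_CACHE", "get"):
        print(verb, "unsafe:", probe(dispatch_unsafe, verb),
              "safe:", probe(dispatch_safe, verb))
```

The fix is the order of operations: decide whether the token is one of the verbs the view supports before it is ever used as an attribute name. Checking `callable()` on whatever getattr returned, as the unsafe version does, is not a substitute, since every public method on the view is callable.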