CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Description
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-138
CVEs mapped to this weakness (36)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-22258 | | Med | 0.33 | 6.1 | 0.01 | | Mar 20, 2024 | Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the… |
| CVE-2022-41853 | | — | 0.06 | — | 0.04 | | Oct 6, 2022 | Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code… |
| CVE-2026-48817 | | | 0.00 | — | 0.00 | | Jun 15, 2026 | Summary: When dispatching a request, `HTTPEndpoint` selects the handler by lowercasing the HTTP method and looking it up as an attribute with `getattr`, without restricting the lookup to a known set of HTTP verbs. When an `HTTPEndpoint` subclass is registered through… |
| CVE-2026-33157 | | | 0.00 | — | 0.01 | | Mar 24, 2026 | Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing… |
| CVE-2026-32264 | | | 0.00 | — | 0.01 | | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel… |
| CVE-2026-32263 | | | 0.00 | — | 0.01 | | Mar 16, 2026 | Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2… |
| CVE-2026-25498 | | | 0.00 | — | 0.01 | | Feb 9, 2026 | Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize… |
| CVE-2025-68455 | | | 0.00 | — | 0.01 | | Jan 5, 2026 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft… |
| CVE-2025-61925 | | | 0.00 | — | 0.00 | | Oct 10, 2025 | Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As… |
| CVE-2024-4990 | | | 0.00 | — | 0.79 | | Mar 20, 2025 | In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing… |
| CVE-2024-28121 | | — | 0.00 | — | 0.02 | | Mar 12, 2024 | stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. In affected versions more methods than expected can be called on reflex instances. Being able to call some of… |
| CVE-2023-34102 | | | 0.00 | — | 0.02 | | Jun 5, 2023 | Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or… |
| CVE-2021-31522 | | — | 0.00 | — | 0.03 | | Jan 6, 2022 | Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions. |
| CVE-2019-10174 | | — | 0.00 | — | 0.03 | | Nov 25, 2019 | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious… |
| CVE-2019-1003041 | | | 0.00 | — | 0.03 | | Mar 28, 2019 | A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. |
| CVE-2019-1003040 | | | 0.00 | — | 0.03 | | Mar 28, 2019 | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. |