
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")) — Vulnerability Class 35

35 vulnerabilities classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")). AI-generated Chinese analysis included.

CWE-470 represents a critical input validation weakness where applications utilize reflection to dynamically select classes or methods based on externally controlled data without adequate safeguards. Attackers typically exploit this vulnerability by injecting malicious payloads that reference unintended or dangerous classes, potentially leading to remote code execution, denial of service, or unauthorized access to sensitive system resources. This occurs because the application blindly trusts user-supplied strings to determine program flow, bypassing standard security controls. To mitigate this risk, developers must implement strict allow-listing mechanisms that restrict reflection to a predefined set of safe, expected classes. Additionally, input sanitization and rigorous validation should be applied to ensure that only authorized identifiers are processed, effectively neutralizing the threat of arbitrary code execution through unsafe reflection.

MITRE CWE Description
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
Common Consequences (3)
Scope: Integrity, Confidentiality, Availability, Other. Impact: Execute Unauthorized Code or Commands; Alter Execution Logic.
The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.
Scope: Availability, Other. Impact: DoS: Crash, Exit, or Restart; Other.
The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang.
Scope: Confidentiality. Impact: Read Application Data.
By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.
Mitigations (3)
Architecture and Design: Refactor your code to avoid using reflection.
Architecture and Design: Do not use user-controlled inputs to select and load classes or code.
Implementation: Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
Examples (1)
A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:
Good · Java

```java
String ctl = request.getParameter("ctl");
Worker ao = null;
// Explicit comparison against the expected command names: the untrusted
// string is only ever compared, never used to name a class.
if (ctl.equals("Add")) {
    ao = new AddCommand();
} else if (ctl.equals("Modify")) {
    ao = new ModifyCommand();
} else {
    throw new UnknownActionError();
}
ao.doAction(request);
```

The same dispatcher implemented with reflection, where the ctl parameter picks the class to load, so any class on the classpath whose name ends in "Command" can be instantiated:

Bad · Java

```java
String ctl = request.getParameter("ctl");
// Untrusted input concatenated into a class name and passed to Class.forName.
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.doAction(request);
```
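The allow-list and indirect-selection mitigation from the Implementation entry above, as an added example that is not MITRE's code: the untrusted `ctl` value is used only as a map key, so it can never name a class. `Request` and `Worker` are minimal stand-ins for the servlet types assumed in the CWE example, and the command classes are constructed here.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example (not from the CWE page): an allow-list dispatcher in which the
// request parameter is a lookup key, never an input to Class.forName.
public final class SafeDispatcher {

    // Stand-ins for the servlet request and the Worker type of the CWE example.
    interface Request { String getParameter(String name); }
    interface Worker { void doAction(Request request); }

    static final class AddCommand implements Worker {
        public void doAction(Request r) { System.out.println("add"); }
    }
    static final class ModifyCommand implements Worker {
        public void doAction(Request r) { System.out.println("modify"); }
    }

    // The allow-list. Only these keys resolve to code; adding a command means
    // adding an entry here rather than widening a reflection surface.
    private static final Map<String, Supplier<Worker>> COMMANDS =
        Map.<String, Supplier<Worker>>of(
            "Add", AddCommand::new,
            "Modify", ModifyCommand::new);

    // Indirect selection: the outcome is a map hit or a rejection, nothing else.
    static Worker resolve(String ctl) {
        if (ctl == null) {
            throw new IllegalArgumentException("missing ctl parameter");
        }
        Supplier<Worker> factory = COMMANDS.get(ctl);
        if (factory == null) {
            // Log the rejected value for detection; do not echo it back to the client.
            throw new IllegalArgumentException("unknown action: " + ctl);
        }
        return factory.get();
    }

    static void dispatch(Request request) {
        resolve(request.getParameter("ctl")).doAction(request);
    }

    public static void main(String[] args) {
        dispatch(name -> "Add");                 // prints "add"
        try {
            dispatch(name -> "NotAllowed");      // constructed bad input: rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());  // unknown action: NotAllowed
        }
    }
}
```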
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-8178 | Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver | Amazon Redshift JDBC Driver | 8.1 | High | 2026-05-08 |
| CVE-2026-44339 | PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute | PraisonAI | 8.6 | High | 2026-05-08 |
| CVE-2026-42027 | Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader | Apache OpenNLP | 9.8 (AI) | Critical (AI) | 2026-05-04 |
| CVE-2026-41175 | Statamic: Unsafe method invocation via query value resolution allows data destruction | cms | 8.1 | High | 2026-04-22 |
| CVE-2018-25239 | Smart VPN 1.1.3.0 Denial of Service via Search | Smart VPN | 6.2 | Medium | 2026-04-04 |
| CVE-2026-23923 | Unauthenticated arbitrary PHP class instantiation | Zabbix | 9.8 | - | 2026-03-24 |
| CVE-2026-33157 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | cms | 8.8 | - | 2026-03-24 |
| CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController | cms | 7.2 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | cms | 9.1 (AI) | Critical (AI) | 2026-03-16 |
| CVE-2026-25498 | Craft has a potential authenticated Remote Code Execution via malicious attached Behavior | cms | 7.2 (AI) | High (AI) | 2026-02-09 |
| CVE-2025-68455 | Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior | cms | 7.2 | - | 2026-01-05 |
| CVE-2025-34393 | Barracuda RMM < 2025.1.1 Service Center Insecure Reflection RCE | RMM | 9.8 (AI) | Critical (AI) | 2025-12-10 |
| CVE-2025-12967 | Npgsql security vulnerability | JDBC Wrapper | 8.0 | High | 2025-11-10 |
| CVE-2025-61925 | Astro's `X-Forwarded-Host` is reflected with no validation | astro | 6.5 | Medium | 2025-10-10 |
| CVE-2025-53693 | HTML Cache Poisoning through Unsafe Reflections | Sitecore Experience Manager (XM) | 9.8 | Critical | 2025-09-03 |
| CVE-2025-31119 | CWE-470 in generator-jhipster-entity-audit when having Javers selected as Entity Audit Framework | generator-jhipster-entity-audit | 7.7 | High | 2025-04-03 |
| CVE-2025-2794 | Kentico Xperience <= 13.0.180 Unsafe Reflection | Xperience | 7.5 | - | 2025-03-31 |
| CVE-2024-4990 | Unsafe Reflection in base Component class in yiisoft/yii2 | yiisoft/yii2 | 9.8 | - | 2025-03-20 |
| CVE-2024-53850 | The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation | addressing | 8.2 | High | 2024-12-26 |
| CVE-2024-7059 | Genetec Security Center security vulnerability | Genetec Security Center | 8.0 | High | 2024-11-05 |
| CVE-2024-8015 | Telerik Report Server Insecure Type Resolution | Telerik Reporting | 9.1 | Critical | 2024-10-09 |
| CVE-2024-8048 | Telerik Reporting Insecure Expression Evaluation | Telerik Reporting | 7.8 | High | 2024-10-09 |
| CVE-2024-8014 | Telerik Reporting EntityDataSource Insecure Type Resolution | Telerik Reporting | 8.8 | High | 2024-10-09 |
| CVE-2024-6096 | Unsafe Deserialization Vulnerability | Telerik Reporting | 8.8 | High | 2024-07-24 |
| CVE-2024-1574 | Mitsubishi Electric MC Works64 security vulnerability | GENESIS64 | 6.7 | Medium | 2024-07-04 |
| CVE-2024-28121 | Reflex arbitrary method call in stimulus_reflex | stimulus_reflex | 8.8 | High | 2024-03-12 |
| CVE-2023-6943 | Mitsubishi Electric multiple products security vulnerability | EZSocket | 9.8 | Critical | 2024-01-30 |
| CVE-2024-0200 | Unsafe Reflection in Github Enterprise Server leading to Command Injection | Enterprise Server | 7.2 | High | 2024-01-16 |
| CVE-2023-32217 | SailPoint IdentityIQ Unsafe use of Reflection Vulnerability | IdentityIQ | 9.0 | Critical | 2023-05-31 |
| CVE-2023-0460 | Remote code execution in YouTube Android Player API SDK | YouTube Android Player API SDK | 5.1 | Medium | 2023-03-01 |

Vulnerabilities classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ("Unsafe Reflection")) represent 35 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.