Common Weakness Enumeration

CWE-470

Allowed

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Abstraction: Base · Status: Draft

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

111 vulnerabilities reference this CWE, most recent first.

CVE-2026-40008 (GCVE-0-2026-40008)

Vulnerability from cvelistv5 – Published: 2026-07-10 07:13 – Updated: 2026-07-10 14:54
VLAI
Title
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Summary
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB. The pipe processor reads a fully qualified Java class name and instantiates it using Class.forName().newInstance() without any validation or allowlisting. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache IoTDB Affected: 1.0.0 , < 2.0.10 (semver)
Create a notification for this product.
Credits
Andrea Cosentino
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-40008",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T14:06:47.206817Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T14:06:50.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-10T14:54:56.744Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/10/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache IoTDB",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.0.10",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andrea Cosentino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUse of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Apache IoTDB.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe pipe processor reads a fully\nqualified Java class name and\ninstantiates it using Class.forName().newInstance() without any\nvalidation or allowlisting.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache IoTDB: from 1.0.0 before 2.0.10.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.0.10, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Apache IoTDB.\nThe pipe processor reads a fully\nqualified Java class name and\ninstantiates it using Class.forName().newInstance() without any\nvalidation or allowlisting.\n\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.10.\n\nUsers are recommended to upgrade to version 2.0.10, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T07:13:27.770Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/fm8cpvzbox2qqy99ztglm8wkk1nrg9ng"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-40008",
    "datePublished": "2026-07-10T07:13:27.770Z",
    "dateReserved": "2026-04-08T08:42:56.547Z",
    "dateUpdated": "2026-07-10T14:54:56.744Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34216 (GCVE-0-2026-34216)

Vulnerability from cvelistv5 – Published: 2026-05-19 20:31 – Updated: 2026-05-20 13:06
VLAI
Title
CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php
Summary
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
Impacted products
Vendor Product Version
Ctrlpanel-gg panel Affected: < 1.2.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34216",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:06:22.083678Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:06:25.535Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-vcg3-fjrx-rg5q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "panel",
          "vendor": "Ctrlpanel-gg",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T20:31:16.162Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-vcg3-fjrx-rg5q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-vcg3-fjrx-rg5q"
        },
        {
          "name": "https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-vcg3-fjrx-rg5q",
        "discovery": "UNKNOWN"
      },
      "title": "CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34216",
    "datePublished": "2026-05-19T20:31:16.162Z",
    "dateReserved": "2026-03-26T15:57:52.324Z",
    "dateUpdated": "2026-05-20T13:06:25.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33157 (GCVE-0-2026-33157)

Vulnerability from cvelistv5 – Published: 2026-03-24 17:22 – Updated: 2026-03-25 03:56
VLAI
Title
Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Summary
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.6.0, < 5.9.13
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33157",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T03:56:03.039Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.6.0, \u003c 5.9.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T17:22:00.966Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"
        },
        {
          "name": "https://github.com/craftcms/cms/releases/tag/5.9.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/releases/tag/5.9.13"
        }
      ],
      "source": {
        "advisory": "GHSA-2fph-6v5w-89hh",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33157",
    "datePublished": "2026-03-24T17:22:00.966Z",
    "dateReserved": "2026-03-17T21:17:08.886Z",
    "dateUpdated": "2026-03-25T03:56:03.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32264 (GCVE-0-2026-32264)

Vulnerability from cvelistv5 – Published: 2026-03-16 19:02 – Updated: 2026-03-17 15:20
VLAI
Title
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Summary
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 4.0.0-RC1, < 4.17.5
Affected: >= 5.0.0-RC1, < 5.9.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32264",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T15:20:18.988874Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T15:20:28.421Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.17.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.9.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T19:02:22.720Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"
        },
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"
        }
      ],
      "source": {
        "advisory": "GHSA-4484-8v2f-5748",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32264",
    "datePublished": "2026-03-16T19:02:22.720Z",
    "dateReserved": "2026-03-11T15:05:48.397Z",
    "dateUpdated": "2026-03-17T15:20:28.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32263 (GCVE-0-2026-32263)

Vulnerability from cvelistv5 – Published: 2026-03-16 18:57 – Updated: 2026-03-17 15:21
VLAI
Title
Craft CMS vulnerable to behavior injection RCE via EntryTypesController
Summary
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.6.0, < 5.9.11
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32263",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T15:21:06.191953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-17T15:21:16.718Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.6.0, \u003c 5.9.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T18:57:50.342Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j"
        },
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7"
        }
      ],
      "source": {
        "advisory": "GHSA-qx2q-q59v-wf3j",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS vulnerable to behavior injection RCE via EntryTypesController"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32263",
    "datePublished": "2026-03-16T18:57:50.342Z",
    "dateReserved": "2026-03-11T15:05:48.397Z",
    "dateUpdated": "2026-03-17T15:21:16.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25498 (GCVE-0-2026-25498)

Vulnerability from cvelistv5 – Published: 2026-02-09 19:55 – Updated: 2026-02-10 15:59
VLAI
Title
Craft has a potential authenticated Remote Code Execution via malicious attached Behavior
Summary
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
craftcms cms Affected: >= 5.0.0-RC1, < 5.8.22
Affected: >= 4.0.0-RC1, < 4.16.18
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25498",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:32:09.006023Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:59:54.896Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0-RC1, \u003c 5.8.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-RC1, \u003c 4.16.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T19:55:06.558Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"
        },
        {
          "name": "https://github.com/craftcms/cms/releases/tag/5.8.22",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
        }
      ],
      "source": {
        "advisory": "GHSA-7jx7-3846-m7w7",
        "discovery": "UNKNOWN"
      },
      "title": "Craft has a potential authenticated Remote Code Execution via malicious attached Behavior"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25498",
    "datePublished": "2026-02-09T19:55:06.558Z",
    "dateReserved": "2026-02-02T16:31:35.824Z",
    "dateUpdated": "2026-02-10T15:59:54.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24246 (GCVE-0-2026-24246)

Vulnerability from cvelistv5 – Published: 2026-07-01 14:56 – Updated: 2026-07-01 15:59
VLAI
Summary
NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
Impacted products
Vendor Product Version
NVIDIA Megatron-Bridge Affected: Versions 0.0 to 0.4.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T15:59:33.583373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T15:59:51.577Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "All platforms"
          ],
          "product": "Megatron-Bridge",
          "vendor": "NVIDIA",
          "versions": [
            {
              "status": "affected",
              "version": "Versions 0.0 to 0.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure."
            }
          ],
          "value": "NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Code execution, escalation of privileges, data tampering, information disclosure"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T14:56:10.358Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24246"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24246"
        },
        {
          "url": "https://github.com/NVIDIA/product-security/tree/main/2026/5841"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "NVIDIA PSIRT"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2026-24246",
    "datePublished": "2026-07-01T14:56:10.358Z",
    "dateReserved": "2026-01-21T19:09:47.375Z",
    "dateUpdated": "2026-07-01T15:59:51.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23923 (GCVE-0-2026-23923)

Vulnerability from cvelistv5 – Published: 2026-03-24 18:29 – Updated: 2026-03-25 19:25
VLAI
Title
Unauthenticated arbitrary PHP class instantiation
Summary
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
Impacted products
Vendor Product Version
Zabbix Zabbix Affected: 7.4.0 , ≤ 7.4.6 (git)
Create a notification for this product.
Credits
Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T19:24:53.942052Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T19:25:01.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Frontend"
          ],
          "product": "Zabbix",
          "repo": "https://git.zabbix.com/",
          "vendor": "Zabbix",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.4.7",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.4.6",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe action can be invoked by any user able to reach Frontend.\u003c/p\u003e"
            }
          ],
          "value": "The action can be invoked by any user able to reach Frontend."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Zabbix wants to thank pitticus for submitting this report on the HackerOne bug bounty platform."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn unauthenticated attacker can exploit the Frontend \u0027validate\u0027 action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.\u003c/p\u003e"
            }
          ],
          "value": "An unauthenticated attacker can exploit the Frontend \u0027validate\u0027 action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-138",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-138: Reflection Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T18:29:23.165Z",
        "orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
        "shortName": "Zabbix"
      },
      "references": [
        {
          "url": "https://support.zabbix.com/browse/ZBX-27641"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate the affected components to their respective fixed versions.\u003c/p\u003e"
            }
          ],
          "value": "Update the affected components to their respective fixed versions."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated arbitrary PHP class instantiation",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8",
    "assignerShortName": "Zabbix",
    "cveId": "CVE-2026-23923",
    "datePublished": "2026-03-24T18:29:23.165Z",
    "dateReserved": "2026-01-19T14:02:54.327Z",
    "dateUpdated": "2026-03-25T19:25:01.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13772 (GCVE-0-2026-13772)

Vulnerability from cvelistv5 – Published: 2026-06-30 19:21 – Updated: 2026-07-03 03:56
VLAI
Title
IBM WebSphere eXtreme Scale's OQL is affected by remote code execution
Summary
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7278593 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM WebSphere Extreme Scale Affected: 8.6.1.0 , ≤ 8.6.1.6 (semver)
    cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13772",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-03T03:56:12.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:websphere_extreme_scale:8.6.1.6:*:*:*:*:*:*:*"
          ],
          "product": "WebSphere Extreme Scale",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "8.6.1.6",
              "status": "affected",
              "version": "8.6.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 \u0027s Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries\u003c/p\u003e"
            }
          ],
          "value": "IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 \u0027s Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T19:21:43.212Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7278593"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf eXtreme Scale is being used as a Session Cache (Session Grid), this vulnerability is not applicable. In a Session Grid deployment, applications typically use eXtreme Scale only to store and retrieve HTTP session data and do not create or execute Object Query Language (OQL) queries against the session data. As a result, the vulnerable OQL functionality is not exercised.\u003cbr/\u003eIf eXtreme Scale is being used as a Simple Grid and the application executes OQL queries, the risk can be mitigated through application code changes. Recommended mitigation strategies include:\u003cbr/\u003e1. Never concatenate user-supplied input directly into OQL statements. Use query parameters wherever possible.\u003cbr/\u003e2. Restrict dynamically specified class names to a predefined allow list of approved classes.\u003cbr/\u003e3. Do not allow end users to construct or modify OQL query syntax.\u003cbr/\u003e4. Avoid dynamically loading comparator classes or using reflection-based sorting based on user input.\u003cbr/\u003e5. Validate and sanitize all user-supplied values before they are used to construct OQL queries.\u003cbr/\u003eThese mitigations help prevent untrusted input from influencing OQL execution and eliminate the attack paths associated with this vulnerability.\u003c/p\u003e"
            }
          ],
          "value": "If eXtreme Scale is being used as a Session Cache (Session Grid), this vulnerability is not applicable. In a Session Grid deployment, applications typically use eXtreme Scale only to store and retrieve HTTP session data and do not create or execute Object Query Language (OQL) queries against the session data. As a result, the vulnerable OQL functionality is not exercised.If eXtreme Scale is being used as a Simple Grid and the application executes OQL queries, the risk can be mitigated through application code changes. Recommended mitigation strategies include:1. Never concatenate user-supplied input directly into OQL statements. Use query parameters wherever possible.2. Restrict dynamically specified class names to a predefined allow list of approved classes.3. Do not allow end users to construct or modify OQL query syntax.4. Avoid dynamically loading comparator classes or using reflection-based sorting based on user input.5. Validate and sanitize all user-supplied values before they are used to construct OQL queries.These mitigations help prevent untrusted input from influencing OQL execution and eliminate the attack paths associated with this vulnerability."
        }
      ],
      "title": "IBM WebSphere eXtreme Scale\u0027s OQL is affected by remote code execution",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2026-13772",
    "datePublished": "2026-06-30T19:21:43.212Z",
    "dateReserved": "2026-06-29T21:47:01.091Z",
    "dateUpdated": "2026-07-03T03:56:12.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8178 (GCVE-0-2026-8178)

Vulnerability from cvelistv5 – Published: 2026-05-08 18:36 – Updated: 2026-05-08 20:06
VLAI
Title
Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
Summary
An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8178",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T20:06:23.595236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T20:06:28.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/aws/amazon-redshift-jdbc-driver",
          "defaultStatus": "unaffected",
          "product": "Amazon Redshift JDBC Driver",
          "vendor": "Amazon",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application\u0027s classpath.\u003c/p\u003e\u003cp\u003eTo mitigate this issue, users should upgrade to version 2.2.2 or later.\u003c/p\u003e"
            }
          ],
          "value": "An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application\u0027s classpath.\n\n\n\nTo mitigate this issue, users should upgrade to version 2.2.2 or later."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-138",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-138: Reflection Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T18:40:14.397Z",
        "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "shortName": "AMZN"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://aws.amazon.com/security/security-bulletins/2026-028-aws/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
    "assignerShortName": "AMZN",
    "cveId": "CVE-2026-8178",
    "datePublished": "2026-05-08T18:36:46.950Z",
    "dateReserved": "2026-05-08T16:01:18.527Z",
    "dateUpdated": "2026-05-08T20:06:28.690Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

Refactor your code to avoid using reflection.

Mitigation
Architecture and Design

Do not use user-controlled inputs to select and load classes or code.

Mitigation
Implementation

Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.

CAPEC-138: Reflection Injection

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.