CWE-470
AllowedUse of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Abstraction: Base · Status: Draft
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
112 vulnerabilities reference this CWE, most recent first.
GHSA-59MX-MHM6-4342
Vulnerability from github – Published: 2025-11-07 18:30 – Updated: 2025-11-07 21:31In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-63690"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-07T16:15:42Z",
"severity": "CRITICAL"
},
"details": "In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat\u0027s built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.",
"id": "GHSA-59mx-mhm6-4342",
"modified": "2025-11-07T21:31:20Z",
"published": "2025-11-07T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63690"
},
{
"type": "WEB",
"url": "https://github.com/pig-mesh/pig/issues/1199"
},
{
"type": "WEB",
"url": "https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FF5-9FCW-VG88
Vulnerability from github – Published: 2025-10-10 23:41 – Updated: 2025-10-10 23:41Summary
When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.
Details
Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.
It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.
This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.
As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.
Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.
PoC
- Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
nvm useyarn run buildnode ./dist/server/entry.mjscurl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'- Observe that the response reflects the malicious
X-Forwarded-Hostheader
For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.
Impact
This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61925"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T23:41:29Z",
"nvd_published_at": "2025-10-10T20:15:38Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe.\n\n### Details\nAstro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. \n\nIt is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value.\n\nThis could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.\n\nAs this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.\n\nMany other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.\n\n### PoC\n- Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server\n- `nvm use`\n- `yarn run build`\n- `node ./dist/server/entry.mjs`\n- `curl --location \u0027http://localhost:4321/\u0027 --header \u0027X-Forwarded-Host: www.evil.com\u0027 --header \u0027Host: www.example.com\u0027`\n- Observe that the response reflects the malicious `X-Forwarded-Host` header\n\nFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above `curl` request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.\n\n### Impact\n\nThis could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.",
"id": "GHSA-5ff5-9fcw-vg88",
"modified": "2025-10-10T23:41:29Z",
"published": "2025-10-10T23:41:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61925"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f"
},
{
"type": "WEB",
"url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Astro\u0027s `X-Forwarded-Host` is reflected without validation"
}
GHSA-692M-F288-97HP
Vulnerability from github – Published: 2023-06-06 21:30 – Updated: 2024-04-04 04:36Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.
{
"affected": [],
"aliases": [
"CVE-2023-33652"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T19:15:12Z",
"severity": "HIGH"
},
"details": "Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.",
"id": "GHSA-692m-f288-97hp",
"modified": "2024-04-04T04:36:30Z",
"published": "2023-06-06T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33652"
},
{
"type": "WEB",
"url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JJ2-MFWJ-34Q5
Vulnerability from github – Published: 2025-09-03 15:30 – Updated: 2025-09-03 15:30Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.
{
"affected": [],
"aliases": [
"CVE-2025-53693"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-03T13:15:49Z",
"severity": "CRITICAL"
},
"details": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.",
"id": "GHSA-6jj2-mfwj-34q5",
"modified": "2025-09-03T15:30:33Z",
"published": "2025-09-03T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53693"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce"
},
{
"type": "WEB",
"url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-77XX-RXVH-Q682
Vulnerability from github – Published: 2022-10-06 18:52 – Updated: 2023-01-11 22:59Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.hsqldb:hsqldb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41853"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-06T21:16:51Z",
"nvd_published_at": "2022-10-06T18:17:00Z",
"severity": "CRITICAL"
},
"details": "Those using `java.sql.Statement` or `java.sql.PreparedStatement` in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used. From version 2.7.1 all classes by default are not accessible except those in `java.lang.Math` and need to be manually enabled.",
"id": "GHSA-77xx-rxvh-q682",
"modified": "2023-01-11T22:59:28Z",
"published": "2022-10-06T18:52:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html"
},
{
"type": "PACKAGE",
"url": "https://sourceforge.net/projects/hsqldb"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5313"
},
{
"type": "WEB",
"url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "HyperSQL DataBase vulnerable to remote code execution when processing untrusted input"
}
GHSA-7JX7-3846-M7W7
Vulnerability from github – Published: 2026-02-09 20:36 – Updated: 2026-02-09 22:39Relationship to Previously Patched Vulnerability
This vulnerability is in addition to the RCE vulnerability patched in GHSA-255j-qw47-wjh5. That advisory addressed a similar RCE vulnerability that affected two specific routes:
/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
This one addresses some additional endpoints that were not covered in the https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5.
The patched vulnerability used a malicious AttributeTypecastBehavior with a wildcard event listener ("on *": "self::beforeSave") and __construct() syntax to trigger RCE via the typecastBeforeSave callback. The fix was implemented in commits:
- 6e608a1
- 27f5588
- ec43c49
This vulnerability follows the same attack pattern (behavior injection via "as <behavior>" syntax) but affects a different code path (assembleLayoutFromPost() in Fields.php) that was not patched in those commits. The attack vector uses typecastAfterValidate instead of typecastBeforeSave and does not require the wildcard event listener syntax, demonstrating that multiple entry points exist for this type of vulnerability.
Executive Summary
A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.
Vulnerability Details
Attack Prerequisites
- Authentication: Admin-level access required
- Network Access: Access to admin panel (
/admin)
Location
- File:
src/services/Fields.php - Function:
assembleLayoutFromPost()(lines 1125-1143) - Root Cause: Missing
cleanseConfig()call on user-suppliedfieldLayoutPOST parameter
Vulnerable Code Path
// src/services/Fields.php:1125-1133
public function assembleLayoutFromPost(?string $namespace = null): FieldLayout
{
$paramPrefix = $namespace ? rtrim($namespace, '.') . '.' : '';
$request = Craft::$app->getRequest();
$config = JsonHelper::decode($request->getBodyParam("{$paramPrefix}fieldLayout"));
// ... additional config values added ...
$layout = $this->createLayout($config); // <-- No cleanseConfig() call!
// ...
}
// src/services/Fields.php:1089-1093
public function createLayout(array $config): FieldLayout
{
$config['class'] = FieldLayout::class;
return Craft::createObject($config); // <-- Untrusted data passed directly
}
Attack Chain
The exploitation leverages Yii2's object configuration system and behavior attachment mechanism:
- Behavior Injection: Attacker includes
'as rce'key in thefieldLayoutJSON POST parameter - Object Creation:
Craft::createObject()processes the config through Yii2'sBaseYii::configure() - Behavior Attachment: Yii2's
Component::__set()detects the'as 'prefix and attaches the behavior - RCE Trigger: When
validate()is called on the model,EVENT_AFTER_VALIDATEfires - Command Execution:
AttributeTypecastBehaviorcalls the configured typecast function (ConsoleProcessus::execute) with theuidattribute value as the command
RCE Gadget Chain
FieldLayout POST parameter
→ Craft::createObject()
→ Yii2 Component::__set() with 'as rce' key
→ AttributeTypecastBehavior attached
→ Model::validate() called
→ EVENT_AFTER_VALIDATE triggered
→ typecastAfterValidate → typecastAttributes()
→ call_user_func(['Psy\Readline\Hoa\ConsoleProcessus', 'execute'], $command)
→ Shell command execution
Affected Controllers
The assembleLayoutFromPost() function is called by multiple admin controllers:
| Controller | Action | Permission Required |
|---|---|---|
TagsController |
actionSaveTagGroup() |
Admin |
CategoriesController |
actionSaveGroup() |
Admin |
EntryTypesController |
actionSave() |
Admin |
GlobalsController |
actionSaveSet() |
Admin |
VolumesController |
actionSave() |
Admin |
UsersController |
actionSaveUserFieldLayout() |
Admin |
AddressesController |
actionSaveAddressFieldLayout() |
Admin |
References
- https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748
- GHSA-255j-qw47-wjh5 - Previously patched RCE vulnerability via behavior injection (affecting different endpoints)
- CVE-2024-4990 - Related vulnerability that inspired the behavior injection attack pattern
- Yii2 GHSA-gcmh-9pjj-7fp4 - Original Yii framework report (framework team declined to fix at framework level)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.21"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.17"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.16.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25498"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-09T20:36:43Z",
"nvd_published_at": "2026-02-09T20:15:58Z",
"severity": "HIGH"
},
"details": "## Relationship to Previously Patched Vulnerability\n\nThis vulnerability is **in addition to** the RCE vulnerability patched in [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5). That advisory addressed a similar RCE vulnerability that affected two specific routes:\n\n- `/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings`\n- `/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview`\n\nThis one addresses some additional endpoints that were not covered in the https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5.\n\nThe patched vulnerability used a malicious `AttributeTypecastBehavior` with a wildcard event listener (`\"on *\": \"self::beforeSave\"`) and `__construct()` syntax to trigger RCE via the `typecastBeforeSave` callback. The fix was implemented in commits:\n- [6e608a1](https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef)\n- [27f5588](https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7)\n- [ec43c49](https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593)\n\nThis vulnerability follows the same attack pattern (behavior injection via `\"as \u003cbehavior\u003e\"` syntax) but affects a **different code path** (`assembleLayoutFromPost()` in `Fields.php`) that was **not patched** in those commits. The attack vector uses `typecastAfterValidate` instead of `typecastBeforeSave` and does not require the wildcard event listener syntax, demonstrating that multiple entry points exist for this type of vulnerability.\n\n---\n\n## Executive Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---\n\n## Vulnerability Details\n\n### Attack Prerequisites\n\n- **Authentication:** Admin-level access required\n- **Network Access:** Access to admin panel (`/admin`)\n\n---\n\n\n### Location\n\n- **File:** `src/services/Fields.php`\n- **Function:** `assembleLayoutFromPost()` (lines 1125-1143)\n- **Root Cause:** Missing `cleanseConfig()` call on user-supplied `fieldLayout` POST parameter\n\n### Vulnerable Code Path\n\n```php\n// src/services/Fields.php:1125-1133\npublic function assembleLayoutFromPost(?string $namespace = null): FieldLayout\n{\n $paramPrefix = $namespace ? rtrim($namespace, \u0027.\u0027) . \u0027.\u0027 : \u0027\u0027;\n $request = Craft::$app-\u003egetRequest();\n $config = JsonHelper::decode($request-\u003egetBodyParam(\"{$paramPrefix}fieldLayout\"));\n // ... additional config values added ...\n $layout = $this-\u003ecreateLayout($config); // \u003c-- No cleanseConfig() call!\n // ...\n}\n\n// src/services/Fields.php:1089-1093\npublic function createLayout(array $config): FieldLayout\n{\n $config[\u0027class\u0027] = FieldLayout::class;\n return Craft::createObject($config); // \u003c-- Untrusted data passed directly\n}\n```\n---\n\n## Attack Chain\n\nThe exploitation leverages Yii2\u0027s object configuration system and behavior attachment mechanism:\n\n1. **Behavior Injection:** Attacker includes `\u0027as rce\u0027` key in the `fieldLayout` JSON POST parameter\n2. **Object Creation:** `Craft::createObject()` processes the config through Yii2\u0027s `BaseYii::configure()`\n3. **Behavior Attachment:** Yii2\u0027s `Component::__set()` detects the `\u0027as \u0027` prefix and attaches the behavior\n4. **RCE Trigger:** When `validate()` is called on the model, `EVENT_AFTER_VALIDATE` fires\n5. **Command Execution:** `AttributeTypecastBehavior` calls the configured typecast function (`ConsoleProcessus::execute`) with the `uid` attribute value as the command\n\n### RCE Gadget Chain\n\n```\nFieldLayout POST parameter\n \u2192 Craft::createObject()\n \u2192 Yii2 Component::__set() with \u0027as rce\u0027 key\n \u2192 AttributeTypecastBehavior attached\n \u2192 Model::validate() called\n \u2192 EVENT_AFTER_VALIDATE triggered\n \u2192 typecastAfterValidate \u2192 typecastAttributes()\n \u2192 call_user_func([\u0027Psy\\Readline\\Hoa\\ConsoleProcessus\u0027, \u0027execute\u0027], $command)\n \u2192 Shell command execution\n```\n\n---\n\n## Affected Controllers\n\nThe `assembleLayoutFromPost()` function is called by multiple admin controllers:\n\n| Controller | Action | Permission Required |\n|------------|--------|---------------------|\n| `TagsController` | `actionSaveTagGroup()` | Admin |\n| `CategoriesController` | `actionSaveGroup()` | Admin |\n| `EntryTypesController` | `actionSave()` | Admin |\n| `GlobalsController` | `actionSaveSet()` | Admin |\n| `VolumesController` | `actionSave()` | Admin |\n| `UsersController` | `actionSaveUserFieldLayout()` | Admin |\n| `AddressesController` | `actionSaveAddressFieldLayout()` | Admin |\n\n---\n## References\n\n- https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748\n- [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5) - Previously patched RCE vulnerability via behavior injection (affecting different endpoints)\n- [CVE-2024-4990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4990) - Related vulnerability that inspired the behavior injection attack pattern\n- [Yii2 GHSA-gcmh-9pjj-7fp4](https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4) - Original Yii framework report (framework team declined to fix at framework level)\n\n---",
"id": "GHSA-7jx7-3846-m7w7",
"modified": "2026-02-09T22:39:16Z",
"published": "2026-02-09T20:36:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}
GHSA-7RMP-3G9F-CVQ8
Vulnerability from github – Published: 2025-04-04 14:06 – Updated: 2025-04-04 14:06Summary
CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') when having Javers selected as Entity Audit Framework
Details
In the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes. This is also known as CWE-470 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/package/web/rest/JaversEntityAuditResource.java.ejs#L88 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/package/web/rest/JaversEntityAuditResource.java.ejs#L124
So, if an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution.
PoC
- Place an arbitrary class with the right package name (starting with JHIpster applications path name) and make it available in class path
- Gain access to view entity's audit changelogs (Role: ADMIN)
- pass in the malicious class name part as
entityType(first mentioned part) //qualifiedName(second mentioned occurence) - class gets loaded and static code blocks in there get executed
--> Should be limited to the already existing whitelist of classes (see first method in that mentioned class)
Impact
Remote Code execution. You need to have some access to place malicious classes into the class path and you need to have a user with ADMIN role on the system.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "generator-jhipster-entity-audit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31119"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-04T14:06:35Z",
"nvd_published_at": "2025-04-03T20:15:25Z",
"severity": "HIGH"
},
"details": "### Summary\nCWE-470 (Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) when having Javers selected as Entity Audit Framework\n\n### Details\nIn the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes. This is also known as CWE-470\nhttps://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88\nhttps://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L124\n\nSo, if an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution.\n\n### PoC\n\n1. Place an arbitrary class with the right package name (starting with JHIpster applications path name) and make it available in class path\n2. Gain access to view entity\u0027s audit changelogs (Role: ADMIN)\n3. pass in the malicious class name part as `entityType` (first mentioned part) // `qualifiedName` (second mentioned occurence)\n4. class gets loaded and static code blocks in there get executed\n\n--\u003e Should be limited to the already existing whitelist of classes (see first method in that mentioned class)\n\n### Impact\nRemote Code execution. You need to have some access to place malicious classes into the class path and you need to have a user with ADMIN role on the system.",
"id": "GHSA-7rmp-3g9f-cvq8",
"modified": "2025-04-04T14:06:35Z",
"published": "2025-04-04T14:06:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jhipster/generator-jhipster-entity-audit/security/advisories/GHSA-7rmp-3g9f-cvq8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31119"
},
{
"type": "PACKAGE",
"url": "https://github.com/jhipster/generator-jhipster-entity-audit"
},
{
"type": "WEB",
"url": "https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework"
}
GHSA-7WQ2-32H4-9HC9
Vulnerability from github – Published: 2025-11-13 22:22 – Updated: 2026-05-06 23:24Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.
We recommend customers upgrade to the following versions: AWS Go Wrapper to 2025-10-17
Source of Vulnerability Report:
Allistair Ishmael Hakim allistair.hakim@gmail.com
Affected products & versions:
AWS Go Wrapper < 2025-10-17
Platforms:
MacOS/Windows/Linux
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/awssql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/auth-helpers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/federated-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/iam"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/mysql-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/okta"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/otlp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/pgx-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/aws/aws-advanced-go-wrapper/xray"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T22:22:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Description of Vulnerability: \nAn issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.\n\nWe recommend customers upgrade to the following versions: AWS Go Wrapper to 2025-10-17\n\n\n### Source of Vulnerability Report: \nAllistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com)\n\n\n### Affected products \u0026 versions: \nAWS Go Wrapper \u003c 2025-10-17\n\n\n### Platforms:\n MacOS/Windows/Linux",
"id": "GHSA-7wq2-32h4-9hc9",
"modified": "2026-05-06T23:24:24Z",
"published": "2025-11-13T22:22:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-7wq2-32h4-9hc9"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-go-wrapper/pull/270"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-go-wrapper/commit/7b405f95fe71db644cd8336ba5fa28b41e89d03e"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-advanced-go-wrapper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance"
}
GHSA-7XW4-G7MM-R4HH
Vulnerability from github – Published: 2025-11-13 22:22 – Updated: 2025-11-13 22:22Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.
AWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater.
Source of Vulnerability Report:
Allistair Ishmael Hakim allistair.hakim@gmail.com
Affected products & versions:
AWS JDBC Wrapper < 2.6.5
Platforms:
MacOS/Windows/Linux
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.6.4"
},
"package": {
"ecosystem": "Maven",
"name": "software.amazon.jdbc:aws-advanced-jdbc-wrapper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T22:22:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Description of Vulnerability:\nAn issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.\n\nAWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater.\n\n\n### Source of Vulnerability Report: \nAllistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com)\n\n\n### Affected products \u0026 versions: \nAWS JDBC Wrapper \u003c 2.6.5\n\n### Platforms: \nMacOS/Windows/Linux",
"id": "GHSA-7xw4-g7mm-r4hh",
"modified": "2025-11-13T22:22:28Z",
"published": "2025-11-13T22:22:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-7xw4-g7mm-r4hh"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-jdbc-wrapper/commit/b62183b851fa46f891f9fe9c861e9ac2fb7d8b62"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-advanced-jdbc-wrapper"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/2.6.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance"
}
GHSA-86H2-2G4G-29QX
Vulnerability from github – Published: 2023-06-06 16:46 – Updated: 2024-06-25 16:56Summary
The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record.
Details
After reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further use. Because Avo does not validate user input when updating or creating a new polymorphic resource, it is possible to create database entries with completely different or invalid class names than the preselected ones. Avo assumes that the class specified by the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.
PoC
In the test scenario we choose the demo app and the review resource which has a polymorphic reviewable field.
Intercepting the request and switching the review[reviewable_type] from “Fish” to “File” which is a real class inside Rails
Corrupting the database with unusable classes will cause a crash at the application while viewing the new record or the index view (partial DoS)
Manual delete the corrupted resource in order to recover the applications functionality
Of course it is possible to use other class names or namespaces. The local development environment displays the backend error message when visiting a corrupted record. Avo is trying to apply a scope to this class that does not exist.
Specifying an invalid class name in the parameter will cause the application to crash again while trying constanize the provided string
Impact
The final exploitation of this vulnerability requires more time than is provided in this assessment, but initial testing of the post request shows the potential critical risk. The classes could be instantiated at any point in the code and this could also lead to code execution.
Recommendation
Avo should be configured to never trust user-supplied input, especially when defining classes for records. In this particular case, Avo can evaluate the options list given for the polymorphic field and only allow strings from that list. With this white-list approach, an attacker cannot supply unintended classes.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.33.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "avo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.33.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "avo"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.pre1"
},
{
"last_affected": "3.0.0.pre12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-34102"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T16:46:57Z",
"nvd_published_at": "2023-06-05T23:15:12Z",
"severity": "HIGH"
},
"details": "### Summary\nThe polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. \n\n### Details\nAfter reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further use. Because Avo does not validate user input when updating or creating a new polymorphic resource, it is possible to create database entries with completely different or invalid class names than the preselected ones. Avo assumes that the class specified by the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.\n\n### PoC\n\n_In the test scenario we choose the demo app and the review resource which has a polymorphic reviewable field._\n\n\n_Intercepting the request and switching the review[reviewable_type] from \u201cFish\u201d to \u201cFile\u201d which is a real class inside Rails_\n\n\n_Corrupting the database with unusable classes will cause a crash at the application while viewing the new record or the index view (partial DoS)_\n\n\n_Manual delete the corrupted resource in order to recover the applications functionality_\n\n\n_Of course it is possible to use other class names or namespaces. The local development environment displays the backend error message when visiting a corrupted record. Avo is trying to apply a scope to this class that does not exist._\n\n\n_Specifying an invalid class name in the parameter will cause the application to crash again while trying constanize the provided string_\n\n### Impact\nThe final exploitation of this vulnerability requires more time than is provided in this assessment, but initial testing of the post request shows the potential critical risk. The classes could be instantiated at any point in the code and this could also lead to code execution.\n\n### Recommendation\nAvo should be configured to never trust user-supplied input, especially when defining classes for records. In this particular case, Avo can evaluate the options list given for the polymorphic field and only allow strings from that list. With this white-list approach, an attacker cannot supply unintended classes.\n",
"id": "GHSA-86h2-2g4g-29qx",
"modified": "2024-06-25T16:56:30Z",
"published": "2023-06-06T16:46:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34102"
},
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17"
},
{
"type": "PACKAGE",
"url": "https://github.com/avo-hq/avo"
},
{
"type": "WEB",
"url": "https://github.com/avo-hq/avo/releases/tag/v2.33.3"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "avo possible unsafe reflection / partial DoS vulnerability"
}
Mitigation
Refactor your code to avoid using reflection.
Mitigation
Do not use user-controlled inputs to select and load classes or code.
Mitigation
Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
CAPEC-138: Reflection Injection
An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.