Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-470

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

61 vulnerabilities with CWE-470

CVE-2026-48517 HIGH

MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments

CVE-2026-48502 HIGH

MessagePack-CSharp ReadDateTime - Stack Overflow Denial of Service

CVE-2026-49287 HIGH

Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

CVE-2026-48817 MEDIUM

Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`

CVE-2026-46718 MEDIUM

Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution

CVE-2026-34216 MEDIUM

CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in SettingsController.php

CVE-2026-8178 HIGH

Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver

CVE-2026-44339 HIGH

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

CVE-2026-42027 CRITICAL

Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

CVE-2026-41175 HIGH

Statamic: Unsafe method invocation via query value resolution allows data destruction

CVE-2026-23923 MEDIUM

Unauthenticated arbitrary PHP class instantiation

CVE-2026-33157 HIGH

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

CVE-2026-32264 HIGH

Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

CVE-2026-32263 HIGH

Craft CMS vulnerable to behavior injection RCE via EntryTypesController

CVE-2026-25498 HIGH

Craft CMS 4.0.0-4.16.17 and 5.0.0-RC1-5.8.21 - Authenticated Remote Code Execution via Behavior Configuration Injection

CVE-2025-68455 HIGH

Craft CMS 4.0.0.1-4.16.16 and 5.0.0-RC1-5.8.20 - Authenticated Remote Code Execution via Malicious Attached Behavior

CVE-2025-34393 CRITICAL

Barracuda RMM < 2025.1.1 - Remote Code Execution via Insecure WSDL Reflection

CVE-2025-12967 HIGH

AWS Wrappers for Amazon Aurora PostgreSQL - Privilege Escalation

CVE-2025-63690 CRITICAL

pig-mesh Pig <= 3.8.2 Quartz - Reflection Remote Command Execution

CVE-2025-61925 MEDIUM

Astro < 5.14.2 - Unsafe Reflection via X-Forwarded-Host Header

CVE-2025-53693 CRITICAL

Sitecore XM/X <10.5 - Cache Poisoning

CVE-2025-3600 HIGH

Progress Telerik UI for ASP.NET AJAX 2011.2.712-2025.1.218 - Denial of Service via Unsafe Reflection

CVE-2025-31119 HIGH

generator-jhipster-entity-audit < 5.9.1 - Unsafe Reflection via Javers Entity Audit Framework

CVE-2025-2794 HIGH

Kentico Xperience <= 13.0.180 - Unauthenticated Denial of Service via Unsafe Reflection

CVE-2024-4990 CRITICAL

yiisoft/yii2 2.0.48 - Code Injection

Page 1 of 3 Next

Details

Vulnerabilities 61

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy