CWE-470 · Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)
37 CVEs classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-42027 | Critical | 9.8 | 2026-05-04 | Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: Th… |
| CVE-2025-53693 | Critical | 9.8 | 2025-09-03 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experie… |
| CVE-2023-6943 | Critical | 9.8 | 2024-01-30 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 to 5… |
| CVE-2024-8015 | Critical | 9.1 | 2024-10-09 | In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure… |
| CVE-2023-32217 | Critical | 9.0 | 2023-05-31 | IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1 patch levels prior t… |
| CVE-2024-8014 | High | 8.8 | 2024-10-09 | In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolu… |
| CVE-2024-6096 | High | 8.8 | 2024-07-24 | In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vul… |
| CVE-2024-28121 | High | 8.8 | 2024-03-12 | stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time we… |
| CVE-2026-44339 | High | 8.6 | 2026-05-08 | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names a… |
| CVE-2024-53850 | High | 8.2 | 2024-12-26 | The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network. Starting with 3.0.0 and before 3.0.3… |
| CVE-2026-8178 | High | 8.1 | 2026-05-08 | An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when proc… |
| CVE-2026-41175 | High | 8.1 | 2026-04-22 | Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and… |
| CVE-2024-4990 | High | 8.1 | 2025-03-20 | In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that the value passed is a… |
| CVE-2025-12967 | High | 8.0 | 2025-11-10 | An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a… |
| CVE-2024-7059 | High | 8.0 | 2024-11-05 | A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec Security Center product… |
| CVE-2022-41853 | High | 8.0 | 2022-10-06 | Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execut… |
| CVE-2024-8048 | High | 7.8 | 2024-10-09 | In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evalu… |
| CVE-2025-31119 | High | 7.7 | 2025-04-03 | generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe r… |
| CVE-2020-7857 | High | 7.5 | 2021-04-20 | A vulnerability of XPlatform could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient validation of… |
| CVE-2019-10174 | High | 7.5 | 2019-11-25 | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke priva… |