CWE-470: Unsafe Reflection — known CVE vulnerabilities
CVEs classified under CWE-470 (Unsafe Reflection), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-42027 — CVSS 9.8 (critical): Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 1.9.5, before 2.5.9, before…
CVE-2025-34393 — CVSS 9.8 (critical): Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an…
CVE-2025-53693 — CVSS 9.8 (critical): Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager…
CVE-2023-6943 — CVSS 9.8 (critical): Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation…
CVE-2021-31522 — CVSS 9.8 (critical): Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior…
CVE-2019-1003041 — CVSS 9.8 (critical): A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in…
CVE-2019-1003040 — CVSS 9.8 (critical): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in…
CVE-2018-1000613 — CVSS 9.8 (critical): Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of…
CVE-2025-63690 — CVSS 9.1 (critical): In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management…
CVE-2024-4990 — CVSS 9.1 (critical): In yiisoft/yii2 version 2.0.48, the base Component class contains a vulnerability where the `__set()` magic method does not validate that…
CVE-2024-8015 — CVSS 9.1 (critical): In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object…
CVE-2023-32217 — CVSS 9.0 (critical): IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p6, IdentityIQ 8.1 and all 8.1…
CVE-2024-8014 — CVSS 8.8 (high): In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an…
CVE-2024-6096 — CVSS 8.8 (high): In Progress® Telerik® Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an…
CVE-2024-28121 — CVSS 8.8 (high): stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to…
CVE-2023-33652 — CVSS 8.8 (high): Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the…
CVE-2019-10174 — CVSS 8.8 (high): A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application…
CVE-2025-2794: An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a…
CVE-2026-44339 — CVSS 8.6 (high): PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves…
CVE-2023-34102 — CVSS 8.3 (high): Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when…
CVE-2024-53850 — CVSS 8.2 (high): The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with…
CVE-2026-8178 — CVSS 8.1 (high): An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute…
CVE-2026-41175 — CVSS 8.1 (high): Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters…
CVE-2025-12967 — CVSS 8.0 (high): An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege…
CVE-2024-7059 — CVSS 8.0 (high): A high-severity vulnerability that can lead to arbitrary code execution on the system hosting the Web SDK role was found in the Genetec…
CVE-2022-41853 — CVSS 8.0 (high): Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to…
CVE-2022-30287 — CVSS 8.0 (high): Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver…
CVE-2021-32647 — CVSS 8.0 (high): Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code…
CVE-2026-24246 — CVSS 7.8 (high): NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code…
CVE-2024-8048 — CVSS 7.8 (high): In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via…
CVE-2022-26469 — CVSS 7.8 (high): In MtkEmail, there is a possible escalation of privilege due to fragment injection. This could lead to local escalation of privilege with…
CVE-2025-31119 — CVSS 7.6 (high): generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-au…
CVE-2026-13772 — CVSS 7.5 (high): IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via…
CVE-2026-48517 — CVSS 7.5 (high): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes…
CVE-2025-3600 — CVSS 7.5 (high): In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an…
CVE-2026-49287 — CVSS 7.4 (high): Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was…
CVE-2019-3834 — CVSS 7.3 (high): It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate…
CVE-2026-33157 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability…
CVE-2026-32264 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before…
CVE-2026-32263 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php…
CVE-2026-25498 — CVSS 7.2 (high): Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code…
CVE-2025-68455 — CVSS 7.2 (high): Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to…
CVE-2024-0200 — CVSS 7.2 (high): An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability…
CVE-2018-5511 — CVSS 7.2 (high): On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface…
CVE-2026-55153 — CVSS 7.1 (high): mchange-commons-java is a Java library of shared utility classes used by mchange projects like the c3p0 connection pool. Prior to version…
CVE-2017-7536 — CVSS 7.0 (high): In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions…
CVE-2026-23923: An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on…
CVE-2021-21327 — CVSS 6.8 (medium): GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software…
CVE-2024-1574 — CVSS 6.7 (medium): Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of Mitsubishi…
CVE-2026-34216 — CVSS 6.6 (medium): CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a…