CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Monthly
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.
Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.
Arbitrary code execution in NVIDIA Megatron Bridge on Linux arises from unsafe reflection (CWE-470), where externally-controlled input selects which classes or code resources are dynamically loaded. A local attacker who convinces a user to load a crafted artifact (e.g., a malicious model, checkpoint, or configuration) can trigger code execution, privilege escalation, data tampering, and information disclosure. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects high attack complexity and the prerequisite that typeless deserialization must be enabled and attacker-controlled input must reach the deserializer.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. No public exploit identified at time of analysis and not in CISA KEV; exploitation requires a non-default template configuration that pipes visitor input into a tag's sort parameter.
Starlette's HTTPEndpoint dispatcher allows remote unauthenticated attackers to invoke arbitrary internal Python instance methods as HTTP handlers by sending non-standard HTTP method names that resolve to endpoint attributes via getattr, effectively circumventing authorization logic guarding intended public handlers. Applications built on Starlette - including FastAPI - are affected when HTTPEndpoint subclasses are registered via Route(...) without an explicit methods= argument and those subclasses expose internal methods whose lowercased names match non-standard HTTP token shapes. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in starlette 1.1.0.
Unsafe reflection in Apache Calcite 1.5.0 through 1.41 allows unauthenticated remote attackers to supply externally-controlled input that influences class or code selection at runtime, resulting in partial confidentiality and integrity impact (CVSS C:L/I:L). The vulnerability stems from CWE-470, where user-supplied input is used unsanitized to drive Java reflection operations. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (7th percentile) indicates low community-assessed exploitation probability at time of analysis.
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.
Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.
Arbitrary code execution in NVIDIA Megatron Bridge on Linux arises from unsafe reflection (CWE-470), where externally-controlled input selects which classes or code resources are dynamically loaded. A local attacker who convinces a user to load a crafted artifact (e.g., a malicious model, checkpoint, or configuration) can trigger code execution, privilege escalation, data tampering, and information disclosure. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
Typeless deserialization in MessagePack-CSharp allows blocked types to be instantiated by wrapping them inside arrays or generic type constructs, bypassing the ThrowIfDeserializingTypeIsDisallowed safety check. Applications using typeless deserialization on MessagePack-CSharp prior to versions 2.5.301 (2.x branch) and 3.1.7 (3.x branch) are exposed. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects high attack complexity and the prerequisite that typeless deserialization must be enabled and attacker-controlled input must reach the deserializer.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Integrity and availability loss in Statamic CMS versions prior to 5.73.23 and 6.20.0 allows remote attackers to destroy content and assets by manipulating sort parameters that flow into in-memory collection sorting. This is an incomplete-fix follow-up to CVE-2026-41175 (CWE-470, unsafe reflection / method invocation), where the original patch covered the query builder but not the in-memory sort path. No public exploit identified at time of analysis and not in CISA KEV; exploitation requires a non-default template configuration that pipes visitor input into a tag's sort parameter.
Starlette's HTTPEndpoint dispatcher allows remote unauthenticated attackers to invoke arbitrary internal Python instance methods as HTTP handlers by sending non-standard HTTP method names that resolve to endpoint attributes via getattr, effectively circumventing authorization logic guarding intended public handlers. Applications built on Starlette - including FastAPI - are affected when HTTPEndpoint subclasses are registered via Route(...) without an explicit methods= argument and those subclasses expose internal methods whose lowercased names match non-standard HTTP token shapes. No public exploit or active exploitation has been identified at time of analysis; a vendor-released patch is available in starlette 1.1.0.
Unsafe reflection in Apache Calcite 1.5.0 through 1.41 allows unauthenticated remote attackers to supply externally-controlled input that influences class or code selection at runtime, resulting in partial confidentiality and integrity impact (CVSS C:L/I:L). The vulnerability stems from CWE-470, where user-supplied input is used unsanitized to drive Java reflection operations. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (7th percentile) indicates low community-assessed exploitation probability at time of analysis.