CVE Watchtower


← Back to CVE List

CVE-2026-40008NVD

Vulnerability Summary

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB.
The pipe processor reads a fully
qualified Java class name and
instantiates it using Class.forName().newInstance() without any
validation or allowlisting.


This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.

Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Severity Level
CRITICAL(9.8)
Published Date
Jul 10, 2026
Last Modified
Jul 10, 2026
Exploitation Status
No confirmed exploitation yet
EPSS Score (30-Day)
0.25%Probability
Root Weakness (CWE)
Refer to the official MITRE database for detailed architectural specifications regarding this weakness.
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh