CVE-2026-40008
Description
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB.
The pipe processor reads a fully
qualified Java class name and
instantiates it using Class.forName().newInstance() without any
validation or allowlisting.
This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.
Users are recommended to upgrade to version 2.0.10, which fixes the issue.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Apache Software Foundation | Apache IoTDB | — | 1.0.0 < 2.0.10 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-470 | cna | CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |