CVE-2026-40008
EUVD-2026-4283610.07.2026, 08:16
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache IoTDB.
The pipe processor reads a fully
qualified Java class name and
instantiates it using Class.forName().newInstance() without any
validation or allowlisting.
This issue affects Apache IoTDB: from 1.0.0 before 2.0.10.
Users are recommended to upgrade to version 2.0.10, which fixes the issue.Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| apache | iotdb | 1.0.0 ≤ 𝑥 < 2.0.10 | CNA |