THREATOPS
THREAT OPSThreat News › CVE-2026-40008: Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC

CVE-2026-40008: Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC

lowoss_secPublished 2026-07-10

<p>Posted by Haonan Hou on Jul 10</p>Severity: important <br /> <br /> Affected versions:<br /> <br /> - Apache IoTDB 1.0.0 before 2.0.10<br /> <br /> Description:<br /> <br /> Use of Externally-Controlled Input to Select Classes or Code (&apos;Unsafe Reflection&apos;) vulnerability in Apache IoTDB.<br /> The pipe processor reads a fully<br /> qualified Java class name and<br /> instantiates it us

Indicators of compromise

Original source: https://seclists.org/oss-sec/2026/q3/115