{"id":"CVE-2026-46718","summary":"Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution","details":"Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite.\n\nThis issue affects Apache Calcite: from 1.5.0 before 1.42.\n\nUsers are recommended to upgrade to version 1.42, which fixes the issue.","aliases":["GHSA-c2rv-hwqm-wjpg"],"modified":"2026-07-09T21:41:39.592519789Z","published":"2026-06-02T09:17:51.193Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"1.5.0"},{"fixed":"1.42"}],"source":"AFFECTED_FIELD"},{"source":"DESCRIPTION","extracted_events":[{"introduced":"1.5.0"},{"fixed":"1.42"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46718.json","cna_assigner":"apache","cwe_ids":["CWE-470"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/01/7"},{"type":"WEB","url":"https://repo.maven.apache.org/maven2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46718.json"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/9s37svo343w5ck1ovh478lkzcqk4949v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46718"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/calcite","events":[{"introduced":"ba6e43c6983ca92d8ce32a693776dbe73f19e0dc"},{"fixed":"c01f6b5519d4a906cf41bbe7843f5929662cf5fd"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"1.5.0"},{"fixed":"1.42.0"}],"cpe":"cpe:2.3:a:apache:calcite:*:*:*:*:*:*:*:*"}}],"versions":["calcite-1.41.0-rc0","calcite-1.41.0","calcite-1.40.0-rc1","calcite-1.40.0","calcite-1.39.0-rc1","calcite-1.39.0","calcite-1.38.0-rc1","calcite-1.38.0","calcite-1.37.0","calcite-1.36.0-rc0","calcite-1.36.0","calcite-1.35.0-rc3","calcite-1.35.0","calcite-1.34.0-rc0","calcite-1.34.0","calcite-1.32.0-rc0","calcite-1.32.0","calcite-1.31.0-rc3","calcite-1.31.0","calcite-1.30.0-rc3","calcite-1.30.0","calcite-1.29.0-rc0","calcite-1.29.0","calcite-1.28.0-rc0","calcite-1.28.0","calcite-1.27.0-rc0","calcite-1.27.0","calcite-1.26.0-rc0","calcite-1.26.0","calcite-1.25.0-rc0","calcite-1.25.0","calcite-1.24.0-rc0","calcite-1.24.0","calcite-1.23.0-rc1","calcite-1.23.0","v1.23.0-rc1","calcite-1.22.0","calcite-1.21.0","calcite-1.20.0","calcite-1.19.0","calcite-1.18.0","calcite-1.17.0","calcite-1.16.0","calcite-1.15.0","calcite-1.14.0","calcite-1.13.0","calcite-1.12.0","calcite-1.11.0","rel/calcite-avatica-1.9.0","calcite-avatica-1.9.0-rc1","calcite-avatica-1.9.0","calcite-1.10.0","calcite-1.9.0","calcite-1.8.0","calcite-1.7.0","rel/calcite-avatica-1.7.1","calcite-avatica-1.7.1","rel/calcite-avatica-1.7.0","calcite-avatica-1.7.0","rel/calcite-1.6.0","calcite-1.6.0","rel/calcite-1.5.0","calcite-1.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46718.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}