To access material, start machines and answer questions login.
Alf.io (opens in new tab) is an open-source, Java/Spring Boot event management platform used by conference organizers, sports clubs, and ticketing services worldwide. It ships with an extension system that lets administrators run custom JavaScript scripts in response to platform events, like ticket assignments and invoice generation.
To isolate those scripts from the underlying JVM, Alf.io uses a JavaScript backed by Mozilla Rhino. Scripts are validated against a blocklist before execution, where patterns like java.lang.Runtime and reflection keywords are rejected. The assumption: a script that can't name a dangerous class can't reach one.
CVE-2026-35482 breaks that assumption. It was discovered autonomously by NoScope. NoScope conducted a full automated pentest against the target, identified the unusual returnClass binding, confirmed it was exploitable end-to-end, and generated a validated finding, all without ever looking at the code. No static analysis or pentesting tool had caught it before.
Alf.io injects a variable called returnClass into every script's scope, a raw Java Class<T> object intended as a convenience for scripts that need to declare their return type. Because Class<T> exposes Class.forName(), an attacker can load any JVM class by passing its name as a string argument, which the blocklist never inspects. From there, Java reflection gives full access to Runtime.exec() and arbitrary OS command execution.
NoScope responsibly disclosed the vulnerability to the Alf.io maintainers and coordinated the CVE assignment before publishing.
Learning Objectives
- Configure NoScope and run a full automated pentest against a live target
- Confirm the target is running a vulnerable version of Alf.io
- Understand how NoScope autonomously identified and validated CVE-2026-35482 (opens in new tab)
- Craft a sandbox-escape payload using the
returnClassbinding - Register and trigger the payload through the Extensions
- Upgrade to a reverse shell
Prerequisites
- Basic familiarity with JavaScript
NoScope runs on frontier models and no customer data is used to train our . Learn more.
I am ready to start!
Ready to learn Cyber Security?
The NoScope: Finding RCE room is only available for Premium or Max subscribers. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
Already have an account? Log in

