Skip to main content
CVE-2026-33453 CRITICAL POC PATCH GHSA Act Now

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy.   Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.                                                                                                                                                                         Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.

RCE Microsoft Command Injection Apache Apache Camel
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-41462 CRITICAL POC Act Now

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Information Disclosure SQLi Projeqtor
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-40453 CRITICAL PATCH GHSA Act Now

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Microsoft RCE Google Canonical Apache +1
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-40860 CRITICAL PATCH Act Now

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

RCE Deserialization Apache Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-30352 CRITICAL Act Now

A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.

Command Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-31255 CRITICAL Act Now

Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.

Tenda Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-41409 CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. Apache confirmed the flaw affects applications calling IoBuffer.getObject() and released patches in versions 2.0.28, 2.1.11, and 2.2.6. CVSS 9.8 critical score reflects network-accessible unauthenticated exploitation with complete system compromise potential.

Deserialization Apache Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-41635 CRITICAL PATCH GHSA Act Now

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction. Applications using IoBuffer.getObject() are affected. Vendor-released patches available in versions 2.0.28, 2.1.11, and 2.2.6.

RCE Deserialization Apache Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22337 CRITICAL PATCH Act Now

Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.

Privilege Escalation Directorist Social Login
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-35903 CRITICAL Act Now

Authentication bypass in MERCURY MIPC252W IP camera 1.0.5 allows remote unauthenticated attackers to hijack authenticated RTSP sessions and execute unauthorized camera control commands. After an initial valid Digest authentication in a DESCRIBE request, the device fails to validate subsequent RTSP request credentials (SETUP, PLAY, TEARDOWN), accepting empty or invalid Authorization headers as long as session parameters match. This enables complete camera takeover including video stream access, configuration changes, and service disruption without credential brute-forcing. EPSS score of 0.01% suggests minimal observed exploitation activity, though the attack complexity is low (AV:N/AC:L/PR:N) and public PoC exists on GitHub.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-33454 CRITICAL PATCH GHSA Act Now

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

Microsoft Deserialization Apache Apache Camel
NVD VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2024-46636 CRITICAL Act Now

NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-22336 CRITICAL PATCH Act Now

Unauthenticated SQL injection in Directorist Booking WordPress plugin allows remote attackers to extract sensitive database contents and cause limited denial of service. The vulnerability affects all versions prior to 3.0.2 and can be exploited remotely with low complexity and no authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). Patchstack has published details confirming the vulnerability exists in version 2.4.1 and earlier, with a vendor-released patch available in version 3.0.2. No CISA KEV listing or public exploit code identified at time of analysis.

SQLi Directorist Booking
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy