Skip to main content

Ranger CVE-2025-59059

CRITICAL
Code Injection (CWE-94)
2026-03-03 security@apache.org GHSA-c87w-642h-m97h
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 03, 2026 - 11:16 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 83 maven packages depend on org.apache.ranger:ranger-plugins-common (49 direct, 34 indirect)

Ecosystem-wide dependent count for version 2.8.0.

DescriptionCVE.org

Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.

AnalysisAI

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Technical ContextAI

CWE-94 code execution through Nashorn JavaScript engine.

RemediationAI

Update to Ranger > 2.7.0.

More in Ranger

View all
CVE-2015-0266 HIGH POC
7.1 Apr 11

The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrict

CVE-2015-0265 MEDIUM POC
6.1 Apr 11

Cross-site scripting (XSS) vulnerability in the Policy Admin Tool in Apache Ranger before 0.5.0 allows remote attackers

CVE-2016-0733 CRITICAL
9.8 Apr 12

The Admin UI in Apache Ranger before 0.5.1 does not properly handle authentication requests that lack a password, which

CVE-2017-7676 CRITICAL
9.8 Jun 14

Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, te

CVE-2024-55532 CRITICAL
9.8 Mar 03

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rat

CVE-2016-0735 HIGH
8.8 Apr 11

Apache Ranger 0.5.x before 0.5.2 allows remote authenticated users to bypass intended parent resource-level access restr

CVE-2018-11778 HIGH
8.8 Oct 05

UnixAuthenticationService in Apache Ranger 1.2.0 was updated to correctly handle user input to avoid Stack-based buffer

CVE-2016-2174 HIGH
7.2 Jun 13

SQL injection vulnerability in the policy admin tool in Apache Ranger before 0.5.3 allows remote authenticated administr

CVE-2016-6815 MEDIUM
6.5 Oct 13

In Apache Ranger before 0.6.2, users with "keyadmin" role should not be allowed to change password for users with "admin

CVE-2015-5167 MEDIUM
6.5 Apr 12

The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrict

CVE-2019-12397 MEDIUM
6.1 Aug 08

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Rated medium

CVE-2016-8746 MEDIUM
5.9 Jun 14

Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wi

Share

CVE-2025-59059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy