What is the CVSS score of CVE-2026-25747?

CVE-2026-25747 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Java are affected by CVE-2026-25747?

A critical deserialization vulnerability in Apache Camel's LevelDB component could allow attackers to execute arbitrary code on systems using this component, potentially compromising data integrity…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25747?

Yes, a public proof-of-concept exploit is available for CVE-2026-25747. Prioritise patching immediately. EPSS: 0.1%.

Java CVE-2026-25747

HIGH

Deserialization of Untrusted Data (CWE-502)

2026-02-23 security@apache.org

GHSA-429q-mrc4-38fr

Apache Java Deserialization Red Hat Camel

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 26, 2026 - 22:20 vuln.today

Public exploit code

CVE Published

Feb 23, 2026 - 09:17 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

19 maven packages depend on org.apache.camel:camel-leveldb (3 direct, 16 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionNVD

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.

The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5

AnalysisAI

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. …

RemediationAI

Within 24 hours: Identify all systems running Apache Camel with LevelDB component enabled and assess exposure in your environment. Within 7 days: Implement network segmentation to restrict untrusted data access to affected systems, disable LevelDB aggregation repository if operationally feasible, and apply input validation controls. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory