Skip to main content

mchange-commons-java CVE-2026-27727

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-02-25 security-advisories@github.com GHSA-m2cm-222f-qw44
8.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Network-reachable but requires provoking the app to resolve attacker-controlled references plus elevated data/config control (AC:H, PR:H); remote class loading yields full RCE with scope change (S:C, C/I/A:H).

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.3 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

11
Analysis Updated
Jun 30, 2026 - 05:22 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:21 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:20 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
CRITICAL HIGH
CVSS changed
Jun 30, 2026 - 03:23 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Mar 11, 2026 - 23:30 vuln.today
Public exploit code
Patch released
Mar 11, 2026 - 23:30 nvd
Patch available
CVE Published
Feb 25, 2026 - 17:25 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 118 maven packages depend on com.mchange:mchange-commons-java (8 direct, 110 indirect)

Ecosystem-wide dependent count for version 0.4.0.

DescriptionCVE.org

mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted jaxax.naming.Reference or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to false, com.sun.jndi.ldap.object.trustURLCodebase. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

AnalysisAI

Remote code execution in mchange-commons-java prior to 0.4.0 allows an attacker to download and run arbitrary Java code by forcing an application to dereference a malicious javax.naming.Reference or serialized object that specifies a remote factoryClassLocation. The library ships its own legacy JNDI dereferencing implementation, so applications using it (notably the c3p0 connection pool) remain exploitable even on JDKs hardened with com.sun.jndi.ldap.object.trustURLCodebase=false. Publicly available exploit code exists (Mogwai Labs c3p0 research), though EPSS is low (0.10%, 27th percentile) and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability lives in mchange-commons-java, a general-purpose Java utility library widely pulled in transitively by c3p0 (a JDBC connection pool). It reproduces the classic JNDI injection pattern (CWE-74, Injection) in which a Naming Reference can carry a remote codebase URL via factoryClassLocation; when the reference is resolved, the named ObjectFactory class is fetched from that URL and instantiated, leading to code execution. Oracle mitigated this in the JDK by gating remote codebase loading behind the com.sun.jndi.ldap.object.trustURLCodebase System property (default false), but because mchange-commons-java carries an independent dereferencing implementation, that JDK hardening does not apply. The affected component is cpe:2.3:a:mchange:mchange_commons_java for all versions before 0.4.0, which now gates this functionality behind configuration parameters that default to restrictive values.

RemediationAI

Vendor-released patch: upgrade mchange-commons-java to version 0.4.0 or later, which gates the JNDI dereferencing functionality behind configuration parameters that default to restrictive values; bump any transitive dependency (for example via c3p0) so that versions prior to 0.4.0 are not present on application CLASSPATHs. Apply the corresponding distribution updates where relevant: Red Hat RHSA-2026:3890 / RHSA-2026:4285 (and related errata) and SUSE SUSE-SU-2026:0855 / SUSE-SU-2026:1035, per https://access.redhat.com/errata/RHSA-2026:3890 and https://www.suse.com/support/update/SUSE-SU-2026:0855/. The upstream advisory GHSA-m2cm-222f-qw44 states no known workarounds are available, so upgrading is the only reliable fix; as compensating controls until patched, ensure no attacker-controllable input reaches JNDI lookups or Java deserialization paths (do not let untrusted parties influence c3p0 JNDI/JDBC configuration or supply serialized objects), and apply network egress filtering to block outbound LDAP/RMI/HTTP from application servers to untrusted hosts so a remote factoryClassLocation cannot be fetched - noting that egress restrictions can break legitimate outbound integrations and must be scoped carefully.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.1 Affected
Container suse/manager/5.0/x86_64/server-attestation:latest Container suse/manager/5.0/x86_64/server:latest Image server-attestation-image Image server-image Affected
SUSE Manager Proxy LTS 4.3 Fixed
SUSE Manager Retail Branch Server LTS 4.3 Fixed
SUSE Manager Server LTS 4.3 Fixed

Share

CVE-2026-27727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy