Skip to main content

Central Dogma

7 CVEs product

Monthly

CVE-2026-11748 MEDIUM This Month

LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Central Dogma LDAP Code Injection
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-11746 CRITICAL Act Now

Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.

Central Dogma Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-11745 HIGH This Week

Man-in-the-middle attacks against LY Corporation's Central Dogma server can compromise mirrored Git repositories in versions of the centraldogma-server-mirror-git module prior to 0.84.0, because the embedded SSH client accepts any host key presented over git+ssh:// connections. An on-path attacker between Central Dogma and the upstream Git server can impersonate that server, inject malicious commits, and silently poison every downstream consumer that reads from the mirror. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Central Dogma
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-11222 Maven MEDIUM PATCH This Month

Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.

Open Redirect Central Dogma
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-1143 Maven MEDIUM PATCH This Month

Central Dogma versions prior to 0.64.1 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass XSS Central Dogma
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2021-38388 HIGH PATCH This Week

Central Dogma allows privilege escalation with mirroring to the internal dogma repository that has a file managing the authorization of the project. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Privilege Escalation Authentication Bypass Central Dogma
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2019-6002 MEDIUM This Month

Cross-site scripting vulnerability in Central Dogma 0.17.0 to 0.40.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Central Dogma
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
EPSS 0% CVSS 6.9
MEDIUM This Month

LDAP injection in Central Dogma's Apache Shiro-based authentication module exposes unauthenticated remote attackers to authentication confusion and Active Directory enumeration. The SearchFirstActiveDirectoryRealm component in centraldogma-server-auth-shiro versions prior to 0.84.0 inserts the login username directly into an LDAP search filter without escaping metacharacters, allowing filter logic manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or preconditions are required beyond reaching the login endpoint. No public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Central Dogma LDAP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Cluster-wide remote code execution in LY Corporation's centraldogma-server prior to 0.84.0 occurs when ZooKeeper replication is enabled without explicitly configuring replication.secret, causing the embedded ZooKeeper ensemble to authenticate using a hard-coded, publicly known fallback credential. An adjacent attacker with network reachability to the replication ports can read the entire replication log or join the quorum to issue arbitrary replicated commands. No public exploit identified at time of analysis, but the issue is a default-credential failure that is trivial to weaponize once discovered.

Central Dogma Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Man-in-the-middle attacks against LY Corporation's Central Dogma server can compromise mirrored Git repositories in versions of the centraldogma-server-mirror-git module prior to 0.84.0, because the embedded SSH client accepts any host key presented over git+ssh:// connections. An on-path attacker between Central Dogma and the upstream Git server can impersonate that server, inject malicious commits, and silently poison every downstream consumer that reads from the mirror. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Central Dogma
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.

Open Redirect Central Dogma
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Central Dogma versions prior to 0.64.1 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass XSS Central Dogma
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Central Dogma allows privilege escalation with mirroring to the internal dogma repository that has a file managing the authorization of the project. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Privilege Escalation Authentication Bypass Central Dogma
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Central Dogma 0.17.0 to 0.40.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Central Dogma
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy