Skip to main content

Fuse

19 CVEs product

Monthly

CVE-2025-12543 Maven CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +5
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-9784 Maven HIGH PATCH GHSA This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform Fuse Single Sign On +4
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-1635 Maven HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation Fuse Integration Camel For Spring Boot +5
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2023-1108 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager Fuse Integration Camel K +12
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2020-25689 Maven MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse Jboss Data Grid Jboss Enterprise Application Platform +6
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-10719 Maven MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow Oncommand Insight Fuse +5
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2019-10174 Maven HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse Jboss Data Grid Jboss Enterprise Application Platform +3
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2019-14860 MEDIUM This Month

It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Fuse Syndesis
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2019-10219 Maven MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse Jboss Data Grid Jboss Enterprise Application Platform +184
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2019-0201 Maven MEDIUM PATCH This Month

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Apache Activemq Drill Zookeeper +7
NVD
CVSS 3.1
5.9
EPSS
9.6%
CVE-2019-0204 Maven HIGH PATCH This Week

A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Docker Apache Mesos Fuse
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2018-10906 HIGH POC PATCH This Week

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Debian Linux Fuse Enterprise Linux Desktop +2
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
1.4%
CVE-2018-1258 Maven HIGH PATCH This Week

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Java Authentication Bypass Spring Security Spring Framework Agile Plm +39
NVD
CVSS 3.1
8.8
EPSS
2.4%
CVE-2018-1270 Maven CRITICAL POC PATCH THREAT Act Now

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Code Injection RCE Spring Framework Application Testing Suite +26
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
77.2%
CVE-2018-1199 Maven MEDIUM PATCH This Month

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Spring Framework Spring Security Fuse +2
NVD
CVSS 3.1
5.3
EPSS
2.9%
CVE-2017-7957 Maven HIGH PATCH This Week

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Fuse Jboss Middleware Xstream Debian Linux
NVD
CVSS 3.1
7.5
EPSS
4.9%
CVE-2017-5645 Maven CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE Log4J Oncommand Api Services +77
NVD
CVSS 3.1
9.8
EPSS
94.0%
Threat
6.3
CVE-2016-1233 HIGH This Week

An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Fuse
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2015-3202 LOW POC Monitor

fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Debian Linux Fuse
NVD GitHub Exploit-DB
CVSS 2.0
3.6
EPSS
0.3%
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation +7
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +6
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation +7
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager +14
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse +8
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow +7
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse +5
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cors Misconfiguration Fuse +1
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse +186
NVD GitHub
EPSS 10% CVSS 5.9
MEDIUM PATCH This Month

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Apache Activemq +9
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Docker Apache +2
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is vulnerable to a restriction bypass when SELinux is active. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Debian Linux +4
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Java Authentication Bypass Spring Security +41
NVD
EPSS 77% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Code Injection RCE +28
NVD Exploit-DB
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Authentication Bypass Spring Framework +4
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Fuse Jboss Middleware +2
NVD
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE +79
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An unspecified udev rule in the Debian fuse package in jessie before 2.9.3-15+deb8u2, in stretch before 2.9.5-1, and in sid before 2.9.5-1 sets world-writable permissions for the /dev/cuse character. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Debian Privilege Escalation Fuse
NVD
EPSS 0% CVSS 3.6
LOW POC Monitor

fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Debian Linux Fuse
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy