Skip to main content

Gradle

24 CVEs product

Monthly

CVE-2026-22865 HIGH PATCH This Week

Gradle versions before 9.3.0 fail to properly handle certain exceptions during dependency resolution, allowing attackers who control a repository to serve malicious artifacts by disrupting legitimate repository services. When transient errors occur, Gradle incorrectly continues to the next configured repository instead of disabling the failing source, enabling attackers to intercept and redirect dependency resolution to attacker-controlled repositories. This vulnerability affects Java builds using vulnerable Gradle versions and requires network-level control over a repository to exploit.

Java Gradle Suse
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-22816 HIGH PATCH This Week

Gradle before version 9.3.0 fails to treat certain dependency resolution exceptions as fatal errors, allowing builds to continue using alternate repositories when encountering unresolvable hostnames. An attacker could exploit this by registering a domain matching a typo or lapsed registration to intercept and supply malicious dependencies to affected builds. This affects Java projects using vulnerable Gradle versions with multiple configured repositories.

Java Gradle Suse
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2023-42445 MEDIUM This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-44387 MEDIUM PATCH This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-39152 Maven MEDIUM PATCH This Month

Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Gradle
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-35947 HIGH PATCH This Week

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Gradle
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2023-35946 MEDIUM PATCH This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Gradle
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-26053 CRITICAL PATCH Act Now

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-31156 MEDIUM This Month

Gradle is a build tool. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
4.4
EPSS
0.5%
CVE-2022-30586 HIGH This Week

Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Information Disclosure Gradle
NVD
CVSS 3.1
7.2
EPSS
1.2%
CVE-2021-41588 HIGH This Week

In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Java Gradle
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-41587 HIGH This Week

In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gradle
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-41586 HIGH This Week

In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gradle
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-41584 HIGH This Week

Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Gradle
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-32751 HIGH POC This Week

Gradle is a build tool with a focus on build automation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Command Injection Java Gradle
NVD GitHub
CVSS 3.1
7.5
EPSS
2.7%
CVE-2021-29428 HIGH POC PATCH This Week

In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Apple Microsoft Privilege Escalation Java Gradle +1
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2021-29427 HIGH POC This Week

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gradle Quarkus
NVD GitHub
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-29429 MEDIUM POC This Month

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java Gradle Quarkus
NVD GitHub
CVSS 3.1
5.5
EPSS
0.5%
CVE-2020-11979 Maven HIGH PATCH This Week

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Code Injection Ant Gradle Fedora +34
NVD GitHub
CVSS 3.1
7.5
EPSS
8.2%
CVE-2019-16370 Maven MEDIUM POC PATCH This Month

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
5.9
EPSS
1.0%
CVE-2019-15052 CRITICAL POC PATCH Act Now

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gradle
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2019-9843 Maven HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2019-11065 Maven MEDIUM PATCH This Month

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Gradle Fedora
NVD GitHub
CVSS 3.1
5.9
EPSS
1.4%
CVE-2016-6199 CRITICAL POC Act Now

ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE Gradle
NVD
CVSS 3.0
9.8
EPSS
2.3%
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Gradle versions before 9.3.0 fail to properly handle certain exceptions during dependency resolution, allowing attackers who control a repository to serve malicious artifacts by disrupting legitimate repository services. When transient errors occur, Gradle incorrectly continues to the next configured repository instead of disabling the failing source, enabling attackers to intercept and redirect dependency resolution to attacker-controlled repositories. This vulnerability affects Java builds using vulnerable Gradle versions and requires network-level control over a repository to exploit.

Java Gradle Suse
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Gradle before version 9.3.0 fails to treat certain dependency resolution exceptions as fatal errors, allowing builds to continue using alternate repositories when encountering unresolvable hostnames. An attacker could exploit this by registering a domain matching a typo or lapsed registration to intercept and supply malicious dependencies to affected builds. This affects Java projects using vulnerable Gradle versions with multiple configured repositories.

Java Gradle Suse
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Gradle
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Jenkins Information Disclosure Gradle
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Gradle
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Gradle
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Gradle is a build tool with a focus on build automation and support for multi-language development. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Gradle
NVD GitHub
EPSS 1% CVSS 4.4
MEDIUM This Month

Gradle is a build tool. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Gradle
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Information Disclosure Gradle
NVD
EPSS 1% CVSS 8.1
HIGH This Week

In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Java Gradle
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gradle
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Gradle
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Gradle
NVD
EPSS 3% CVSS 7.5
HIGH POC This Week

Gradle is a build tool with a focus on build automation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE Command Injection Java +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Apple Microsoft Privilege Escalation +3
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gradle Quarkus
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java Gradle +1
NVD GitHub
EPSS 8% CVSS 7.5
HIGH PATCH This Week

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Code Injection Ant +36
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Gradle
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Gradle
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XXE Gradle Maven
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Gradle Fedora
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Java RCE +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy