Skip to main content

Helix

4 CVEs product

Monthly

CVE-2026-57111 HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-22281 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-38647 Maven CRITICAL PATCH Act Now

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Helix
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-47500 Maven MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.8.0 to 1.0.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Helix
NVD
CVSS 3.1
6.1
EPSS
1.1%
EPSS 0% CVSS 7.5
HIGH This Week

Cross-origin information disclosure in the Apache Helix REST service (helix-rest) through 2.0.0 lets a remote attacker who lures an authenticated operator to a malicious web page read responses from and send requests to administrative REST endpoints. The CORSFilter unconditionally returns Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true and reflects arbitrary preflight method/header values, defeating the browser same-origin policy. There is no public exploit identified at time of analysis and EPSS risk is low (0.17%, 7th percentile), and it is not on the CISA KEV list.

Apache Information Disclosure Helix
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Helix
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Helix
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Software Foundation Apache Helix UI component.8.0 to 1.0.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Helix
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy