Java
Monthly
Telemetry archive exposure in Yamcs mission control framework allows any authenticated user to dump the entire raw packet archive by exploiting a broken object-level authorization check in the exportPackets API. Versions prior to 5.12.8 (stable) and 5.13.2 (development) are affected. No public exploit or CISA KEV listing exists, but the attack requires only a valid session and a trivially crafted HTTP request, making it immediately actionable for any insider or compromised account.
Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.
Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
Denial of service in the Netty netty-codec-stomp module (versions 4.1.x up to 4.1.135.Final and 4.2.0.Alpha1 through 4.2.15.Final) allows a remote attacker to trigger an OutOfMemoryError and crash the JVM. The StompSubframeDecoder caps individual header line length via maxLineLength but never bounds the total header count or cumulative header size, so a single STOMP frame packed with thousands of short headers exhausts heap memory. Publicly available exploit code exists (a working client/server PoC is published in the GitHub Security Advisory), but there is no public evidence of active exploitation; EPSS/KEV signals are not present in the input.
Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.
Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.
Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.
Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.
Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).
Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.
Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.
Remote code injection in pig-mesh Pig's pig-codegen module through version 3.9.2 allows low-privileged authenticated attackers to execute arbitrary code server-side via the GeneratorServiceImpl component, reachable over the network. A publicly available proof-of-concept exploit exists at GitHub (sombra0316/CVE-2026), elevating the urgency for defenders. No vendor patch has been released, and the vendor did not respond to responsible disclosure, leaving affected deployments without an official remediation path.
Code injection in SonicCloudOrg sonic-agent through version 2.7.2 allows remote unauthenticated attackers to inject and execute arbitrary code via the ExchangeController endpoint, which bypasses or is excluded from the JWT Authentication Filter. The vulnerability carries a public proof-of-concept exploit named 'Unauth_ExchangeSend', confirming the endpoint is reachable without authentication. Critically, the affected product is end-of-life with no vendor support, and the maintainer did not respond to disclosure - no patch is forthcoming.
OS command injection in SonicCloudOrg sonic-agent up to version 2.7.2 allows remote low-privileged attackers to execute arbitrary system commands via the evalIsFailed function in the Groovy Script Handler component. The public proof-of-concept - titled 'Unsandboxed_RCE' - confirms that Groovy scripts are executed without a security sandbox, enabling full host-level command execution. Critically, this is an end-of-life product with no vendor response and no patch, meaning no fix is forthcoming; no public exploit identified in CISA KEV at time of analysis, but a public POC exists.
OS command injection in SonicCloudOrg sonic-agent (all versions up to 2.7.2) enables remote code execution through the Android WebSocket Server component. An authenticated remote attacker can manipulate the `path` argument in AndroidWSServer.java to inject arbitrary OS commands on the host running the agent. Publicly available exploit code exists (GitHub PoC by xpp3901), no vendor patch will be issued as the product is end-of-life, and the vendor is unresponsive to disclosure - creating a permanent, unmitigable risk for any active deployment.
Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.
Path traversal in halo-dev/halo through version 2.24.2 allows authenticated administrators to write files outside the intended theme directory by supplying a crafted `metadata.name` value during theme installation. The flaw resides in the `ThemeUtils.unzipThemeTo()` function in `ThemeUtils.java`, which fails to sanitize the metadata name before constructing extraction paths. A public proof-of-concept exploit exists, but real-world impact is substantially constrained by the PR:H prerequisite - the attacker must already hold admin-level credentials - yielding a CVSS 4.0 score of only 2.0 and no CISA KEV listing.
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.
Remote code execution in Metabase (open-source BI/analytics platform) versions 1.55.0 through the fixed releases arises because one database-creation code path failed to validate unsafe H2 JDBC connection properties, letting an authenticated administrator register a crafted H2 datasource and run arbitrary Java on the server host. Because the CVSS scope is Changed (S:C), successful exploitation escapes the application context and yields full host compromise. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the CVSS base score of 9.1 and RCE nature make it a high-priority patch for any exposed Metabase instance.
OS command injection in the Android WebView JavaScript bridge of openclaw-android (versions up to 0.4.0) permits a local, low-privileged attacker to execute arbitrary OS commands through the `JsBridge.kt` component. Exploitation is constrained to local device access, limiting real-world blast radius, but a publicly disclosed proof-of-concept exists per the CVSS 4.0 E:P supplemental metric. No patch has been released - a remediation pull request (#137) is pending acceptance, leaving all users on version 0.4.0 or earlier exposed.
Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.
Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.
Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.
Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).
Remote code execution in Apache Gravitino before 1.2.1 allows unauthenticated callers to abuse the testConnection API by submitting a crafted H2 JDBC URL whose INIT parameter runs arbitrary Java on the server. The flaw only manifests when Gravitino is backed by the H2 database - a configuration primarily used for testing and local development - and CISA SSVC rates technical impact as total and exploitation as automatable, though no public exploit has surfaced. Fixed in 1.2.1; because Gravitino is usually deployed on internal networks and H2 is not the production default, the vendor characterizes real-world severity as low despite the 9.1 CVSS score.
Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.
Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.
Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.
{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.
Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submitting a single query whose time span and aggregation interval are unbounded. Because the affected query interface enforces no reasonable limit on these parameters, a request combining a very large time range with a minimal interval forces the DataNode to materialize an enormous result set in memory, exhausting the Java heap. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, but the fix is easy to reverse-engineer from the version bump to 2.0.8.
Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).
Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.
Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.
Heap-based buffer overflow in radare2's Java binary parser (all versions up to 6.1.6) allows a local, low-privileged attacker to crash the tool by supplying a crafted Java class file with a malformed Line Number Table attribute. The vulnerable function `r_bin_java_inner_classes_attr_calc_size()` in `shlr/java/class.c` miscalculates buffer sizes, resulting in a heap write beyond allocated bounds and a denial-of-service outcome. A public proof-of-concept exists via GitHub issue #26043; no active exploitation has been confirmed by CISA KEV, and impact is confined to availability with no confidentiality or integrity effects.
State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.
Uncontrolled memory allocation in HdrHistogram versions up to 2.2.2 allows a local low-privileged attacker to cause denial of service by passing a crafted byte buffer to the AbstractHistogram.decodeFromByteBuffer method with a malicious numberOfSignificantValueDigits value. The affected Java library fails to validate this argument before using it to drive heap allocation, allowing JVM memory exhaustion in any application that processes attacker-influenced histogram data. Publicly available exploit code exists; no patch has been released as the project maintainer has not responded to the coordinated disclosure.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
Uncontrolled memory allocation in HdrHistogram up to version 2.2.2 allows a local attacker with low-privilege access to crash a dependent Java application by supplying a crafted `lengthOfCompressedContents` value to the `decodeFromCompressedByteBuffer` function, exhausting JVM heap space and causing a denial-of-service. A public proof-of-concept exists (E:P per CVSS 4.0), though the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.9 reflects the strictly local attack vector and limited impact scope - only availability at the vulnerable system level is affected.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.
TLS channel-binding downgrade in the ongres scram-client Java library (com.ongres.scram) lets a network man-in-the-middle silently strip SCRAM-SHA-256-PLUS down to plain SCRAM-SHA-256, defeating clients that explicitly require channel binding (e.g. channelBinding=require in pgJDBC). The flaw only bites when the server certificate uses a signature algorithm without a legacy 'WITH' name (Ed25519 or post-quantum), causing an internal NoSuchAlgorithmException to be swallowed and an empty channel-binding value to be treated as 'not offered' rather than a hard failure. Fixed in scram library 3.3; no public exploit identified at time of analysis and the issue is reported by the upstream maintainer via GitHub advisory GHSA-p9jg-fcr6-3mhf.
Denial of service in OpenTelemetry Java Instrumentation before 2.27.0 lets an attacker who can reach an RMI endpoint on an instrumented JVM send an oversized context-propagation payload that triggers excessive memory allocation. The RMI payload reader caps the number of context entries but never bounds the aggregate size of the strings it reads, so a single crafted request can exhaust heap and crash or stall the JVM. No public exploit is identified at time of analysis, EPSS is low (0.24%), and CISA SSVC records no observed exploitation, but the flaw is network-reachable and unauthenticated wherever RMI instrumentation is enabled and exposed.
OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.
Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. Java applications sharing a single AHC instance - and therefore its default shared CookieStore - across calls to both attacker-influenced and trusted hosts are the primary attack surface; no public exploit has been identified at time of analysis, and vendor-released fixes are available in 2.16.0 and 3.0.11.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.
Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.
Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.
Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.
Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.
Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.
Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.
Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.
Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.
Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.
Authentication bypass in Apache Shiro affects deployments using the shiro-guice module in a web servlet context, where a specially crafted HTTP request can evade path-based access controls and reach protected resources without valid credentials. It mirrors the older shiro-spring flaw CVE-2020-1957 but targets the Guice integration instead, impacting all Shiro releases through 2.x and 3.0.0-alpha-1. No public exploit identified at time of analysis, though the CVSS 4.0 base score of 8.2 reflects high confidentiality impact and the close analogy to a previously exploited bug class.
Arbitrary code execution in QOS.CH logback-core versions up to and including 1.5.34 allows a local attacker with existing privilege to run code in the context of any Java application that loads Logback when the Janino library is on the classpath. The flaw circumvents prior hardening for CVE-2025-11226 via conditional configuration file processing, and is triggered either by writing to an existing logback configuration file or by injecting an environment variable that points the process at a malicious configuration. No public exploit identified at time of analysis, though the bypass nature of the issue makes weaponization of existing CVE-2025-11226 exploit code plausible.
Cross-tenant alarm destruction in OpenRemote Manager (versions before 1.25.0) allows any authenticated user with alarm-write permissions in their own realm to permanently delete alarm records belonging to other tenants by submitting arbitrary sequential alarm IDs to the bulk-delete endpoint. The flaw stems from missing per-record realm scoping in removeAlarms() and is rated CVSS 4.0 8.6 (high); no public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path, making weaponization straightforward.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. No public exploit identified at time of analysis, but the integrity impact is severe because injected fragments like '|| true' can neutralize permit/forbid logic in fine-grained authorization decisions.
Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate authorization decisions by injecting reserved JSON keys (`__entity` or `__extn`) into CedarMap objects built from attacker-controlled input. When an integrating service constructs a CedarMap from caller-supplied data such as headers, metadata, or resource tags, the Rust cedar-policy evaluator can be tricked into interpreting a record as an entity reference, undermining fine-grained authorization. No public exploit identified at time of analysis, but the CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability of authorization outcomes.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.
Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, environment variables, and thread dumps to low-trust Cloud Foundry roles (Space Auditors) due to incorrect default permission levels. Affected versions inherit the base class default of EndpointPermissions.Restricted - which maps to CF's read_basic_data scope - rather than overriding to EndpointPermissions.Full (read_sensitive_data), the permission level Spring Boot's equivalent integration correctly enforces. No public exploit code or KEV listing exists at time of analysis; however, the CVSS PR:L rating reflects that any valid CF credential with Space Auditor privileges is sufficient to reach the affected endpoints.
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka registry containing service registrations with DataCenterInfo.name="Netflix" to permanently break the local service discovery cache. The client's DataCenterInfo.FromJson rejects any value other than "MyOwn" or "Amazon" with an ArgumentException that is silently swallowed by the periodic cache refresh task, leaving downstream .NET services unable to discover peers. No public exploit identified at time of analysis, but the trigger is trivially reachable in mixed Java/Spring-Cloud and Steeltoe environments.
XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.
Regular expression denial of service in HAPI FHIR's DSTU2 FHIRPathEngine allows unauthenticated remote attackers to exhaust server CPU by submitting FHIR resources or FHIRPath expressions containing catastrophically backtracking regexes against the matches() function. This is an incomplete-fix vulnerability stemming from CVE-2026-45367, where the DSTU2 module's matches() at FHIRPathEngine.java line 2462 was left calling raw String.matches() without the RegexTimeout wrapper applied to the other five FHIR version modules. No public exploit identified at time of analysis beyond the reporter's working PoC published in the GHSA advisory.
Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-r4gv-qr8j-p3pg documents the issue and the fix is available in 4.5.2.
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Unbounded memory allocation in @opentelemetry/core affects the W3CBaggagePropagator.extract() method, which fails to enforce W3C Baggage specification size limits (8,192 bytes, 180 entries) on the inbound parsing path - only the outbound inject() path was protected. Unauthenticated remote attackers can exploit this to cause partial availability degradation by sending oversized baggage headers, with elevated risk in non-HTTP transport contexts (messaging systems, custom TextMapGetter implementations) where Node.js's native 16 KB header cap does not apply. No public exploit code or CISA KEV listing exists; the CVSS 5.3 Medium score reflects the real-world constraint imposed by Node.js defaults on the dominant HTTP deployment pattern.
Telemetry archive exposure in Yamcs mission control framework allows any authenticated user to dump the entire raw packet archive by exploiting a broken object-level authorization check in the exportPackets API. Versions prior to 5.12.8 (stable) and 5.13.2 (development) are affected. No public exploit or CISA KEV listing exists, but the attack requires only a valid session and a trivially crafted HTTP request, making it immediately actionable for any insider or compromised account.
Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.
Remote authenticated code execution in DataEase before 2.10.23 lets a low-privileged user abuse the Excel/datasource upload workflow to run arbitrary Java. By uploading a crafted payload.zip via /datasource/upload and defining an H2 datasource that references the archive through the zip: protocol, an attacker forces CalciteProvider.jdbcFetchResultField to execute a query that triggers precompiled Java aliases embedded in test.mv.db. The vendor CVSS 4.0 vector scores this 7.1 (confidentiality-only), but the underlying primitive is full arbitrary code execution; no public exploit identified at time of analysis and it is not listed in CISA KEV.
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
Denial of service in the Netty netty-codec-stomp module (versions 4.1.x up to 4.1.135.Final and 4.2.0.Alpha1 through 4.2.15.Final) allows a remote attacker to trigger an OutOfMemoryError and crash the JVM. The StompSubframeDecoder caps individual header line length via maxLineLength but never bounds the total header count or cumulative header size, so a single STOMP frame packed with thousands of short headers exhausts heap memory. Publicly available exploit code exists (a working client/server PoC is published in the GitHub Security Advisory), but there is no public evidence of active exploitation; EPSS/KEV signals are not present in the input.
Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.
Deserialization logic in FasterXML jackson-databind 2.15.0 through 2.18.7, 2.21.3, and 3.1.3 allows unauthenticated remote callers to bypass @JsonIgnore annotations on Java Record types when a PropertyNamingStrategy is configured. The renamed JSON key - e.g., 'internal_role' produced by SnakeCaseStrategy from 'internalRole' - is not registered in the ignore list, so Jackson's constructor-parameter binding accepts the attacker-supplied value despite the developer's explicit exclusion directive. No public exploit tooling has been identified at time of analysis, but the upstream fix PR includes a runnable proof-of-concept test that fully demonstrates the bypass, lowering the bar for independent reproduction.
Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.
Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals.
Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).
Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.
Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.
Remote code injection in pig-mesh Pig's pig-codegen module through version 3.9.2 allows low-privileged authenticated attackers to execute arbitrary code server-side via the GeneratorServiceImpl component, reachable over the network. A publicly available proof-of-concept exploit exists at GitHub (sombra0316/CVE-2026), elevating the urgency for defenders. No vendor patch has been released, and the vendor did not respond to responsible disclosure, leaving affected deployments without an official remediation path.
Code injection in SonicCloudOrg sonic-agent through version 2.7.2 allows remote unauthenticated attackers to inject and execute arbitrary code via the ExchangeController endpoint, which bypasses or is excluded from the JWT Authentication Filter. The vulnerability carries a public proof-of-concept exploit named 'Unauth_ExchangeSend', confirming the endpoint is reachable without authentication. Critically, the affected product is end-of-life with no vendor support, and the maintainer did not respond to disclosure - no patch is forthcoming.
OS command injection in SonicCloudOrg sonic-agent up to version 2.7.2 allows remote low-privileged attackers to execute arbitrary system commands via the evalIsFailed function in the Groovy Script Handler component. The public proof-of-concept - titled 'Unsandboxed_RCE' - confirms that Groovy scripts are executed without a security sandbox, enabling full host-level command execution. Critically, this is an end-of-life product with no vendor response and no patch, meaning no fix is forthcoming; no public exploit identified in CISA KEV at time of analysis, but a public POC exists.
OS command injection in SonicCloudOrg sonic-agent (all versions up to 2.7.2) enables remote code execution through the Android WebSocket Server component. An authenticated remote attacker can manipulate the `path` argument in AndroidWSServer.java to inject arbitrary OS commands on the host running the agent. Publicly available exploit code exists (GitHub PoC by xpp3901), no vendor patch will be issued as the product is end-of-life, and the vendor is unresponsive to disclosure - creating a permanent, unmitigable risk for any active deployment.
Unsafe reflection in Apache IoTDB's pipe processor lets a user-supplied fully qualified Java class name be loaded and instantiated via Class.forName().newInstance() with no allowlisting, enabling arbitrary class loading and likely remote code execution in the database server process. It affects all releases from 1.0.0 up to (but not including) 2.0.10 and is fixed in 2.0.10. No public exploit identified at time of analysis, and EPSS is low (0.25%, 17th percentile), though CISA SSVC rates the technical impact as total and considers exploitation automatable.
Path traversal in halo-dev/halo through version 2.24.2 allows authenticated administrators to write files outside the intended theme directory by supplying a crafted `metadata.name` value during theme installation. The flaw resides in the `ThemeUtils.unzipThemeTo()` function in `ThemeUtils.java`, which fails to sanitize the metadata name before constructing extraction paths. A public proof-of-concept exploit exists, but real-world impact is substantially constrained by the PR:H prerequisite - the attacker must already hold admin-level credentials - yielding a CVSS 4.0 score of only 2.0 and no CISA KEV listing.
Remote code execution in Metabase's H2 database driver allows an authenticated user with native-query privileges to run arbitrary Java on the server. When Metabase returns H2 result columns of type OTHER (JDBC JAVA_OBJECT), it deserializes the embedded Java object without validation, so a crafted native H2 query triggers CWE-502 unsafe deserialization and full server compromise. It affects any instance using an H2 connection, including the default bundled sample database. No public exploit is identified at time of analysis (SSVC exploitation: none; EPSS 0.45%), though the upstream fix commit and vendor advisory GHSA-w95f-x9v9-wv36 are public.
Remote code execution in Metabase (open-source BI/analytics platform) versions 1.55.0 through the fixed releases arises because one database-creation code path failed to validate unsafe H2 JDBC connection properties, letting an authenticated administrator register a crafted H2 datasource and run arbitrary Java on the server host. Because the CVSS scope is Changed (S:C), successful exploitation escapes the application context and yields full host compromise. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but the CVSS base score of 9.1 and RCE nature make it a high-priority patch for any exposed Metabase instance.
OS command injection in the Android WebView JavaScript bridge of openclaw-android (versions up to 0.4.0) permits a local, low-privileged attacker to execute arbitrary OS commands through the `JsBridge.kt` component. Exploitation is constrained to local device access, limiting real-world blast radius, but a publicly disclosed proof-of-concept exists per the CVSS 4.0 E:P supplemental metric. No patch has been released - a remediation pull request (#137) is pending acceptance, leaving all users on version 0.4.0 or earlier exposed.
Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.
Path traversal via the COAR Notify / Linked Data Notifications (LDN) service in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated DSpace administrator to reference arbitrary filesystem paths as LDN inbound-pattern templates, causing those files to be read and interpreted as Apache Velocity templates. While no public exploit or active exploitation has been identified, the vulnerability was demonstrated as part of a proven attack chain in which an administrator stages a malicious Velocity payload in a predictable file location and triggers its execution, enabling either sensitive file disclosure or arbitrary Java code execution via Velocity template injection. No special conditions (KEV, public PoC) are confirmed at time of analysis.
Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.
Remote code execution in DSpace 8.0-8.3 and 9.0-9.2 allows an authenticated administrator to execute arbitrary Java via Velocity templates used to render COAR Notify/LDN messages, using reflection to escape the templating sandbox. Exploitation requires valid DSpace administrator credentials and is most impactful when chained with the related LDN path-traversal flaw (GHSA-9qm4-rh6w-pq5x). No public exploit identified at time of analysis, and CVSS is 8.0 (High).
Remote code execution in Apache Gravitino before 1.2.1 allows unauthenticated callers to abuse the testConnection API by submitting a crafted H2 JDBC URL whose INIT parameter runs arbitrary Java on the server. The flaw only manifests when Gravitino is backed by the H2 database - a configuration primarily used for testing and local development - and CISA SSVC rates technical impact as total and exploitation as automatable, though no public exploit has surfaced. Fixed in 1.2.1; because Gravitino is usually deployed on internal networks and H2 is not the production default, the vendor characterizes real-world severity as low despite the 9.1 CVSS score.
Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.
Sensitive information disclosure in OneBlog V2.3.9 lets remote unauthenticated attackers retrieve WeChat Official Account secrets - the access_token and jsapi_ticket - through unprotected REST endpoints backed by RestApiController.java, JsApiTicketComponent.java, and GetAccessTokenComponent.java. Because these credentials grant control over the linked WeChat public account, disclosure enables account takeover of the integration rather than just data leakage. Classified CWE-306 (Missing Authentication); a referenced public gist appears to contain proof-of-concept details, though EPSS is low (0.26%, 18th percentile) and it is not listed in CISA KEV.
Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.
Cross-tenant information disclosure in OpenRemote Manager lets a realm admin of one tenant read the profile, realm roles, and client roles of any user in any other realm - including the privileged master realm - simply by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl verify the caller's read:admin role but never confirm the target user belongs to the caller's realm, breaking multi-tenant isolation for user data. Publicly available exploit code exists (a working curl-based PoC with live-instance HTTP 200 responses is documented), though it is not listed in CISA KEV and no active exploitation is confirmed.
{realm}/asset/predicted/{assetId}/{attributeName}) incorrectly authorizes write operations by checking READ_ASSETS permission instead of WRITE_ASSETS, enabling any authenticated user with read:assets privileges to persist arbitrary predicted datapoint values to the database. This privilege escalation exposes IoT asset prediction data to tampering by low-privileged or compromised accounts. A working proof-of-concept is embedded in the public GitHub Security Advisory GHSA-xj53-j257-hxvg; no active exploitation has been identified in CISA KEV.
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0-M1 through before 3.0.0-M4) lets an attacker who supplies a crafted serialized stream to the public static SvmDoccatModel.deserialize(InputStream) trigger deserialization of an arbitrary object graph before the SvmDoccatModel cast occurs. Where a usable gadget chain exists on the consuming application's classpath, this yields remote code execution in the loading JVM; OpenNLP ships no gadget itself, so realistic risk falls on downstream apps that embed the module alongside vulnerable transitive dependencies. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the SSVC assessment marks it automatable with partial technical impact.
Denial of service in Apache IoTDB versions 1.3.3 through 2.0.7 lets remote attackers crash the DataNode process by submitting a single query whose time span and aggregation interval are unbounded. Because the affected query interface enforces no reasonable limit on these parameters, a request combining a very large time range with a minimal interval forces the DataNode to materialize an enormous result set in memory, exhausting the Java heap. No public exploit has been identified at time of analysis and the issue is not in CISA KEV, but the fix is easy to reverse-engineer from the version bump to 2.0.8.
Authorization bypass in Apache Camel's camel-elasticsearch-rest-client component allows unauthenticated remote attackers to override Elasticsearch query operations by injecting HTTP headers. Because the component uses unprefixed header constants ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') that are not blocked by Camel's inbound HttpHeaderFilterStrategy - which filters only 'Camel'-prefixed names - any HTTP client reaching a Camel route that fronts an elasticsearch-rest-client producer can substitute their own query body, operation type, or target index. Practical outcomes include full index enumeration via match_all, targeted document deletion, and field-level data exfiltration. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the attack requires no credentials and is trivially reproducible from the description alone.
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelcast cluster to run arbitrary code on every Camel node. The flaw exists because Camel-created Hazelcast instances apply no Java deserialization filter by default, so crafted serialized objects sent over the cluster protocol are deserialized (ObjectInputStream.readObject) before Camel processes them. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x whenever a hazelcast consumer or repository uses Camel's own default configuration; there is no public exploit identified at time of analysis and EPSS is low (0.49%, 39th percentile).
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a producer endpoint deserializes 5xx HTTP response bodies marked application/x-java-serialized-object through a raw java.io.ObjectInputStream with no class filtering. Exploitation is limited to non-default deployments where transferException=true or allowJavaSerializedObject=true is set and throwExceptionOnFailure remains true, letting an attacker who controls or intercepts the backend deliver a malicious serialized object and, given a gadget chain on the classpath, run code on the Camel host. This is a vendor-reported (Apache) issue with a publicly available advisory; there is no public exploit identified at time of analysis and EPSS is low at 0.39% (31st percentile).
Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.
Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.
Heap-based buffer overflow in radare2's Java binary parser (all versions up to 6.1.6) allows a local, low-privileged attacker to crash the tool by supplying a crafted Java class file with a malformed Line Number Table attribute. The vulnerable function `r_bin_java_inner_classes_attr_calc_size()` in `shlr/java/class.c` miscalculates buffer sizes, resulting in a heap write beyond allocated bounds and a denial-of-service outcome. A public proof-of-concept exists via GitHub issue #26043; no active exploitation has been confirmed by CISA KEV, and impact is confined to availability with no confidentiality or integrity effects.
State corruption in HdrHistogram up to version 2.2.2 allows a local, low-privileged attacker to manipulate the Count argument of the recordValueWithCount function in AbstractHistogram.java, resulting in low-integrity corruption of histogram state. The flaw affects the core metrics-recording logic of this Java library. A proof-of-concept exploit has been publicly disclosed; the project maintainer was notified via a GitHub issue but has not yet responded with a fix, leaving affected deployments without a vendor patch.
Uncontrolled memory allocation in HdrHistogram versions up to 2.2.2 allows a local low-privileged attacker to cause denial of service by passing a crafted byte buffer to the AbstractHistogram.decodeFromByteBuffer method with a malicious numberOfSignificantValueDigits value. The affected Java library fails to validate this argument before using it to drive heap allocation, allowing JVM memory exhaustion in any application that processes attacker-influenced histogram data. Publicly available exploit code exists; no patch has been released as the project maintainer has not responded to the coordinated disclosure.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
Uncontrolled memory allocation in HdrHistogram up to version 2.2.2 allows a local attacker with low-privilege access to crash a dependent Java application by supplying a crafted `lengthOfCompressedContents` value to the `decodeFromCompressedByteBuffer` function, exhausting JVM heap space and causing a denial-of-service. A public proof-of-concept exists (E:P per CVSS 4.0), though the vulnerability is not listed in CISA KEV, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.9 reflects the strictly local attack vector and limited impact scope - only availability at the vulnerable system level is affected.
Session data exposure in FederatedAI FATE's OSX Broker gRPC component allows an authenticated federated party to manipulate session routing arguments and access data belonging to a different federated session. Affected versions extend through FATE 2.2.0, specifically in the QueuePushReqStreamObserver.initEggroll method within the Java-based OSX Broker. No public exploit confirmed active exploitation (not in CISA KEV), though exploit code has been publicly disclosed via a GitHub issue, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and limited confidentiality impact.
Arbitrary file read in GravitLauncher LaunchServer ≤ 5.7.11 lets an unauthenticated remote attacker retrieve any file readable by the server process via a path-traversal in the default-enabled HTTP file server on port 9274. Because the exposed files include the ECDSA key that signs access JWTs (.keys/ecdsa_id), the refresh-token salt, and database credentials, the flaw escalates from information disclosure to a full authentication bypass allowing forged admin tokens. Publicly available exploit code exists (a raw-socket PoC in the advisory); the issue is not listed in CISA KEV and no active exploitation is confirmed.
TLS channel-binding downgrade in the ongres scram-client Java library (com.ongres.scram) lets a network man-in-the-middle silently strip SCRAM-SHA-256-PLUS down to plain SCRAM-SHA-256, defeating clients that explicitly require channel binding (e.g. channelBinding=require in pgJDBC). The flaw only bites when the server certificate uses a signature algorithm without a legacy 'WITH' name (Ed25519 or post-quantum), causing an internal NoSuchAlgorithmException to be swallowed and an empty channel-binding value to be treated as 'not offered' rather than a hard failure. Fixed in scram library 3.3; no public exploit identified at time of analysis and the issue is reported by the upstream maintainer via GitHub advisory GHSA-p9jg-fcr6-3mhf.
Denial of service in OpenTelemetry Java Instrumentation before 2.27.0 lets an attacker who can reach an RMI endpoint on an instrumented JVM send an oversized context-propagation payload that triggers excessive memory allocation. The RMI payload reader caps the number of context entries but never bounds the aggregate size of the strings it reads, so a single crafted request can exhaust heap and crash or stall the JVM. No public exploit is identified at time of analysis, EPSS is low (0.24%), and CISA SSVC records no observed exploitation, but the flaw is network-reachable and unauthenticated wherever RMI instrumentation is enabled and exposed.
OpenTelemetry Java Instrumentation prior to 2.28.0 leaks clear-text database passwords into distributed trace span attributes when JDBC auto-instrumentation encounters double-quoted passwords in SQL CONNECT statements, bypassing the sanitization logic. These poisoned spans are then exported to any configured observability backend - Jaeger, Zipkin, OTLP collectors, or third-party SaaS monitoring - making database credentials visible to all parties with telemetry read access. No public exploit or confirmed active exploitation exists at time of analysis, but the impact of credential exposure is high given downstream database access risk.
Insecure JNDI object instantiation in mchange-commons-java before 0.6.0 lets attackers who can influence deserialized data or JNDI Reference resolution coerce the library's JavaBeanObjectFactory into constructing arbitrary classes and setting their JavaBean properties, enabling JNDI injection and deserialization-gadget attacks. Because this library underpins mchange projects such as the c3p0 connection pool, any Java application that deserializes attacker-controlled objects or dereferences untrusted JNDI References through it is exposed; a demonstrated path abuses a Swing JEditorPane to force outbound HTTP requests from a trusted security domain. No public exploit identified at time of analysis and it is not in CISA KEV, so treat it as a patch-now supply-chain issue rather than an actively exploited one.
{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.
Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. Java applications sharing a single AHC instance - and therefore its default shared CookieStore - across calls to both attacker-influenced and trusted hosts are the primary attack surface; no public exploit has been identified at time of analysis, and vendor-released fixes are available in 2.16.0 and 3.0.11.
Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. No public exploit identified at time of analysis; risk is elevated because a single poisoned cache key fans out to all consuming app servers.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.
Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.
Certificate timestamp validation bypass in sigstore-java 2.0.0 allows an attacker who has already exfiltrated an ephemeral Sigstore signing key to reuse an expired Fulcio certificate, causing bundle verification to succeed when it should fail. PR #1008 erroneously removed the check that bounds a Rekor V1 log entry's `integratedTime` against the Fulcio certificate's validity window, a regression only present in the 2.0.0 release and fixed in 2.1.0. No public exploit identified at time of analysis beyond the vendor-provided proof-of-concept test bundle in sigstore-conformance; CVSS base score of 2.0 reflects the extremely narrow, high-privilege, local-only attack conditions required.
Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.
Path traversal in the ruoyi-vue-pro file upload endpoint exposes unauthenticated remote attackers to arbitrary file read and write operations via the `generateUploadPath` function in `FileServiceImpl.java`. All versions up to 2026.04-jdk8-SNAPSHOT are confirmed affected across both the YunaiV (GitHub) and zhijiantianya (Gitee) vendor distributions. Publicly available exploit code exists via GitHub issue #1146; no CISA KEV listing is present, but the unauthenticated network vector combined with a public proof-of-concept materially elevates operational risk above the CVSS 4.0 base score of 6.9 alone.
Path traversal in ANTLR4 up to 4.13.2 exposes arbitrary file read via the tokenVocab grammar option handler. The vulnerable function getImportedVocabFile in TokenVocabParser.java fails to sanitize user-controlled grammar option values, allowing an attacker to supply a crafted .g4 grammar file that causes the tool to read files outside the intended working directory. A publicly available proof-of-concept exploit exists (GitHub issue reference), and no vendor patch has been released - the vendor did not respond to disclosure. No active exploitation is confirmed in CISA KEV, but the CVSS 4.0 E:P flag confirms exploit code is public.
Time-of-check time-of-use (TOCTOU) race condition in antlr4-maven-plugin up to version 4.13.2 allows a local low-privileged attacker to manipulate grammar dependency state between validation and consumption in ObjectInputStream.readObject() within GrammarDependencies.java, yielding limited confidentiality, integrity, and availability impact on build artifacts. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists via a GitHub issue, though KEV listing is absent, indicating no confirmed widespread active exploitation. The CVSS 4.0 score of 1.1 reflects genuine low real-world risk due to local-only access, high attack complexity, and constrained impact scope.
Command injection in ANTLR4's Go code generation target (GoTarget.java) allows a local low-privilege attacker to execute arbitrary OS commands via unsanitized input passed to the gofmt invocation, affecting all versions up to 4.13.2. This vulnerability is scoped entirely to local environments such as developer workstations or CI/CD pipelines running ANTLR4 Go target code generation. A publicly available proof-of-concept exploit exists per the GitHub disclosure, but this is not confirmed as actively exploited (not in CISA KEV), and the CVSS 4.0 base score of 1.9 reflects its genuinely constrained real-world impact.
Code injection in ANTLR4's Grammar Action Block Handler allows remote attackers to execute arbitrary code by supplying a crafted grammar file processed by the tool. All versions up to and including 4.13.2 are affected via the OutputFile.java code generation pathway. A public proof-of-concept exploit exists on GitHub (no KEV listing), though the vendor has not acknowledged or patched the issue, leaving users without an official fix.
Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.
Insecure default file permissions in Nextflow's `auth login` command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file `seqera-auth.config` is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. No public exploit has been identified at time of analysis and this vulnerability is not currently in the CISA KEV catalog, but the attack requires only a standard local account and trivial filesystem read, making it a practical lateral-movement primitive in multi-tenant research computing environments.
Unbounded resource consumption in the Rust opentelemetry_sdk's BaggagePropagator::extract_with_context allows unauthenticated remote attackers to cause elevated CPU and heap allocation overhead by sending oversized W3C baggage propagation headers to any service using versions 0.32.0 or earlier. The SDK parsed the full header content before applying storage limits, meaning attacker-supplied data was processed and then discarded - wasting resources on every malicious request. A parallel design-level gap affects the Java (GHSA-rcgg-9c38-7xpx) and Go (GHSA-mh2q-q3fh-2475) OpenTelemetry SDKs, suggesting a cross-ecosystem pattern; no public exploit or active exploitation (KEV) has been identified.
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.
Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.
Authentication bypass in Apache Shiro affects deployments using the shiro-guice module in a web servlet context, where a specially crafted HTTP request can evade path-based access controls and reach protected resources without valid credentials. It mirrors the older shiro-spring flaw CVE-2020-1957 but targets the Guice integration instead, impacting all Shiro releases through 2.x and 3.0.0-alpha-1. No public exploit identified at time of analysis, though the CVSS 4.0 base score of 8.2 reflects high confidentiality impact and the close analogy to a previously exploited bug class.
Arbitrary code execution in QOS.CH logback-core versions up to and including 1.5.34 allows a local attacker with existing privilege to run code in the context of any Java application that loads Logback when the Janino library is on the classpath. The flaw circumvents prior hardening for CVE-2025-11226 via conditional configuration file processing, and is triggered either by writing to an existing logback configuration file or by injecting an environment variable that points the process at a malicious configuration. No public exploit identified at time of analysis, though the bypass nature of the issue makes weaponization of existing CVE-2025-11226 exploit code plausible.
Cross-tenant alarm destruction in OpenRemote Manager (versions before 1.25.0) allows any authenticated user with alarm-write permissions in their own realm to permanently delete alarm records belonging to other tenants by submitting arbitrary sequential alarm IDs to the bulk-delete endpoint. The flaw stems from missing per-record realm scoping in removeAlarms() and is rated CVSS 4.0 8.6 (high); no public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path, making weaponization straightforward.
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. No public exploit identified at time of analysis, but the deserialization sink and Kryo gadget ecosystem make weaponization straightforward once an attacker can write to the persistence store.
Unauthenticated remote code execution in OpenDJ Community Edition through 5.1.0 occurs when the JMX RMI connector deserializes attacker-controlled Java objects before authentication is performed. Any deployment with the JMX Connection Handler enabled (commonly turned on for monitoring integrations) is exposed to pre-auth RCE over TCP, as demonstrated against OpenDJ 4.4.15 on JDK 11 with Jackson 2.12.6.1. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Spinnaker's Rosco and Orca services arises because YAML input is parsed with SnakeYAML's unsafe default Constructor rather than a SafeConstructor, letting authenticated users who trigger CloudFormation deployments or CloudFoundry baking load arbitrary Java classes. An attacker with pipeline access can supply a crafted YAML tag (e.g. !!javax.script.ScriptEngineManager) to instantiate dangerous classes and reach code execution on the affected service host. No public weaponized exploit is identified, though the vendor fix commit ships tests demonstrating the arbitrary-object-instantiation primitive, and the flaw is not listed in CISA KEV.
Stored XSS in allure-generator (versions <= 2.38.1) allows arbitrary JavaScript execution in the browser of anyone who views a generated Allure report containing crafted test result data. The vulnerable `ansi.js` Handlebars helper passes unsanitized `statusMessage` and `statusTrace` values - sourced from JUnit XML failure messages and equivalent fields in TRX, xUnit XML, xctest, and Allure 1/2 plugins - through `ansi-to-html` without HTML escaping, then wraps the output in `SafeString` to bypass Handlebars' auto-escape protection. A publicly available proof-of-concept demonstrates exploitation via a crafted JUnit XML file; the attack is particularly relevant to CI/CD environments (Jenkins, GitLab, GitHub Actions) where reports are served on shared infrastructure with active authenticated sessions.
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. A proof-of-concept is publicly available via the GitHub Security Advisory GHSA-82cg-3hv7-74gc; no CISA KEV listing has been confirmed at time of analysis, though real-world risk is materially elevated in CI/CD environments where --host 0.0.0.0 is commonly used.
Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. No public exploit identified at time of analysis, though the issue is a documented bypass of the prior CVE-2026-39852 fix.
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers to alter authorization outcomes by smuggling Cedar expressions through unescaped string values. The flaw is in toCedarExpr() on Cedar Value types, which fails to escape quote and backslash characters when serializing user-controlled values into policy text. No public exploit identified at time of analysis, but the integrity impact is severe because injected fragments like '|| true' can neutralize permit/forbid logic in fine-grained authorization decisions.
Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate authorization decisions by injecting reserved JSON keys (`__entity` or `__extn`) into CedarMap objects built from attacker-controlled input. When an integrating service constructs a CedarMap from caller-supplied data such as headers, metadata, or resource tags, the Rust cedar-policy evaluator can be tricked into interpreting a record as an entity reference, undermining fine-grained authorization. No public exploit identified at time of analysis, but the CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability of authorization outcomes.
Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.
Arbitrary file and environment variable reads on xDS client hosts are possible in Armeria versions 1.38.0 and 1.39.0 via the armeria-xds module's SDS (Secret Discovery Service) implementation. The DataSourceStream class resolves control-plane-supplied filename and environment_variable fields from SDS Secret resources without any path confinement or allow-listing, enabling a compromised or semi-trusted xDS control plane - or an attacker who can MITM unprotected SDS gRPC streams - to extract TLS private keys, Kubernetes service-account tokens, cloud credential files, and environment variables such as AWS_SECRET_ACCESS_KEY. No public exploit has been identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the confused-deputy pattern and Kubernetes deployment context make it a high-priority upgrade for affected users.
Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, environment variables, and thread dumps to low-trust Cloud Foundry roles (Space Auditors) due to incorrect default permission levels. Affected versions inherit the base class default of EndpointPermissions.Restricted - which maps to CF's read_basic_data scope - rather than overriding to EndpointPermissions.Full (read_sensitive_data), the permission level Spring Boot's equivalent integration correctly enforces. No public exploit code or KEV listing exists at time of analysis; however, the CVSS PR:L rating reflects that any valid CF credential with Space Auditor privileges is sufficient to reach the affected endpoints.
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka registry containing service registrations with DataCenterInfo.name="Netflix" to permanently break the local service discovery cache. The client's DataCenterInfo.FromJson rejects any value other than "MyOwn" or "Amazon" with an ArgumentException that is silently swallowed by the periodic cache refresh task, leaving downstream .NET services unable to discover peers. No public exploit identified at time of analysis, but the trigger is trivially reachable in mixed Java/Spring-Cloud and Steeltoe environments.
XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.
Regular expression denial of service in HAPI FHIR's DSTU2 FHIRPathEngine allows unauthenticated remote attackers to exhaust server CPU by submitting FHIR resources or FHIRPath expressions containing catastrophically backtracking regexes against the matches() function. This is an incomplete-fix vulnerability stemming from CVE-2026-45367, where the DSTU2 module's matches() at FHIRPathEngine.java line 2462 was left calling raw String.matches() without the RegexTimeout wrapper applied to the other five FHIR version modules. No public exploit identified at time of analysis beyond the reporter's working PoC published in the GHSA advisory.
Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-r4gv-qr8j-p3pg documents the issue and the fix is available in 4.5.2.
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Unbounded memory allocation in @opentelemetry/core affects the W3CBaggagePropagator.extract() method, which fails to enforce W3C Baggage specification size limits (8,192 bytes, 180 entries) on the inbound parsing path - only the outbound inject() path was protected. Unauthenticated remote attackers can exploit this to cause partial availability degradation by sending oversized baggage headers, with elevated risk in non-HTTP transport contexts (messaging systems, custom TextMapGetter implementations) where Node.js's native 16 KB header cap does not apply. No public exploit code or CISA KEV listing exists; the CVSS 5.3 Medium score reflects the real-world constraint imposed by Node.js defaults on the dominant HTTP deployment pattern.