Java

Unrestricted file upload in crmeb_java Admin Upload component (versions up to 1.3.4) allows high-privileged remote attackers to upload arbitrary files by manipulating the model argument in UploadServiceImpl.java, resulting in potential code execution or system compromise. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.

SQL injection in youlai-boot up to version 2.21.1 via argument order manipulation in the getUserList endpoint allows authenticated remote attackers to execute arbitrary SQL queries with limited data access impact. The vulnerability affects the Users Endpoint component, has publicly available exploit code, and the vendor has not responded to disclosure attempts despite early notification.

Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.

Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and vendors confirmed the issue with a fix planned for an upcoming release.

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Improper authorization in o2oa up to version 10.0 allows remote attackers to bypass authentication via the syncFile function in NodeAgent.java, leading to unauthorized access to file operations. The vulnerability requires high attack complexity and has publicly available exploit code, though no active exploitation in the wild has been confirmed at this time.

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. Publicly available exploit code exists, and the vendor has not yet responded to early notification.

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL commands through the loadDict endpoint by manipulating the keyword parameter in the SqlInjectionUtil function. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector, and publicly available exploit code exists; patch availability is confirmed via GitHub commit a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b.

Spring gRPC versions 1.0.0 through 1.0.2 leak sensitive authentication failure details in gRPC status descriptions to unauthenticated remote callers, enabling reconnaissance for follow-up attacks. The vulnerability exposes raw server-side AuthenticationException messages without sanitization, providing attackers with information about authentication mechanisms and potential weaknesses. This low-severity information disclosure (CVSS 3.7) requires high attack complexity but affects default configurations.

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 are vulnerable to denial of service through uncontrolled resource consumption when processing maliciously crafted PDF files via the ForkPDFLayoutTextStripper component. Authenticated remote attackers can exhaust server memory and crash affected applications by uploading or processing specially designed PDFs. Vendor-released patches address the issue in versions 1.0.6 and 1.1.5.

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 expose ONNX machine learning models to unauthorized disclosure when the application runs in shared hosting environments, allowing local users with limited system access to read sensitive model files and potentially reverse-engineer proprietary ML logic. The vulnerability stems from insecure temporary file handling (CWE-377) that fails to restrict file permissions on extracted model artifacts. Authentication requirements are minimal-only local system access is needed-making this a significant risk in multi-tenant cloud platforms and shared servers.

SQL injection in Spring AI's CosmosDBVectorStore component (versions 1.0.0-1.0.5 and 1.1.0-1.1.4) enables authenticated remote attackers to execute arbitrary SQL queries through malicious document IDs, potentially achieving full database compromise including data exfiltration, modification, and denial of service. VMware has released patches in versions 1.0.6 and 1.1.5. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authenticated access to the vector store API.

Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).

Spring Boot applications configured with ApplicationPidFileWriter are vulnerable to local file corruption when a high-privilege user can write to the PID file directory. An attacker with high privileges and write access to the PID file location can corrupt arbitrary files each time the application restarts, achieving denial of service or data integrity violations. Exploitation requires local access and elevated privileges, limiting real-world impact to co-resident or insider threat scenarios. No active exploitation has been publicly reported.

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

{random.value} for secrets generation produce cryptographically weak values unsuitable for authentication, encryption keys, or other sensitive purposes. Affected versions 2.7.0 through 4.0.5 generate predictable random values when relying on the random value property source; attackers can enumerate or predict these values to compromise confidentiality and integrity of secrets. The vulnerability does not affect ${random.uuid}, which uses a cryptographically secure implementation. Patches are available for all supported and unsupported versions.

Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). No public exploit code identified at time of analysis.

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14) per vendor advisory.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0-4.0.5; upgrade to 4.0.6 or later per vendor advisory.

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.

SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.

Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.

Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.

OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.

Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.

Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.

Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.

Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.

Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.

JWT token validation bypass in Spring Security allows authenticated attackers to forge or manipulate JWT tokens when NimbusJwtDecoder or NimbusReactiveJwtDecoder is used without explicit OAuth2TokenValidator configuration, enabling unauthorized access to protected resources. The vulnerability affects Spring Security versions 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.9, and 7.0.0-7.0.4. CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) reflects network-accessible exploitation requiring low-privilege authentication and high attack complexity.

Spring Security 7.0.0 through 7.0.4 mishandles malformed X.509 certificate CN values in the SubjectX500PrincipalExtractor, allowing authenticated attackers to craft certificates that extract incorrect username values and impersonate other users. The vulnerability requires network access and authenticated privileges but does not require user interaction; it affects certificate-based authentication flows where X.509 principal extraction is used.

Spring Security's DaoAuthenticationProvider can leak timing information about user account status when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes for user validation. This allows remote attackers to enumerate disabled, expired, or locked accounts through timing analysis of authentication responses across affected versions 5.7.0-5.7.22, 5.8.0-5.8.24, 6.3.0-6.3.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. No public exploit code or active exploitation has been identified at this time.

A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Time-of-check Time-of-use (TOCTOU) race condition in Spring Security's JdbcOneTimeTokenService allows unauthenticated remote attackers to bypass one-time token validation and gain unauthorized access. Affected versions include 6.4.0-6.4.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. The vulnerability requires explicit configuration of One-Time Token login and involves high attack complexity, limiting real-world exploitation despite network accessibility.

Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SPeL) injection in artifact processing. Unlike Spinnaker's Orca service which implemented SPeL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from Spinnaker project.

Path traversal in Junrar library versions prior to 7.5.10 allows remote attackers to write arbitrary files into sibling directories by extracting a crafted RAR archive, enabling unauthorized file creation and potential code injection. The vulnerability requires high attack complexity (AC:H) but no authentication or user interaction, affecting any Java application using vulnerable Junrar versions to process untrusted RAR files. Vendor-released patch: version 7.5.10.

Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Remote authenticated path traversal in SonicCloudOrg sonic-server up to version 2.0.0 allows attackers with low-level privileges to manipulate the Type parameter in the File Upload Endpoint (FileTool.java) to traverse the filesystem and read or write arbitrary files. The vulnerability has publicly available exploit code and affects all versions up to 2.0.0; the vendor has not responded to early disclosure attempts, leaving no patch available.

AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

{ return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

Pre-authentication resource exhaustion in Bouncy Castle BC-JAVA PGP modules (bcpg) allows remote attackers to trigger denial-of-service by exploiting unbounded AEAD chunk sizes, affecting all versions before 1.84. The maximum CVSS 4.0 score of 10.0 reflects complete compromise potential across confidentiality, integrity, and availability with no attack complexity, no authentication requirements, and network-based exploitation. No public exploit identified at time of analysis, though the attack s

Signature verification bypass in Bouncy Castle BC-JAVA (bcpkix module versions 1.49-1.83) allows remote unauthenticated attackers to forge cryptographic signatures by submitting empty signature sequences that are incorrectly accepted as valid by the draft CompositeVerifier implementation. This critical flaw (CVSS 4.0: 10.0) enables complete subversion of digital signature trust chains, potentially allowing authentication bypass, code signing forgery, and man-in-the-middle attacks against Java ap

Non-constant time comparison operations in the Legion of the Bouncy Castle BC-JAVA cryptographic library (core modules, versions 2.17.3 through 1.83) expose FrodoKEM private keys to timing side-channel attacks, enabling remote unauthenticated attackers to extract cryptographic secrets through statistical analysis of operation timing variations. CVSS 4.0 score of 10.0 reflects maximum confidentiality and integrity impact across system and subsequent contexts. EPSS probability is low (0.04%, 14th percentile) and no active exploitation is confirmed, but SSVC framework rates this as automatable with total technical impact. Vendor patch available in BC-JAVA 1.84.

LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r

GOST CTR block cipher in Bouncy Castle BC-JAVA processes only the first 255 blocks correctly, causing silent data corruption in encryption/decryption operations for longer messages. Affects BC-JAVA versions 1.59 through 1.83, with fix available in version 1.84. Local attack vector (CVSS AV:L) with critical CVSS 9.4 score reflects potential for both confidentiality and integrity compromise when applications process GOST-encrypted data streams exceeding 255 blocks (~4KB). No KEV listing or public

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Cross-site scripting via code injection in SAP NetWeaver Application Server Java Web Dynpro allows unauthenticated remote attackers to inject arbitrary client-side code through crafted input, compromising user sessions and application data integrity when victims interact with the affected functionality. CVSS 6.1 (medium) reflects the requirement for user interaction and limited scope, but exploitation is straightforward with no authentication needed and low attack complexity.

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.

Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.

Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.

SSL bundle configuration bypass in VMware Spring Cloud Gateway 4.2.0 allows unaneticated remote attackers to compromise integrity through forced fallback to default SSL settings. When administrators configure custom SSL bundles via spring.ssl.bundle property, the framework silently ignores this configuration and applies insecure defaults instead, enabling man-in-the-middle attacks against intended encrypted communications. Affects Spring Cloud Gateway 4.2.0 with no public exploit identified at time of analysis.

Improper neutralization of special elements in FreeMarker template processing within Sanluan PublicCMS up to version 6.202506.d allows high-privileged remote attackers to cause information disclosure through manipulation of the AbstractFreemarkerView.doRender function. The vulnerability has a CVSS score of 5.1 with publicly available exploit code, though exploitation requires administrative privileges (PR:H). CISA KEV status not confirmed; however, the disclosure of exploit code and vendor non-response indicate moderate real-world risk despite the high privilege requirement.

DNS rebinding in Model Context Protocol (MCP) Java SDK before v1.0.0 enables remote attackers to invoke arbitrary tool calls on local or network-private MCP servers via a victim's browser. The SDK failed to validate Origin headers per MCP specification requirements, violating mandatory server-side protections against cross-origin attacks. Exploitation requires social engineering (victim visits malicious site), but grants full tool invocation privileges as if the attacker were a locally authorized AI agent. Patch available in v1.0.0. No public exploit identified at time of analysis, but attack technique is well-understood (DNS rebinding). EPSS data not available; authentication requirements not confirmed from available data.

SQL injection in PowerJob 5.1.0 through 5.1.2 allows remote attackers to execute arbitrary SQL queries via the customQuery parameter in the detailPlus endpoint of InstanceController.java, potentially enabling unauthorized data access or modification. The vulnerability is remotely exploitable without authentication (CVSS 6.9, EPSS P), with a GitHub pull request indicating a fix is under review but not yet released as a patched version.

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.