Java
Monthly
SmartAdmin versions up to 3.29 contain a template injection vulnerability in the FreeMarker template handler that allows authenticated remote attackers to manipulate template content and achieve code execution. The flaw exists in the MailService component's freemarkerResolverContent function and has a public exploit available. Since no patch is available and the vendor has not responded, organizations using affected versions should immediately assess exposure and consider alternative solutions.
A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29. is affected by cross-site scripting (xss) (CVSS 3.5).
Jackson Core versions 3.0.0 through 3.0.x fail to enforce maximum nesting depth limits in UTF8DataInputJsonParser and ReaderBasedJsonParser, allowing attackers to craft deeply nested JSON documents that trigger StackOverflowError and crash the application. This denial of service vulnerability affects any Java application using the vulnerable Jackson Core versions to parse untrusted JSON input. A patch is available in version 3.1.0.
Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.
Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.
SQL injection in renren-security before v5.5.0 in BaseServiceImpl.java. PoC available.
Jeesite versions up to 5.15.1. contains a vulnerability that allows attackers to xml external entity reference (CVSS 5.0).
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. [CVSS 3.3 LOW]
Path traversal in Sanluan PublicCMS 6.202506.d's Template Cache Generation component allows authenticated remote attackers to manipulate the saveMetadata function and access arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor who has not responded to disclosure attempts.
SQL injection in Youlai Mall 2.0.0's product pagination endpoint allows authenticated remote attackers to manipulate the sortField parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. Attackers with valid credentials can exploit this flaw to read or modify sensitive data within the database.
Server-side request forgery in Paicoding 1.0.0-1.0.3 allows authenticated attackers to manipulate the image upload parameter and trigger arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but poses risks to internal network reconnaissance and data exfiltration.
Server-side request forgery in PSI Probe up to version 5.3.0 allows authenticated attackers to conduct arbitrary network requests through the Whois lookup function. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw requires valid credentials but can be exploited remotely with minimal complexity.
Psi Probe versions up to 5.3.0 contain a denial of service vulnerability in the session expiration handler that allows authenticated remote attackers to crash the application through request manipulation. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The vulnerability affects Java-based deployments of Psi Probe used for Tomcat monitoring.
Improper access controls in PSI Probe up to version 5.3.0 allow authenticated remote attackers to manipulate session attributes through the RemoveSessAttributeController, enabling unauthorized modifications to application state. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Fastcms versions prior to 0.1.6 contain a code injection vulnerability in the PluginController component that allows local attackers with user-level privileges to execute arbitrary code with full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available. Java environments running affected Fastcms instances are at risk of privilege escalation and complete system takeover.
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via m...
JNDI injection in mchange-commons-java library allows remote code execution through crafted JNDI lookup strings. Similar to Log4Shell attack pattern. PoC and patch available.
Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.
HummerRisk versions up to 1.5.0 contain a path traversal vulnerability in the archive extraction functionality that allows authenticated remote attackers to read and write arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects the extractTarGZ and extractZip functions in the common utilities library.
Hummerrisk versions up to 1.5.0. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in HummerRisk up to version 1.5.0 allows authenticated remote attackers to execute arbitrary commands through the Cloud Task Dry-run feature by manipulating the fileName parameter in CloudTaskService.java. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve remote code execution with limited impact on confidentiality, integrity, and availability.
HummerRisk versions up to 1.5.0 contain a command injection vulnerability in the Cloud Task Scheduler component where the regionId parameter is insufficiently validated, allowing authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early disclosure notification. An authenticated attacker can exploit this to achieve remote code execution with limited scope impact.
Dinky versions up to 1.2.5 contain an authentication bypass in the OpenAPI endpoint handler that allows unauthenticated remote attackers to manipulate interceptor configuration. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Server-side request forgery in Dinky up to version 1.2.5 allows authenticated attackers to make arbitrary HTTP requests through the Flink Proxy Controller's proxyUba function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can leverage this to access internal resources or perform actions on behalf of the affected server.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.
Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via a user interaction to perform actions in the context of the affected application.
Server-side request forgery in Tiandy Video Surveillance System 7.17.0 allows authenticated remote attackers to manipulate the urlPath parameter in the downloadImage function, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires valid credentials but no user interaction, posing a medium-severity risk to organizations deploying this surveillance platform.
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. [CVSS 2.4 LOW]
The deleteBackup function in Dst Admin up to version 1.5.0 contains an improper resource handling flaw that permits authenticated remote attackers to trigger denial of service conditions. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it actionable in environments where access controls are weak.
A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. [CVSS 3.5 LOW]
A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. [CVSS 3.5 LOW]
Path traversal in the pictureDelete function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to manipulate the picName parameter and access arbitrary files on the system. Public exploit code exists for this vulnerability. No patch is currently available, and the developers have not responded to the disclosure.
Path traversal in the FileServiceImpl.deleteFile function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated attackers to manipulate file deletion operations remotely. Public exploit code exists for this vulnerability, and the developer has not yet addressed the reported issue. An attacker with valid credentials could delete or access arbitrary files on the affected system.
Improper authorization in the EmployeeController.java file of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to gain unauthorized access to sensitive data or modify system information. Public exploit code exists for this vulnerability, and the developers have not yet provided a patch despite early notification. Java-based deployments of these products are vulnerable to this medium-severity attack requiring valid credentials.
Improper access controls in the Sales endpoint of Yeqifu Warehouse allow authenticated remote attackers to manipulate sales records through the addSales, updateSales, and deleteSales functions, potentially compromising data integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available despite early notification to the developers.
Improper access controls in the Inport Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate critical functions (addInport, updateInport, deleteInport) and gain unauthorized access to sensitive data or operations. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based deployments with network access to the warehouse application.
Improper access controls in the Customer Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate customer data through the addCustomer, updateCustomer, and deleteCustomer functions. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. An attacker with valid credentials can achieve unauthorized information disclosure, modification, and denial of service with low attack complexity.
Improper access controls in the Cache Sync Handler of yeqifu Warehouse allow authenticated remote attackers to manipulate cache operations (deleteCache, removeAllCache, syncCache) and achieve unauthorized modification or denial of service. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
SQL injection in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802 allows authenticated remote attackers to manipulate the comid parameter via the /mine/PublicReport/prinReport.html endpoint, potentially leading to unauthorized data access or modification. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.
Improper authorization in GoogTech sms-ssm's LoginInterceptor API interface allows remote authenticated attackers to bypass access controls and manipulate protected functions. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or restrict access to the affected API endpoints.
Unrestricted file upload in huanzi-qch base-admin's JSP file upload function allows authenticated remote attackers to upload arbitrary files by manipulating the File parameter, potentially leading to code execution. The vulnerability affects the SysFileController component and has public exploit code available. No patch is currently available from the developers.
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]
Server-side request forgery in Cskefu up to version 8.0.1 allows authenticated remote attackers to manipulate the URL parameter in the MediaController endpoint to perform arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early notification. The attack requires valid authentication credentials but can be executed remotely with low complexity.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Improper access controls in LibrarySystem BookController.java (versions up to 1.1.1) allow unauthenticated remote attackers to gain unauthorized access and potentially modify or disable library system functions. Public exploit code exists for this vulnerability and the vendor has not yet provided a patch despite early notification.
OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]
A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]
Improper authorization in WukongCRM up to version 11.3.3 allows authenticated remote attackers to manipulate URL handling logic and bypass access controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The flaw affects the PermissionServiceImpl component and enables attackers to gain unauthorized access to restricted functionality.
Improper authorization in the yeqifu Warehouse Log Info Handler allows authenticated remote attackers to access, modify, or delete log information through the loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo functions. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. Java-based deployments using affected versions are at risk of unauthorized log manipulation by authenticated users.
Improper authorization in Yeqifu Warehouse's Notice Management component allows authenticated users to perform unauthorized operations on notice records through the addNotice, updateNotice, deleteNotice, and batchDeleteNotice functions. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can remotely manipulate notice data, compromising the confidentiality, integrity, and availability of the application.
Improper authorization in the Department Management component of yeqifu Warehouse allows authenticated users to manipulate department operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, which can be leveraged remotely by attackers with valid credentials. No patch is currently available from the vendor.
Improper authorization in the Menu Management component of Yeqifu Warehouse allows authenticated remote attackers to manipulate menu operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The flaw affects Java-based deployments running the vulnerable commit and could enable unauthorized administrative actions.
Improper authorization in the Permission Management component of yeqifu Warehouse allows authenticated remote attackers to manipulate permission-related functions (addPermission, updatePermission, deletePermission) and gain unauthorized access or modify system permissions. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based Warehouse deployments with a CVSS score of 6.3.
Improper authorization in yeqifu Warehouse's Role Management Handler (addRole/updateRole/deleteRole functions) allows authenticated remote attackers to perform unauthorized privilege escalation and data manipulation. Public exploit code exists for this vulnerability, and the vendor has not released a patch or responded to disclosure. An attacker with valid credentials can bypass authorization controls to modify system roles and access restrictions.
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. [CVSS 6.3 MEDIUM]
Improper access control in the Role-Permission Binding Handler of yeqifu Warehouse allows authenticated remote attackers to modify role permissions through the saveRolePermission function, potentially gaining unauthorized access to sensitive operations. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification of the issue.
Improper authorization in Sanluan PublicCMS versions up to 4.0.202506.d, 5.202506.d, and 6.202506.d allows authenticated attackers to manipulate the paymentId parameter in the Trade Payment Handler, potentially leading to integrity and availability impacts. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific conditions. A patch is available and should be applied promptly to affected Java-based deployments.
JinJava template engine has a server-side template injection vulnerability enabling arbitrary code execution through crafted Jinja-style templates.
Unrestricted file upload in Bolo Solo up to version 2.6.4 allows authenticated remote attackers to upload arbitrary files via the FreeMarker Template Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. An attacker with valid credentials can achieve limited confidentiality, integrity, and availability impacts.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate file path arguments in the backup import function, potentially accessing or modifying arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The attack requires valid credentials but can be executed remotely over the network.
Path traversal in Bolo Solo's importFromMarkdown function allows authenticated attackers to manipulate file paths and access arbitrary files on affected systems. The vulnerability affects Bolo Solo versions up to 2.6.4 and requires valid credentials but no user interaction to exploit. Public exploit code exists for this vulnerability, and no patch is currently available.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate ZIP file extraction operations in the BackupService component, potentially reading or writing arbitrary files on the affected system. Public exploit code is available for this vulnerability, and the vendor has not yet provided a patch despite early notification.
Pre-authentication RCE in AirControl 1.4.2 network management allows unauthenticated system command execution. PoC available.
Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.
Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java.
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java.
Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.
Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.
Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java.
Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.
XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.
A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. [CVSS 3.5 LOW]
SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through the authentication routing mechanism.
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantia...
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. [CVSS 4.5 MEDIUM]
Oracle Applications DBA versions 12.2.3-12.2.15 contain an authorization flaw in the Java utilities component that allows high-privileged attackers to gain unauthorized read and write access to sensitive data via HTTP. An authenticated attacker with administrative credentials can exploit this vulnerability to create, modify, or delete critical application data without restriction. A patch is available and should be prioritized for deployment in affected Oracle E-Business Suite environments.
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. [CVSS 3.1 LOW]
Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.
SmartAdmin versions up to 3.29 contain a template injection vulnerability in the FreeMarker template handler that allows authenticated remote attackers to manipulate template content and achieve code execution. The flaw exists in the MailService component's freemarkerResolverContent function and has a public exploit available. Since no patch is available and the vendor has not responded, organizations using affected versions should immediately assess exposure and consider alternative solutions.
A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29. is affected by cross-site scripting (xss) (CVSS 3.5).
Jackson Core versions 3.0.0 through 3.0.x fail to enforce maximum nesting depth limits in UTF8DataInputJsonParser and ReaderBasedJsonParser, allowing attackers to craft deeply nested JSON documents that trigger StackOverflowError and crash the application. This denial of service vulnerability affects any Java application using the vulnerable Jackson Core versions to parse untrusted JSON input. A patch is available in version 3.1.0.
Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.
Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.
SQL injection in renren-security before v5.5.0 in BaseServiceImpl.java. PoC available.
Jeesite versions up to 5.15.1. contains a vulnerability that allows attackers to xml external entity reference (CVSS 5.0).
PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. [CVSS 8.7 HIGH]
A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. [CVSS 3.3 LOW]
Path traversal in Sanluan PublicCMS 6.202506.d's Template Cache Generation component allows authenticated remote attackers to manipulate the saveMetadata function and access arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor who has not responded to disclosure attempts.
SQL injection in Youlai Mall 2.0.0's product pagination endpoint allows authenticated remote attackers to manipulate the sortField parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. Attackers with valid credentials can exploit this flaw to read or modify sensitive data within the database.
Server-side request forgery in Paicoding 1.0.0-1.0.3 allows authenticated attackers to manipulate the image upload parameter and trigger arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but poses risks to internal network reconnaissance and data exfiltration.
Server-side request forgery in PSI Probe up to version 5.3.0 allows authenticated attackers to conduct arbitrary network requests through the Whois lookup function. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw requires valid credentials but can be exploited remotely with minimal complexity.
Psi Probe versions up to 5.3.0 contain a denial of service vulnerability in the session expiration handler that allows authenticated remote attackers to crash the application through request manipulation. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The vulnerability affects Java-based deployments of Psi Probe used for Tomcat monitoring.
Improper access controls in PSI Probe up to version 5.3.0 allow authenticated remote attackers to manipulate session attributes through the RemoveSessAttributeController, enabling unauthorized modifications to application state. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Junrar versions prior to 7.5.8 contain a path traversal vulnerability in LocalFolderExtractor that allows attackers to write arbitrary files to the filesystem when processing malicious RAR archives on Linux/Unix systems. Public exploit code exists for this vulnerability, which can facilitate remote code execution through file overwrite attacks such as modifying shell profiles or cron jobs. Users should upgrade to version 7.5.8 or later to remediate this issue.
Fastcms versions prior to 0.1.6 contain a code injection vulnerability in the PluginController component that allows local attackers with user-level privileges to execute arbitrary code with full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available. Java environments running affected Fastcms instances are at risk of privilege escalation and complete system takeover.
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via m...
JNDI injection in mchange-commons-java library allows remote code execution through crafted JNDI lookup strings. Similar to Log4Shell attack pattern. PoC and patch available.
Sandbox escape in dotCMS Velocity scripting engine (VTools) allows authenticated users to execute arbitrary SQL. CVSS 9.9 with scope change — affects one of the largest Java CMS platforms.
HummerRisk versions up to 1.5.0 contain a path traversal vulnerability in the archive extraction functionality that allows authenticated remote attackers to read and write arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects the extractTarGZ and extractZip functions in the common utilities library.
Hummerrisk versions up to 1.5.0. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Command injection in HummerRisk up to version 1.5.0 allows authenticated remote attackers to execute arbitrary commands through the Cloud Task Dry-run feature by manipulating the fileName parameter in CloudTaskService.java. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve remote code execution with limited impact on confidentiality, integrity, and availability.
HummerRisk versions up to 1.5.0 contain a command injection vulnerability in the Cloud Task Scheduler component where the regionId parameter is insufficiently validated, allowing authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early disclosure notification. An authenticated attacker can exploit this to achieve remote code execution with limited scope impact.
Dinky versions up to 1.2.5 contain an authentication bypass in the OpenAPI endpoint handler that allows unauthenticated remote attackers to manipulate interceptor configuration. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Server-side request forgery in Dinky up to version 1.2.5 allows authenticated attackers to make arbitrary HTTP requests through the Flink Proxy Controller's proxyUba function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can leverage this to access internal resources or perform actions on behalf of the affected server.
Path traversal in Dinky up to version 1.2.5 allows authenticated remote attackers to access arbitrary files on the system through manipulation of the projectName parameter in the GitRepository component. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this to read sensitive files or potentially escalate privileges within Java-based Dinky deployments.
Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via a user interaction to perform actions in the context of the affected application.
Server-side request forgery in Tiandy Video Surveillance System 7.17.0 allows authenticated remote attackers to manipulate the urlPath parameter in the downloadImage function, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires valid credentials but no user interaction, posing a medium-severity risk to organizations deploying this surveillance platform.
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]
A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. [CVSS 2.4 LOW]
The deleteBackup function in Dst Admin up to version 1.5.0 contains an improper resource handling flaw that permits authenticated remote attackers to trigger denial of service conditions. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it actionable in environments where access controls are weak.
A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. [CVSS 3.5 LOW]
A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. [CVSS 3.5 LOW]
Path traversal in the pictureDelete function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to manipulate the picName parameter and access arbitrary files on the system. Public exploit code exists for this vulnerability. No patch is currently available, and the developers have not responded to the disclosure.
Path traversal in the FileServiceImpl.deleteFile function of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated attackers to manipulate file deletion operations remotely. Public exploit code exists for this vulnerability, and the developer has not yet addressed the reported issue. An attacker with valid credentials could delete or access arbitrary files on the affected system.
Improper authorization in the EmployeeController.java file of feng_ha_ha/megagao ssm-erp and production_ssm allows authenticated remote attackers to gain unauthorized access to sensitive data or modify system information. Public exploit code exists for this vulnerability, and the developers have not yet provided a patch despite early notification. Java-based deployments of these products are vulnerable to this medium-severity attack requiring valid credentials.
Improper access controls in the Sales endpoint of Yeqifu Warehouse allow authenticated remote attackers to manipulate sales records through the addSales, updateSales, and deleteSales functions, potentially compromising data integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available despite early notification to the developers.
Improper access controls in the Inport Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate critical functions (addInport, updateInport, deleteInport) and gain unauthorized access to sensitive data or operations. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based deployments with network access to the warehouse application.
Improper access controls in the Customer Endpoint of yeqifu Warehouse allow authenticated remote attackers to manipulate customer data through the addCustomer, updateCustomer, and deleteCustomer functions. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. An attacker with valid credentials can achieve unauthorized information disclosure, modification, and denial of service with low attack complexity.
Improper access controls in the Cache Sync Handler of yeqifu Warehouse allow authenticated remote attackers to manipulate cache operations (deleteCache, removeAllCache, syncCache) and achieve unauthorized modification or denial of service. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
SQL injection in Tsinghua Unigroup Electronic Archives System versions up to 3.2.210802 allows authenticated remote attackers to manipulate the comid parameter via the /mine/PublicReport/prinReport.html endpoint, potentially leading to unauthorized data access or modification. Public exploit code is available for this vulnerability, and the vendor has not provided a patch despite early notification.
Improper authorization in GoogTech sms-ssm's LoginInterceptor API interface allows remote authenticated attackers to bypass access controls and manipulate protected functions. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or restrict access to the affected API endpoints.
Unrestricted file upload in huanzi-qch base-admin's JSP file upload function allows authenticated remote attackers to upload arbitrary files by manipulating the File parameter, potentially leading to code execution. The vulnerability affects the SysFileController component and has public exploit code available. No patch is currently available from the developers.
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]
Server-side request forgery in Cskefu up to version 8.0.1 allows authenticated remote attackers to manipulate the URL parameter in the MediaController endpoint to perform arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early notification. The attack requires valid authentication credentials but can be executed remotely with low complexity.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Improper access controls in LibrarySystem BookController.java (versions up to 1.1.1) allow unauthenticated remote attackers to gain unauthorized access and potentially modify or disable library system functions. Public exploit code exists for this vulnerability and the vendor has not yet provided a patch despite early notification.
OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]
A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]
Improper authorization in WukongCRM up to version 11.3.3 allows authenticated remote attackers to manipulate URL handling logic and bypass access controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The flaw affects the PermissionServiceImpl component and enables attackers to gain unauthorized access to restricted functionality.
Improper authorization in the yeqifu Warehouse Log Info Handler allows authenticated remote attackers to access, modify, or delete log information through the loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo functions. Public exploit code exists for this vulnerability, and the developers have not yet released a patch despite early notification. Java-based deployments using affected versions are at risk of unauthorized log manipulation by authenticated users.
Improper authorization in Yeqifu Warehouse's Notice Management component allows authenticated users to perform unauthorized operations on notice records through the addNotice, updateNotice, deleteNotice, and batchDeleteNotice functions. Public exploit code exists for this vulnerability, and the vendor has not yet responded to the disclosure. An attacker with valid credentials can remotely manipulate notice data, compromising the confidentiality, integrity, and availability of the application.
Improper authorization in the Department Management component of yeqifu Warehouse allows authenticated users to manipulate department operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, which can be leveraged remotely by attackers with valid credentials. No patch is currently available from the vendor.
Improper authorization in the Menu Management component of Yeqifu Warehouse allows authenticated remote attackers to manipulate menu operations (add, update, delete) without proper access controls. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The flaw affects Java-based deployments running the vulnerable commit and could enable unauthorized administrative actions.
Improper authorization in the Permission Management component of yeqifu Warehouse allows authenticated remote attackers to manipulate permission-related functions (addPermission, updatePermission, deletePermission) and gain unauthorized access or modify system permissions. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects Java-based Warehouse deployments with a CVSS score of 6.3.
Improper authorization in yeqifu Warehouse's Role Management Handler (addRole/updateRole/deleteRole functions) allows authenticated remote attackers to perform unauthorized privilege escalation and data manipulation. Public exploit code exists for this vulnerability, and the vendor has not released a patch or responded to disclosure. An attacker with valid credentials can bypass authorization controls to modify system roles and access restrictions.
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. [CVSS 6.3 MEDIUM]
Improper access control in the Role-Permission Binding Handler of yeqifu Warehouse allows authenticated remote attackers to modify role permissions through the saveRolePermission function, potentially gaining unauthorized access to sensitive operations. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification of the issue.
Improper authorization in Sanluan PublicCMS versions up to 4.0.202506.d, 5.202506.d, and 6.202506.d allows authenticated attackers to manipulate the paymentId parameter in the Trade Payment Handler, potentially leading to integrity and availability impacts. Public exploit code exists for this vulnerability, though exploitation requires high complexity and specific conditions. A patch is available and should be applied promptly to affected Java-based deployments.
JinJava template engine has a server-side template injection vulnerability enabling arbitrary code execution through crafted Jinja-style templates.
Unrestricted file upload in Bolo Solo up to version 2.6.4 allows authenticated remote attackers to upload arbitrary files via the FreeMarker Template Handler component. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. An attacker with valid credentials can achieve limited confidentiality, integrity, and availability impacts.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate file path arguments in the backup import function, potentially accessing or modifying arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The attack requires valid credentials but can be executed remotely over the network.
Path traversal in Bolo Solo's importFromMarkdown function allows authenticated attackers to manipulate file paths and access arbitrary files on affected systems. The vulnerability affects Bolo Solo versions up to 2.6.4 and requires valid credentials but no user interaction to exploit. Public exploit code exists for this vulnerability, and no patch is currently available.
Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate ZIP file extraction operations in the BackupService component, potentially reading or writing arbitrary files on the affected system. Public exploit code is available for this vulnerability, and the vendor has not yet provided a patch despite early notification.
Pre-authentication RCE in AirControl 1.4.2 network management allows unauthenticated system command execution. PoC available.
Unsafe deserialization in Bolo Solo up to version 2.6.4 through the SnakeYAML component allows authenticated attackers to execute arbitrary code remotely via the importMarkdownsSync function. Public exploit code exists for this vulnerability and no patch is currently available. Authenticated users with access to the backup functionality can trigger this flaw to compromise affected systems.
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java.
Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java.
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java.
Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java.
Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.
Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java.
Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.
XXE (XML External Entity) injection in AssertJ Java testing library from 1.4.0 to before 3.27.7 allows reading arbitrary files when parsing XML assertions. Patch available.
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user data and escalate privileges. PoC available.
A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. [CVSS 3.5 LOW]
SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through the authentication routing mechanism.
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantia...
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. [CVSS 4.5 MEDIUM]
Oracle Applications DBA versions 12.2.3-12.2.15 contain an authorization flaw in the Java utilities component that allows high-privileged attackers to gain unauthorized read and write access to sensitive data via HTTP. An authenticated attacker with administrative credentials can exploit this vulnerability to create, modify, or delete critical application data without restriction. A patch is available and should be prioritized for deployment in affected Oracle E-Business Suite environments.
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. [CVSS 3.1 LOW]
Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.