Java

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 6.1).

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.4).

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 4.8).

Unrestricted file upload in lwj flow's SVG File Handler (FormResource.java) allows authenticated remote attackers to upload arbitrary files due to insufficient input validation on the File parameter. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. Affected installations using Java should restrict file upload functionality until an update is available.

PublicCMS versions up to 5.202506.d contain an authorization bypass in the Trade Address Deletion endpoint that allows authenticated attackers to manipulate request parameters and delete arbitrary trade addresses. The vulnerability is network-accessible, requires valid credentials, and has public exploit code available with no patch currently provided. An attacker with legitimate access could leverage this flaw to perform unauthorized data deletion affecting the trade functionality.

Path traversal in Sanluan PublicCMS up to version 5.202506.d allows remote attackers with high privileges to manipulate the path parameter in the Task Template Management handler, enabling unauthorized file access or manipulation. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Bastillion up to version 4.0.1 contains a command injection vulnerability in the System Management Module that allows remote attackers with high privileges to execute arbitrary commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. The impact is limited to low-level confidentiality, integrity, and availability compromise.

Command injection in Bastillion's public key management system (versions up to 4.0.1) allows remote attackers with high privileges to execute arbitrary commands through the AuthKeysKtrl.java component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The attack requires network access and high-level authentication but carries minimal complexity once access is obtained.

Teamwork Management System versions up to 2.28.0. is affected by server-side request forgery (ssrf) (CVSS 6.3).

Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.

SQL injection in the REST authentication endpoint of risesoft-y9 Digital-Infrastructure up to version 9.6.7 allows unauthenticated remote attackers to manipulate input parameters and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

Gradle versions before 9.3.0 fail to properly handle certain exceptions during dependency resolution, allowing attackers who control a repository to serve malicious artifacts by disrupting legitimate repository services. When transient errors occur, Gradle incorrectly continues to the next configured repository instead of disabling the failing source, enabling attackers to intercept and redirect dependency resolution to attacker-controlled repositories. This vulnerability affects Java builds using vulnerable Gradle versions and requires network-level control over a repository to exploit.

Gradle before version 9.3.0 fails to treat certain dependency resolution exceptions as fatal errors, allowing builds to continue using alternate repositories when encountering unresolvable hostnames. An attacker could exploit this by registering a domain matching a typo or lapsed registration to intercept and supply malicious dependencies to affected builds. This affects Java projects using vulnerable Gradle versions with multiple configured repositories.

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. [CVSS 7.5 HIGH]

The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. [CVSS 3.0 LOW]

SAP Wily Introscope Enterprise Manager uses a vulnerable third-party component that allows unauthenticated attackers to create malicious JNLP files at public URLs. Victims who click these URLs execute OS commands on their machines. Scope change. Patch available.

Operation And Maintenance Management System versions up to 3.0.8. is affected by command injection (CVSS 8.8).

Fastjson before 1.2.48 has a well-known autoType deserialization vulnerability enabling JNDI injection and RCE. Exploited in the wild since 2023 through GodzillaWebShell. Maximum CVSS 10.0 with scope change.

JimuReport through 2.1.3 has RCE via user-controlled H2 JDBC URLs. The application passes attacker-supplied JDBC connection strings directly to the H2 driver, which supports directives for arbitrary Java code execution. PoC available.

Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently b...

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 5.4 MEDIUM]

A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. [CVSS 6.3 MEDIUM]

Improper authorization in the saveUserRole request handler of yeqifu Warehouse allows authenticated remote attackers to gain unauthorized access to user role functionality and modify permissions. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects Java-based Warehouse deployments using the affected commit and earlier versions.

MessagePack for Java versions prior to 0.9.11 are vulnerable to denial-of-service attacks through malicious .msgpack files that exploit unbounded heap allocation when deserializing EXT32 objects. An unauthenticated attacker can craft a small payload with attacker-controlled extension lengths that causes the library to attempt allocating excessive memory, leading to JVM heap exhaustion and service unavailability. Public exploit code exists for this vulnerability; organizations using affected versions should update immediately.

Path traversal in the yeqifu Warehouse application's file handling function allows authenticated attackers to read arbitrary files on the system through manipulated path parameters. Public exploit code exists for this vulnerability, increasing the risk of exploitation. The rolling-release nature of the product means affected users lack clear version guidance and no official patch is currently available.

A buffer information disclosure vulnerability exists in the Aircompressor Java compression library affecting Snappy and LZ4 decompressor implementations. Versions 3.3 and below of Airlift Aircompressor allow remote attackers to read previous buffer contents through crafted compressed input, potentially leaking sensitive data from applications that reuse output buffers across multiple decompression operations. With an EPSS score of 0.19% (41st percentile), active exploitation appears low probability despite the network-accessible attack vector, and no public proof-of-concept is currently documented.

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.

Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request.

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors.

A weakness has been identified in Yohann0617 oci-helper up to 3.2.4. This issue affects the function addCfg of the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the component OCI Configuration Upload. Executing manipulation of the argument File can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing a manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in jsnjfz WebStack-Guns 1.0. This affects the function renderPicture of the file src/main/java/com/jsnjfz/manage/modular/system/controller/KaptchaController.java. Performing a manipulation results in path traversal. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoController.java of the component SSH Connection Handler. Such manipulation of the argument host/sshPort/username/password/authType leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure but did not respond in any way.

A security vulnerability in orionsec orion-ops (CVSS 7.3). Risk factors: public PoC available.

A security vulnerability in orionsec orion-ops (CVSS 4.3). Risk factors: public PoC available.

A security vulnerability in nutzam NutzBoot (CVSS 7.3). Risk factors: public PoC available.

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.

A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

A vulnerability was identified in Scada-LTS up to 2.7.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A flaw was found in the Keycloak LDAP User Federation provider. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A flaw has been found in Dromara dataCompare up to 1.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A security vulnerability has been detected in wwwlike vlife up to 2.0.1.java of the component VLifeApi. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A weakness has been identified in lsfusion platform up to 6.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was determined in lsfusion platform up to 6.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was found in lsfusion platform up to 6.1. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was identified in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required. No vendor patch available.

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224.java. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attack complexity is low, there are no attack requirements, the privileges required are low and no user interaction is required. Impact to confidentiality is low, there is no impact to integrity or availability.

Hardcoded cryptographic key in Flock Safety DetectionProcessing app for ANPR. PoC available.

A remote code execution vulnerability in conditional configuration file processing by QOS.CH logback-core (CVSS 5.9) that allows an attacker. Remediation should follow standard vulnerability management procedures.

Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

A vulnerability has been found in youth-is-as-pale-as-poetry e-learning 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the alph parameters in src/main/Java/cn/gson/oasys/controller/address/AddrController. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.