Skip to main content

Java

3270 CVEs product

Monthly

CVE-2026-44241 Maven HIGH PATCH GHSA This Week

Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.

Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44242 Maven LOW PATCH GHSA Monitor

Memory exhaustion in Micronaut Core's ResourceBundleMessageSource allows unauthenticated remote attackers to exhaust heap memory by sending HTTP requests with crafted Accept-Language headers that populate an unbounded bundleCache. Vulnerable applications must explicitly register a ResourceBundleMessageSource bean and serve HTML error responses; each unique locale value creates a persistent cache entry (100-200 bytes for non-matching locales, or several KB if bundles match), and sustained attack over thousands of requests causes gradual heap degradation with partial availability impact (CVSS 3.7, AC:H). The sibling messageCache is properly bounded at 100 entries, but bundleCache uses an uncontrolled ConcurrentHashMap, allowing unbounded growth keyed by (Locale, baseName) pairs derived from untrusted HTTP headers.

Denial Of Service Java
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-29080 PyPI CRITICAL POC PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQLi PostgreSQL Java Python Oracle +1
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-42188 Maven LOW PATCH GHSA Monitor

Server-side request forgery (SSRF) in Geyser through version 2.9.2 allows authenticated attackers with operator privileges to cause the Minecraft server to issue arbitrary HTTP GET requests to internal or attacker-controlled endpoints via crafted Base64-encoded player head texture URLs in the /give command. The vulnerability enables blind SSRF attacks for network reconnaissance, cloud metadata probing, and server IP disclosure without requiring unauthenticated access. Publicly available exploit code exists demonstrating proof-of-concept via webhook.site.

SSRF Java
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-41417 Maven MEDIUM PATCH This Month

HTTP request smuggling and RTSP request injection in Netty arise from incomplete input validation in DefaultHttpRequest and DefaultFullHttpRequest. When these objects are created with a safe URI and later modified via setUri() with attacker-controlled input, the setUri() method bypasses CRLF validation that is enforced in constructors. HttpRequestEncoder and RtspEncoder then serialize the malicious URI directly into request lines, allowing attackers to inject additional HTTP or RTSP requests. Vendor-released patches: 4.1.133.Final and 4.2.13.Final address the vulnerability by applying consistent validation in setUri().

Authentication Bypass Java Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7412 Maven HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.

SSRF Java
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-7411 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

RCE Java Path Traversal File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2023-54342 CRITICAL POC Act Now

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java RCE
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-43868 Cargo MEDIUM PATCH This Month

Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.

Information Disclosure Apache Java Node.js Thrift
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43870 npm HIGH PATCH GHSA This Week

Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.

Apache Java Path Traversal Node.js
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43869 Maven HIGH PATCH GHSA This Week

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.

Information Disclosure Apache Java Node.js Thrift
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-42333 Maven MEDIUM PATCH GHSA This Month

Quarkus OpenAPI Generator versions before 2.16.0-lts and 2.16.0 (fixed in 2.17.0) send authentication credentials to unintended API endpoints due to overly broad path-parameter regex matching. The generated authentication filter treats OpenAPI path-template placeholders like {param} as .* patterns, allowing a single parameter to consume forward slashes and match multiple distinct operations. This causes bearer tokens, OAuth tokens, API keys, and basic credentials configured for one protected operation to be leaked to different, unprotected operations on the same service when a client invokes them through normal generated-code paths. No public exploit code has been identified, but the vulnerability is trivial to trigger and affects all authentication schemes relying on the shared path-matching logic.

Python Information Disclosure Apache Java
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-41258 Maven CRITICAL PATCH GHSA Act Now

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Apache Tomcat Java RCE Privilege Escalation +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40076 Maven CRITICAL GHSA Act Now

Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.

Java Path Traversal Tomcat RCE
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-40075 Maven HIGH PATCH GHSA This Week

Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

Java Path Traversal Apache Tomcat
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-7710 MEDIUM This Month

Authentication bypass in YunaiV yudao-cloud up to version 3.8.0 allows remote unauthenticated attackers to manipulate the mock-token argument in JwtAuthenticationTokenFilter.java, circumventing JWT authentication mechanisms and gaining unauthorized access. The vulnerability affects the Ruoyi-Vue-Pro component, has publicly available exploit code, and impacts confidentiality, integrity, and availability of protected resources with low severity per CVSS 4.0 scoring (CVSS:5.5, AV:N/AC:L/PR:N/UI:N, VC:L/VI:L/VA:L). The vendor has not responded to early disclosure notification.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7679 MEDIUM POC This Month

Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7678 LOW POC Monitor

SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the getDataBySQL function in GoViewDataServiceImpl.java, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists, and the vendor did not respond to early disclosure notifications.

Java SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7677 LOW POC Monitor

Stored cross-site scripting (XSS) in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to inject malicious scripts via the noticeContent parameter in the System Notice Handler component, which are then executed in the browsers of other users viewing notices. The vulnerability requires user interaction (victims must view the injected notice) and authenticated access, limiting immediate attack scope, though publicly available exploit code and vendor non-responsiveness increase real-world risk.

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7676 LOW POC Monitor

Path traversal vulnerability in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to read arbitrary files on the server via manipulation of the fileName parameter in the ToolController.download endpoint. The vulnerability has publicly available exploit code and affects the Tool Download functionality, enabling unauthorized file disclosure with low CVSS impact (4.3) due to authentication requirements and limited scope.

Java Path Traversal
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7673 LOW POC Monitor

Unrestricted file upload in crmeb_java Admin Upload component (versions up to 1.3.4) allows high-privileged remote attackers to upload arbitrary files by manipulating the model argument in UploadServiceImpl.java, resulting in potential code execution or system compromise. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Java File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7672 LOW Monitor

SQL injection in youlai-boot up to version 2.21.1 via argument order manipulation in the getUserList endpoint allows authenticated remote attackers to execute arbitrary SQL queries with limited data access impact. The vulnerability affects the Users Endpoint component, has publicly available exploit code, and the vendor has not responded to disclosure attempts despite early notification.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7605 LOW POC PATCH Monitor

Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7604 LOW Monitor

Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and vendors confirmed the issue with a fix planned for an upcoming release.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41586 Maven CRITICAL GHSA Act Now

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

Deserialization Java
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-22745 Maven MEDIUM PATCH This Month

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Microsoft Java Denial Of Service Red Hat
NVD HeroDevs VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22741 Maven LOW PATCH Monitor

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Java Denial Of Service
NVD HeroDevs VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-7306 LOW Monitor

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7305 LOW Monitor

A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7303 Maven LOW PATCH Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Information Disclosure Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-7292 LOW POC Monitor

Improper authorization in o2oa up to version 10.0 allows remote attackers to bypass authentication via the syncFile function in NodeAgent.java, leading to unauthorized access to file operations. The vulnerability requires high attack complexity and has publicly available exploit code, though no active exploitation in the wild has been confirmed at this time.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7291 LOW POC Monitor

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. Publicly available exploit code exists, and the vendor has not yet responded to early notification.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7290 LOW POC PATCH Monitor

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL commands through the loadDict endpoint by manipulating the keyword parameter in the SqlInjectionUtil function. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector, and publicly available exploit code exists; patch availability is confirmed via GitHub commit a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b.

Java SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40969 Maven LOW PATCH Monitor

Spring gRPC versions 1.0.0 through 1.0.2 leak sensitive authentication failure details in gRPC status descriptions to unauthenticated remote callers, enabling reconnaissance for follow-up attacks. The vulnerability exposes raw server-side AuthenticationException messages without sanitization, providing attackers with information about authentication mechanisms and potential weaknesses. This low-severity information disclosure (CVSS 3.7) requires high attack complexity but affects default configurations.

Information Disclosure Java
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-40968 Maven MEDIUM PATCH This Month

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Java Privilege Escalation
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-40980 Maven MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 are vulnerable to denial of service through uncontrolled resource consumption when processing maliciously crafted PDF files via the ForkPDFLayoutTextStripper component. Authenticated remote attackers can exhaust server memory and crash affected applications by uploading or processing specially designed PDFs. Vendor-released patches address the issue in versions 1.0.6 and 1.1.5.

Java Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-40979 Maven MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 expose ONNX machine learning models to unauthorized disclosure when the application runs in shared hosting environments, allowing local users with limited system access to read sensitive model files and potentially reverse-engineer proprietary ML logic. The vulnerability stems from insecure temporary file handling (CWE-377) that fails to restrict file permissions on extracted model artifacts. Authentication requirements are minimal-only local system access is needed-making this a significant risk in multi-tenant cloud platforms and shared servers.

Information Disclosure Java
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40978 Maven HIGH PATCH GHSA This Week

SQL injection in Spring AI's CosmosDBVectorStore component (versions 1.0.0-1.0.5 and 1.1.0-1.1.4) enables authenticated remote attackers to execute arbitrary SQL queries through malicious document IDs, potentially achieving full database compromise including data exfiltration, modification, and denial of service. VMware has released patches in versions 1.0.6 and 1.1.5. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authenticated access to the vector store API.

Java SQLi
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-40966 Maven MEDIUM PATCH This Month

Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.

Java Authentication Bypass
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-40967 Maven HIGH PATCH GHSA This Week

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

Java Code Injection RCE
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-41602 Go HIGH PATCH GHSA This Week

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Denial Of Service Integer Overflow Java Apache Thrift
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41603 HIGH PATCH This Week

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Denial Of Service Java Apache Thrift
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41604 HIGH PATCH This Week

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).

Buffer Overflow Information Disclosure Java Apache Thrift
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40977 Maven MEDIUM PATCH This Month

Spring Boot applications configured with ApplicationPidFileWriter are vulnerable to local file corruption when a high-privilege user can write to the PID file directory. An attacker with high privileges and write access to the PID file location can corrupt arbitrary files each time the application restarts, achieving denial of service or data integrity violations. Exploitation requires local access and elevated privileges, limiting real-world impact to co-resident or insider threat scenarios. No active exploitation has been publicly reported.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-40976 Maven CRITICAL PATCH GHSA Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-40975 Maven HIGH PATCH This Week

{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them unsuitable for use as secrets such as passwords, tokens, or keys. The numeric `${random.int}` and `${random.long}` placeholders are even weaker, drawing from a small predictable range, while `${random.uuid}` is explicitly unaffected. There is no public exploit identified at time of analysis (SSVC exploitation: none; EPSS 0.03%), so the practical risk depends entirely on whether a given deployment actually used these placeholders to seed real secrets.

Information Disclosure Java Spring Boot
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-40974 Maven MEDIUM PATCH This Month

Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). No public exploit code identified at time of analysis.

Information Disclosure Java
NVD HeroDevs VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-40973 Maven HIGH PATCH GHSA This Week

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-40972 Maven HIGH PATCH GHSA This Week

Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.

Java RCE Red Hat
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40971 Maven MEDIUM PATCH This Month

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14) per vendor advisory.

Information Disclosure Java
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-40970 Maven MEDIUM PATCH This Month

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0-4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Java Information Disclosure Elastic
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-27172 Maven HIGH PATCH This Week

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.

RCE Java Deserialization Apache Apache Camel
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40858 Maven HIGH POC PATCH GHSA This Week

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

RCE Java Atlassian Deserialization Apache +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40473 Maven HIGH POC PATCH GHSA This Week

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

RCE Java Deserialization Apache Camel
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40048 Maven HIGH PATCH GHSA This Week

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

RCE Java Apache Deserialization Path Traversal +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-7060 MEDIUM POC PATCH This Month

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.

Java SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7045 Maven MEDIUM PATCH This Month

SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.

Java Code Injection
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-7024 LOW POC Monitor

Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.

Java Path Traversal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-7018 LOW POC PATCH Monitor

Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.

Information Disclosure Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-41433 Go HIGH PATCH GHSA This Week

OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.

Java Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-40912 Go HIGH PATCH GHSA This Week

Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.

Docker Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-33524 Maven HIGH PATCH GHSA This Week

Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.

Docker Java Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-39920 CRITICAL POC PATCH Act Now

Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.

Information Disclosure Java Apache
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-41044 Maven HIGH PATCH GHSA This Week

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

RCE Java Apache Apache Activemq Apache Activemq Broker +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40466 Maven HIGH POC PATCH GHSA This Week

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

RCE Java Apache Apache Activemq Broker Apache Activemq All +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41166 Maven HIGH PATCH GHSA This Week

OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.

Java Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-22754 Maven HIGH PATCH GHSA This Week

Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.

Authentication Bypass Java Spring Security
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22753 Maven HIGH PATCH GHSA This Week

Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.

Information Disclosure Java Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22748 Maven MEDIUM PATCH This Month

JWT token validation bypass in Spring Security allows authenticated attackers to forge or manipulate JWT tokens when NimbusJwtDecoder or NimbusReactiveJwtDecoder is used without explicit OAuth2TokenValidator configuration, enabling unauthorized access to protected resources. The vulnerability affects Spring Security versions 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.9, and 7.0.0-7.0.4. CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) reflects network-accessible exploitation requiring low-privilege authentication and high attack complexity.

Information Disclosure Java Red Hat
NVD VulDB HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22747 Maven HIGH PATCH This Week

Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.

Information Disclosure Java Spring Security
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22746 Maven LOW PATCH Monitor

Spring Security's DaoAuthenticationProvider can leak timing information about user account status when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes for user validation. This allows remote attackers to enumerate disabled, expired, or locked accounts through timing analysis of authentication responses across affected versions 5.7.0-5.7.22, 5.8.0-5.8.24, 6.3.0-6.3.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. No public exploit code or active exploitation has been identified at this time.

Authentication Bypass Java
NVD VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-6797 MEDIUM This Month

A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Denial Of Service Java
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35229 HIGH This Week

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34282 HIGH PATCH This Week

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Denial Of Service Oracle Java Oracle Java Se Oracle Graalvm For Jdk +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34268 LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle Java Information Disclosure
NVD VulDB
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-22021 MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Denial Of Service Oracle Java Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22018 LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Denial Of Service Oracle Java
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-22016 HIGH PATCH This Week

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java Information Disclosure Oracle Java Se +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22013 MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22008 LOW PATCH Monitor

Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Oracle Java Privilege Escalation
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-22007 LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle Java Information Disclosure
NVD VulDB
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-22003 MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

Denial Of Service Oracle Java Suse
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-6796 MEDIUM This Month

A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure Java
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-22751 Maven MEDIUM PATCH This Month

Time-of-check Time-of-use (TOCTOU) race condition in Spring Security's JdbcOneTimeTokenService allows unauthenticated remote attackers to bypass one-time token validation and gain unauthorized access. Affected versions include 6.4.0-6.4.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. The vulnerability requires explicit configuration of One-Time Token login and involves high attack complexity, limiting real-world exploitation despite network accessibility.

Information Disclosure Java
NVD VulDB HeroDevs
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-32613 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SPeL) injection in artifact processing. Unlike Spinnaker's Orca service which implemented SPeL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from Spinnaker project.

Code Injection Java RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-41245 Maven HIGH PATCH This Week

Path traversal in Junrar library versions prior to 7.5.10 allows remote attackers to write arbitrary files into sibling directories by extracting a crafted RAR archive, enabling unauthorized file creation and potential code injection. The vulnerability requires high attack complexity (AC:H) but no authentication or user interaction, affecting any Java application using vulnerable Junrar versions to process untrusted RAR files. Vendor-released patch: version 7.5.10.

Path Traversal Java Junrar
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6625 MEDIUM POC This Month

Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

SSRF Java
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6620 LOW POC Monitor

Remote authenticated path traversal in SonicCloudOrg sonic-server up to version 2.0.0 allows attackers with low-level privileges to manipulate the Type parameter in the File Upload Endpoint (FileTool.java) to traverse the filesystem and read or write arbitrary files. The vulnerability has publicly available exploit code and affects all versions up to 2.0.0; the vendor has not responded to early disclosure attempts, leaving no patch available.

File Upload Path Traversal Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-40490 Maven MEDIUM PATCH This Month

AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).

Information Disclosure Java Open Redirect Red Hat
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-33207 HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.

Denial Of Service Java
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Memory exhaustion in Micronaut Core's ResourceBundleMessageSource allows unauthenticated remote attackers to exhaust heap memory by sending HTTP requests with crafted Accept-Language headers that populate an unbounded bundleCache. Vulnerable applications must explicitly register a ResourceBundleMessageSource bean and serve HTML error responses; each unique locale value creates a persistent cache entry (100-200 bytes for non-matching locales, or several KB if bundles match), and sustained attack over thousands of requests causes gradual heap degradation with partial availability impact (CVSS 3.7, AC:H). The sibling messageCache is properly bounded at 100 entries, but bundleCache uses an uncontrolled ConcurrentHashMap, allowing unbounded growth keyed by (Locale, baseName) pairs derived from untrusted HTTP headers.

Denial Of Service Java
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQLi PostgreSQL Java +3
NVD GitHub
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Server-side request forgery (SSRF) in Geyser through version 2.9.2 allows authenticated attackers with operator privileges to cause the Minecraft server to issue arbitrary HTTP GET requests to internal or attacker-controlled endpoints via crafted Base64-encoded player head texture URLs in the /give command. The vulnerability enables blind SSRF attacks for network reconnaissance, cloud metadata probing, and server IP disclosure without requiring unauthenticated access. Publicly available exploit code exists demonstrating proof-of-concept via webhook.site.

SSRF Java
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

HTTP request smuggling and RTSP request injection in Netty arise from incomplete input validation in DefaultHttpRequest and DefaultFullHttpRequest. When these objects are created with a safe URI and later modified via setUri() with attacker-controlled input, the setUri() method bypasses CRLF validation that is enforced in constructors. HttpRequestEncoder and RtspEncoder then serialize the malicious URI directly into request lines, allowing attackers to inject additional HTTP or RTSP requests. Vendor-released patches: 4.1.133.Final and 4.2.13.Final address the vulnerability by applying consistent validation in setUri().

Authentication Bypass Java Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.

SSRF Java
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to write arbitrary files anywhere on the host filesystem via path traversal in the Submodel HTTP API's file upload fileName parameter, leading to complete system compromise. The vulnerability receives the maximum CVSS score of 10.0 due to network-accessible exploitation requiring no authentication, privileges, or user interaction, with scope change enabling impact beyond the vulnerable component. EPSS data not available; KEV status not confirmed; exploitation status depends on release recency and deployment exposure of this industrial automation SDK.

RCE Java Path Traversal +1
NVD
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java RCE
NVD Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.

Information Disclosure Apache Java +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.

Apache Java Path Traversal +1
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.

Information Disclosure Apache Java +2
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Quarkus OpenAPI Generator versions before 2.16.0-lts and 2.16.0 (fixed in 2.17.0) send authentication credentials to unintended API endpoints due to overly broad path-parameter regex matching. The generated authentication filter treats OpenAPI path-template placeholders like {param} as .* patterns, allowing a single parameter to consume forward slashes and match multiple distinct operations. This causes bearer tokens, OAuth tokens, API keys, and basic credentials configured for one protected operation to be leaked to different, unprotected operations on the same service when a client invokes them through normal generated-code paths. No public exploit code has been identified, but the vulnerability is trivial to trigger and affects all authentication schemes relying on the shared path-matching logic.

Python Information Disclosure Apache +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side template injection in OpenMRS Core allows authenticated users with 'Manage Concepts' privilege to execute arbitrary Java code by injecting malicious Apache Velocity templates into concept reference range criteria fields. The vulnerability stems from unsafe VelocityEngine initialization without sandbox restrictions (no SecureUberspector), enabling unrestricted Java reflection. Exploitation persists across all facility users whenever observations are validated against the compromised concept, creating a persistent remote code execution vector. Fixed in versions 2.7.9 and 2.8.6 via migration from Velocity to sandboxed Spring Expression Language (SpEL) with SimpleEvaluationContext. No active exploitation confirmed (not in CISA KEV), but proof-of-concept details available from researcher advisory at machinespirits.com.

Apache Tomcat Java +3
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL Act Now

Path traversal (Zip Slip) vulnerability in OpenMRS Core ≤ 2.7.8 and 2.8.0-2.8.5 allows authenticated administrators to achieve remote code execution by uploading a malicious .omod module archive to the REST API endpoint POST /openmrs/ws/rest/v1/module. Attackers can write arbitrary JSP files to the Tomcat webroot via crafted ZIP entries containing directory traversal sequences (e.g., web/module/../../../../malicious.jsp), which bypass incomplete path validation in WebModuleUtil.startModule(). The vulnerability also bypasses the module.allow_web_admin security control, as the REST API does not enforce this restriction despite Legacy UI being protected. No vendor-released patch identified at time of analysis for either affected version range.

Java Path Traversal Tomcat +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Path traversal in OpenMRS Core's ModuleResourcesServlet allows unauthenticated attackers to read arbitrary files from the server filesystem, including sensitive configuration files and system files like /etc/passwd. The vulnerability exists in versions ≤ 2.7.8 and 2.8.0-2.8.5, with exploitation requiring Apache Tomcat < 8.5.31 where path parameter bypass protections are absent. Fix available in version 2.8.6 for the 2.8.x branch; no patch released for 2.7.x series at time of analysis. CVSS 7.5 (High) reflects network-accessible unauthenticated exploitation with high confidentiality impact.

Java Path Traversal Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Authentication bypass in YunaiV yudao-cloud up to version 3.8.0 allows remote unauthenticated attackers to manipulate the mock-token argument in JwtAuthenticationTokenFilter.java, circumventing JWT authentication mechanisms and gaining unauthorized access. The vulnerability affects the Ruoyi-Vue-Pro component, has publicly available exploit code, and impacts confidentiality, integrity, and availability of protected resources with low severity per CVSS 4.0 scoring (CVSS:5.5, AV:N/AC:L/PR:N/UI:N, VC:L/VI:L/VA:L). The vendor has not responded to early disclosure notification.

Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.

Java Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in YunaiV yudao-cloud up to version 2026.01 allows authenticated remote attackers to execute arbitrary SQL queries via the getDataBySQL function in GoViewDataServiceImpl.java, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists, and the vendor did not respond to early disclosure notifications.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.0
LOW POC Monitor

Stored cross-site scripting (XSS) in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to inject malicious scripts via the noticeContent parameter in the System Notice Handler component, which are then executed in the browsers of other users viewing notices. The vulnerability requires user interaction (victims must view the injected notice) and authenticated access, limiting immediate attack scope, though publicly available exploit code and vendor non-responsiveness increase real-world risk.

Java XSS
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal vulnerability in kerwincui FastBee up to version 1.2.1 allows authenticated remote attackers to read arbitrary files on the server via manipulation of the fileName parameter in the ToolController.download endpoint. The vulnerability has publicly available exploit code and affects the Tool Download functionality, enabling unauthorized file disclosure with low CVSS impact (4.3) due to authentication requirements and limited scope.

Java Path Traversal
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

Unrestricted file upload in crmeb_java Admin Upload component (versions up to 1.3.4) allows high-privileged remote attackers to upload arbitrary files by manipulating the model argument in UploadServiceImpl.java, resulting in potential code execution or system compromise. Publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Java File Upload
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

SQL injection in youlai-boot up to version 2.21.1 via argument order manipulation in the getUserList endpoint allows authenticated remote attackers to execute arbitrary SQL queries with limited data access impact. The vulnerability affects the Users Endpoint component, has publicly available exploit code, and the vendor has not responded to disclosure attempts despite early notification.

Java SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and vendors confirmed the issue with a fix planned for an upcoming release.

Java SSRF
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in Hyperledger fabric-sdk-java (all versions 1.0.0 through 2.2.26) allows unauthenticated attackers to execute arbitrary commands via malicious serialized Java objects. The deprecated SDK's Channel.java class deserializes untrusted byte arrays without input filtering in readObject() and deSerializeChannel() methods, enabling classic Java gadget chain exploitation. Publicly available exploit code exists (ysoserial toolkit), and exploitation requires only that an application accept Channel serialization data from attacker-controlled sources such as compromised files, external APIs, or injected parameters. EPSS data unavailable; not listed in CISA KEV. Vendor has published GHSA advisory but provides no patch-remediation requires migration to the replacement fabric-gateway SDK.

Deserialization Java
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Microsoft Java Denial Of Service +1
NVD HeroDevs VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Java Denial Of Service
NVD HeroDevs VulDB
EPSS 0% CVSS 2.9
LOW Monitor

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

Java SSRF
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Information Disclosure Java
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authorization in o2oa up to version 10.0 allows remote attackers to bypass authentication via the syncFile function in NodeAgent.java, leading to unauthorized access to file operations. The vulnerability requires high attack complexity and has publicly available exploit code, though no active exploitation in the wild has been confirmed at this time.

Java Authentication Bypass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery (SSRF) in o2oa up to version 10.0 allows authenticated remote attackers to manipulate the fileUrl parameter in the FileAction component to trigger arbitrary HTTP requests from the server. The vulnerability requires authenticated access (PR:L) but can facilitate attacks against internal services, exfiltrate sensitive data, or pivot to backend systems. Publicly available exploit code exists, and the vendor has not yet responded to early notification.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL commands through the loadDict endpoint by manipulating the keyword parameter in the SqlInjectionUtil function. The vulnerability has a CVSS score of 6.3 with network-accessible attack vector, and publicly available exploit code exists; patch availability is confirmed via GitHub commit a9c8e8eb1185751c4c3c68d2a53f3dadee9edc6b.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Spring gRPC versions 1.0.0 through 1.0.2 leak sensitive authentication failure details in gRPC status descriptions to unauthenticated remote callers, enabling reconnaissance for follow-up attacks. The vulnerability exposes raw server-side AuthenticationException messages without sanitization, providing attackers with information about authentication mechanisms and potential weaknesses. This low-severity information disclosure (CVSS 3.7) requires high attack complexity but affects default configurations.

Information Disclosure Java
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Java Privilege Escalation
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 are vulnerable to denial of service through uncontrolled resource consumption when processing maliciously crafted PDF files via the ForkPDFLayoutTextStripper component. Authenticated remote attackers can exhaust server memory and crash affected applications by uploading or processing specially designed PDFs. Vendor-released patches address the issue in versions 1.0.6 and 1.1.5.

Java Denial Of Service
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 expose ONNX machine learning models to unauthorized disclosure when the application runs in shared hosting environments, allowing local users with limited system access to read sensitive model files and potentially reverse-engineer proprietary ML logic. The vulnerability stems from insecure temporary file handling (CWE-377) that fails to restrict file permissions on extracted model artifacts. Authentication requirements are minimal-only local system access is needed-making this a significant risk in multi-tenant cloud platforms and shared servers.

Information Disclosure Java
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection in Spring AI's CosmosDBVectorStore component (versions 1.0.0-1.0.5 and 1.1.0-1.1.4) enables authenticated remote attackers to execute arbitrary SQL queries through malicious document IDs, potentially achieving full database compromise including data exfiltration, modification, and denial of service. VMware has released patches in versions 1.0.6 and 1.1.5. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires low-privilege authenticated access to the vector store API.

Java SQLi
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.

Java Authentication Bypass
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

Java Code Injection RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Denial Of Service Integer Overflow Java +2
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Denial Of Service Java Apache +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).

Buffer Overflow Information Disclosure Java +2
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Spring Boot applications configured with ApplicationPidFileWriter are vulnerable to local file corruption when a high-privilege user can write to the PID file directory. An attacker with high privileges and write access to the PID file location can corrupt arbitrary files each time the application restarts, achieving denial of service or data integrity violations. Exploitation requires local access and elevated privileges, limiting real-world impact to co-resident or insider threat scenarios. No active exploitation has been publicly reported.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpoints, bypassing default web security filters entirely. Affects servlet-based applications using spring-boot-actuator-autoconfigure without custom Spring Security configuration and without spring-boot-health dependency. Vendor patch released (upgrade to 4.0.6+). No public exploit code identified at time of analysis, but CVSS 9.1 with network attack vector (AV:N/AC:L/PR:N) indicates trivial exploitation once configuration prerequisites are met.

Java Authentication Bypass Spring Boot
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them unsuitable for use as secrets such as passwords, tokens, or keys. The numeric `${random.int}` and `${random.long}` placeholders are even weaker, drawing from a small predictable range, while `${random.uuid}` is explicitly unaffected. There is no public exploit identified at time of analysis (SSVC exploitation: none; EPSS 0.03%), so the practical risk depends entirely on whether a given deployment actually used these placeholders to seed real secrets.

Information Disclosure Java Spring Boot
NVD HeroDevs VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). No public exploit code identified at time of analysis.

Information Disclosure Java
NVD HeroDevs VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation and session hijacking in Spring Boot allows attackers with local access to hijack authenticated sessions or execute arbitrary code by taking control of the ApplicationTemp directory. The vulnerability affects Spring Boot versions 2.7.0 through 4.0.5 when server.servlet.session.persistent is enabled, requiring attack persistence across application restarts. VMware has released patches for all supported branches (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33), though unsupported versions remain vulnerable. No active exploitation confirmed at time of analysis.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Timing attack against Spring Boot DevTools remote secret comparison allows adjacent network attackers to recover the shared secret and achieve remote code execution by uploading malicious classes. Affects Spring Boot 2.7.x through 4.0.x when DevTools remote feature is enabled. Attacker must be on same network segment (AV:A) and overcome high attack complexity (timing-based cryptographic weakness), but requires no authentication or user interaction. CVSS 7.5 severity reflects adjacent vector limitation; real-world risk depends heavily on whether DevTools remote restart is enabled in production (not recommended practice) and network segmentation. No confirmed active exploitation (not in CISA KEV). Vendor-released patches available across all affected branches.

Java RCE Red Hat
NVD HeroDevs VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0-4.0.5 (fix 4.0.6), 3.5.0-3.5.13 (fix 3.5.14) per vendor advisory.

Information Disclosure Java
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0-4.0.5; upgrade to 4.0.6 or later per vendor advisory.

Java Information Disclosure Elastic
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.

RCE Java Deserialization +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

RCE Java Atlassian +3
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

RCE Java Deserialization +2
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

RCE Java Apache +3
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

SQL injection in Yu Picture's PageRequest handler allows remote unauthenticated attackers to manipulate database queries via the sortField parameter in PictureServiceImpl.java. The vulnerability exists in MyBatis-Plus integration code at commit a053632c41340152bf75b66b3c543d129123d8ec. Publicly available exploit code exists (GitHub issue #4) with EPSS not yet calculated. Vendor patch available via pull request #3 but remains unmerged, leaving deployed instances vulnerable. CVSS 7.3 reflects network-accessible, low-complexity exploitation with no authentication required, enabling partial confidentiality, integrity, and availability compromise.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.

Java Code Injection
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.

Java Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.

Information Disclosure Java
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x allow local attackers controlling a Java workload to overwrite arbitrary host files via path traversal when Java injection is enabled and the agent runs with elevated privileges. The vulnerability exploits unsafe file creation in the Java agent injection path, where the injector trusts the target process's TMPDIR environment variable and lacks boundary checks, enabling symlink-based file clobbering and filesystem escape. Vendor-released patch available in version 0.8.0. No public exploit identified at time of analysis, but CVSS 8.4 reflects high integrity and availability impact with scope change from container to host.

Java Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.

Docker Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.

Docker Java Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure.

Information Disclosure Java Apache
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Spring XML contexts that execute arbitrary code on the broker's JVM. Attackers exploit improper broker name validation to embed xbean bindings, then trigger VM transport creation via DestinationView mbean to load remote Spring XML files containing malicious bean factory methods like Runtime.exec(). EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability despite CVSS 8.8, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patches available: versions 5.19.6 and 6.2.5 address the vulnerability.

RCE Java Apache +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath.

RCE Java Apache +3
NVD VulDB GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

OpenRemote Manager allows privilege escalation to Keycloak master realm administrator through improper authorization in the Manager API. Users with write:admin permission in any non-master realm can manipulate realm role assignments in other realms, including master, by exploiting missing authorization checks in the updateUserRealmRoles endpoint. An attacker controlling any user in the master realm can grant themselves admin privileges, achieving full Keycloak administrator access. Vendor-released patch version 1.22.1 addresses this vulnerability. No public exploit code identified at time of analysis, though a detailed proof-of-concept is documented in the advisory.

Java Authentication Bypass Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to circumvent access controls when applications use servlet-path-based intercept-url configurations. The framework fails to include the servlet path when computing pattern matches for authorization rules, causing protected endpoints to become accessible without proper authorization checks. No public exploit code identified at time of analysis, but the straightforward bypass condition (misconfigured servlet-path directives) and network attack vector (CVSS AV:N/AC:L/PR:N) make this readily exploitable in affected deployments.

Authentication Bypass Java Spring Security
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path matching bypass in Spring Security 7.0.0-7.0.4 allows unauthenticated remote attackers to evade authentication, authorization, and other security controls when applications use securityMatchers(String) with a PathPatternRequestMatcher.Builder bean to prepend servlet paths. Improper matcher configuration causes filter chains to silently fail, leaving protected endpoints exposed without intended security controls. No active exploitation confirmed, but CVSS 7.5 with network attack vector (AV:N/AC:L/PR:N) indicates readily exploitable if applications use the specific configuration pattern. VMware-reported vulnerability requires immediate patching for affected Spring Security 7.x deployments.

Information Disclosure Java Red Hat
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

JWT token validation bypass in Spring Security allows authenticated attackers to forge or manipulate JWT tokens when NimbusJwtDecoder or NimbusReactiveJwtDecoder is used without explicit OAuth2TokenValidator configuration, enabling unauthorized access to protected resources. The vulnerability affects Spring Security versions 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.9, and 7.0.0-7.0.4. CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) reflects network-accessible exploitation requiring low-privilege authentication and high attack complexity.

Information Disclosure Java Red Hat
NVD VulDB HeroDevs
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass via user impersonation affects Spring Security 7.0.0 through 7.0.4, where the SubjectX500PrincipalExtractor mishandles malformed CN values in X.509 client certificates and extracts the wrong username. Authenticated attackers presenting a carefully crafted certificate can be authenticated as a different (potentially higher-privileged) user. No public exploit identified at time of analysis; EPSS is very low (0.02%) and CISA SSVC marks exploitation as none.

Information Disclosure Java Spring Security
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Spring Security's DaoAuthenticationProvider can leak timing information about user account status when applications rely on UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked attributes for user validation. This allows remote attackers to enumerate disabled, expired, or locked accounts through timing analysis of authentication responses across affected versions 5.7.0-5.7.22, 5.8.0-5.8.24, 6.3.0-6.3.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. No public exploit code or active exploitation has been identified at this time.

Authentication Bypass Java
NVD VulDB HeroDevs
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Denial Of Service Java
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Denial Of Service Oracle Java +3
NVD VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Denial Of Service Oracle Java +2
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Denial Of Service Oracle Java
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java +4
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

Authentication Bypass Oracle Java +2
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Oracle Java Privilege Escalation
NVD VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).

Denial Of Service Oracle Java +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Information Disclosure Java
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Time-of-check Time-of-use (TOCTOU) race condition in Spring Security's JdbcOneTimeTokenService allows unauthenticated remote attackers to bypass one-time token validation and gain unauthorized access. Affected versions include 6.4.0-6.4.15, 6.5.0-6.5.9, and 7.0.0-7.0.4. The vulnerability requires explicit configuration of One-Time Token login and involves high attack complexity, limiting real-world exploitation despite network accessibility.

Information Disclosure Java
NVD VulDB HeroDevs
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Spinnaker's Echo service (all versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2) allows authenticated attackers with low privileges to execute arbitrary system commands and access files through unrestricted Spring Expression Language (SPeL) injection in artifact processing. Unlike Spinnaker's Orca service which implemented SPeL sandbox restrictions, Echo permits full JVM class access, enabling attackers to invoke arbitrary Java classes for deep system compromise. The CVSS 9.9 score reflects network attack vector with low complexity, scope change to impact other components, and complete CIA triad compromise. EPSS and KEV data not available - exploitation status unknown but patches are available from Spinnaker project.

Code Injection Java RCE
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in Junrar library versions prior to 7.5.10 allows remote attackers to write arbitrary files into sibling directories by extracting a crafted RAR archive, enabling unauthorized file creation and potential code injection. The vulnerability requires high attack complexity (AC:H) but no authentication or user interaction, affecting any Java application using vulnerable Junrar versions to process untrusted RAR files. Vendor-released patch: version 7.5.10.

Path Traversal Java Junrar
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in Mogu Blog v2 up to version 5.2 allows unauthenticated remote attackers to initiate arbitrary HTTP requests from the affected server through the picture upload functionality. The vulnerability exists in the LocalFileServiceImpl.uploadPictureByUrl method within the Picture Storage Service component, enabling attackers to access internal services, scan internal networks, or exfiltrate sensitive data. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

SSRF Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote authenticated path traversal in SonicCloudOrg sonic-server up to version 2.0.0 allows attackers with low-level privileges to manipulate the Type parameter in the File Upload Endpoint (FileTool.java) to traverse the filesystem and read or write arbitrary files. The vulnerability has publicly available exploit code and affects all versions up to 2.0.0; the vendor has not responded to early disclosure attempts, leaving no patch available.

File Upload Path Traversal Java
NVD VulDB GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).

Information Disclosure Java Open Redirect +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /datasource/getTableField endpoint. The getTableFiledSql method in CalciteProvider.java incorporates the tableName parameter directly into SQL query strings using String.format without parameterization or sanitization. Although DatasourceServer.java validates that the table name exists in the datasource, an attacker can bypass this by first registering an API datasource with a malicious deTableName, which is then returned by getTables and passes the validation check. An authenticated attacker can execute arbitrary SQL commands, enabling error-based extraction of sensitive database information. This issue has been fixed in version 2.10.21.

Java SQLi
NVD GitHub
Prev Page 4 of 37 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy