Skip to main content

Java

3270 CVEs product

Monthly

CVE-2026-40882 Maven HIGH PATCH GHSA This Week

### Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. ### Details Velbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities. ```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) { return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` ### PoC 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> ### Impact - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-3505 Maven HIGH PATCH GHSA This Week

Pre-authentication resource exhaustion in Bouncy Castle BC-JAVA PGP modules (bcpg) allows remote attackers to trigger denial-of-service by exploiting unbounded AEAD chunk sizes, affecting all versions before 1.84. The maximum CVSS 4.0 score of 10.0 reflects complete compromise potential across confidentiality, integrity, and availability with no attack complexity, no authentication requirements, and network-based exploitation. No public exploit identified at time of analysis, though the attack s

Denial Of Service Java Bc Java
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-5588 Maven MEDIUM PATCH This Month

Signature verification bypass in Bouncy Castle BC-JAVA (bcpkix module versions 1.49-1.83) allows remote unauthenticated attackers to forge cryptographic signatures by submitting empty signature sequences that are incorrectly accepted as valid by the draft CompositeVerifier implementation. This critical flaw (CVSS 4.0: 10.0) enables complete subversion of digital signature trust chains, potentially allowing authentication bypass, code signing forgery, and man-in-the-middle attacks against Java ap

Java Information Disclosure Bc Java
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-5598 Maven HIGH PATCH GHSA This Week

Non-constant time comparison operations in the Legion of the Bouncy Castle BC-JAVA cryptographic library (core modules, versions 2.17.3 through 1.83) expose FrodoKEM private keys to timing side-channel attacks, enabling remote unauthenticated attackers to extract cryptographic secrets through statistical analysis of operation timing variations. CVSS 4.0 score of 10.0 reflects maximum confidentiality and integrity impact across system and subsequent contexts. EPSS probability is low (0.04%, 14th percentile) and no active exploitation is confirmed, but SSVC framework rates this as automatable with total technical impact. Vendor patch available in BC-JAVA 1.84.

Java Information Disclosure Bc Java
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-0636 Maven MEDIUM PATCH GHSA This Month

LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r

Java LDAP Code Injection Bc Java
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14813 Maven CRITICAL PATCH GHSA Act Now

GOST CTR block cipher in Bouncy Castle BC-JAVA processes only the first 255 blocks correctly, causing silent data corruption in encryption/decryption operations for longer messages. Affects BC-JAVA versions 1.59 through 1.83, with fix available in version 1.84. Local attack vector (CVSS AV:L) with critical CVSS 9.4 score reflects potential for both confidentiality and integrity compromise when applications process GOST-encrypted data streams exceeding 255 blocks (~4KB). No KEV listing or public

Java Information Disclosure Bc Java
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-39842 Maven CRITICAL PATCH GHSA Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Information Disclosure RCE Apple Docker Deserialization +5
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27674 MEDIUM This Month

Cross-site scripting via code injection in SAP NetWeaver Application Server Java Web Dynpro allows unauthenticated remote attackers to inject arbitrary client-side code through crafted input, compromising user sessions and application data integrity when victims interact with the affected functionality. CVSS 6.1 (medium) reflects the requirement for user interaction and limited scope, but exploitation is straightforward with no authentication needed and low attack complexity.

SAP Code Injection RCE Java
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6220 LOW POC Monitor

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-35582 Maven HIGH PATCH GHSA This Week

Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.

Denial Of Service Command Injection Docker Java Microsoft
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-25204 MEDIUM This Month

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

Deserialization Samsung Denial Of Service Java
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-6105 MEDIUM This Month

Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.

Java Information Disclosure
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40180 Maven HIGH POC PATCH This Week

Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.

Java Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-34477 Maven MEDIUM POC PATCH This Month

Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.

Apache Java Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-22750 Maven HIGH PATCH GHSA This Week

SSL bundle configuration bypass in VMware Spring Cloud Gateway 4.2.0 allows unaneticated remote attackers to compromise integrity through forced fallback to default SSL settings. When administrators configure custom SSL bundles via spring.ssl.bundle property, the framework silently ignores this configuration and applies insecure defaults instead, enabling man-in-the-middle attacks against intended encrypted communications. Affects Spring Cloud Gateway 4.2.0 with no public exploit identified at time of analysis.

Information Disclosure Java
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5987 LOW Monitor

Improper neutralization of special elements in FreeMarker template processing within Sanluan PublicCMS up to version 6.202506.d allows high-privileged remote attackers to cause information disclosure through manipulation of the AbstractFreemarkerView.doRender function. The vulnerability has a CVSS score of 5.1 with publicly available exploit code, though exploitation requires administrative privileges (PR:H). CISA KEV status not confirmed; however, the disclosure of exploit code and vendor non-response indicate moderate real-world risk despite the high privilege requirement.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-35568 Maven HIGH PATCH GHSA This Week

DNS rebinding in Model Context Protocol (MCP) Java SDK before v1.0.0 enables remote attackers to invoke arbitrary tool calls on local or network-private MCP servers via a victim's browser. The SDK failed to validate Origin headers per MCP specification requirements, violating mandatory server-side protections against cross-origin attacks. Exploitation requires social engineering (victim visits malicious site), but grants full tool invocation privileges as if the attacker were a locally authorized AI agent. Patch available in v1.0.0. No public exploit identified at time of analysis, but attack technique is well-understood (DNS rebinding). EPSS data not available; authentication requirements not confirmed from available data.

Nginx Information Disclosure Java
NVD GitHub
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-5736 Maven MEDIUM GHSA This Month

SQL injection in PowerJob 5.1.0 through 5.1.2 allows remote attackers to execute arbitrary SQL queries via the customQuery parameter in the detailPlus endpoint of InstanceController.java, potentially enabling unauthorized data access or modification. The vulnerability is remotely exploitable without authentication (CVSS 6.9, EPSS P), with a GitHub pull request indicating a fix is under review but not yet released as a patched version.

Java SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33439 Maven CRITICAL POC PATCH GHSA Act Now

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Deserialization RCE Java Apache Tomcat +3
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-35554 Maven HIGH PATCH GHSA This Week

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Information Disclosure Memory Corruption Apache Use After Free Deserialization +3
NVD HeroDevs
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34197 Maven HIGH POC KEV PATCH THREAT NEWS GHSA Act Now

Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(

Apache Java RCE Apache Activemq Broker Apache Activemq
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
Threat
4.8
CVE-2026-31271 CRITICAL Act Now

Unauthenticated account creation bypass in megagao production_ssm v1.0 allows remote attackers to create super administrator accounts via direct API access to /user/insert endpoint. The UserController.java insert() method processes account creation requests without authentication enforcement (CVSS vector PR:N confirms unauthenticated access). Successful exploitation grants full administrative control, enabling attackers to compromise confidentiality, integrity, and availability of the entire application. No public exploit identified at time of analysis.

Authentication Bypass Java N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31272 CRITICAL Act Now

Unauthenticated super administrator account creation in MRCMS 3.1.2 allows remote attackers to bypass all access controls and add privileged accounts directly via UserController.save() method. The vulnerability exposes full system compromise through network-accessible endpoints requiring no prior authentication. CVSS 9.8 critical severity reflects unrestricted administrative takeover. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).

Authentication Bypass Java
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-35515 npm MEDIUM PATCH GHSA This Month

NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.

XSS Java Red Hat
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-5616 MEDIUM PATCH This Month

Missing authentication in JeecgBoot 3.9.0 and 3.9.1 allows unauthenticated remote attackers to access the AI Chat Module functionality without credential verification. The vulnerability resides in JeecgBizToolsProvider.java within the jeecg-module-system component. Vendor-released patches are available via GitHub commits (b7c9aeba and 2c1cc88b) pending inclusion in the next official release. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) with no authentication required (PR:N) indicate trivial exploitation potential.

Authentication Bypass Java
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-5535 LOW POC Monitor

Path traversal in FedML-AI FedML up to version 0.8.9 allows authenticated remote attackers to read arbitrary files via manipulation of the dataSet argument in the MQTT Message Handler (FileUtils.java component). The vulnerability has a CVSS score of 4.3 and publicly available exploit code exists; however, it requires low-privilege authentication and provides only information disclosure without modification or availability impact. The vendor did not respond to early disclosure efforts.

Path Traversal Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5462 LOW POC Monitor

Wahoo Fitness SYSTM App on Android up to version 7.2.1 exposes a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to manipulate app arguments and potentially inject malicious data or alter user profiles. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and has publicly available exploit code; however, the vendor has not responded to early disclosure notifications.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5458 LOW POC Monitor

Noelse Individuals & Pro App for Android versions up to 2.1.7 uses a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to perform information disclosure and potential data injection attacks. The vulnerability requires local access and authenticated user privileges on the device, with publicly available exploit code demonstrating the attack. Despite early vendor notification, no patch or response has been provided.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5457 LOW POC Monitor

PropertyGuru AgentNet Singapore App versions up to 23.7.10 on Android expose hard-coded cryptographic keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component, allowing local authenticated attackers to conduct information disclosure and data injection attacks. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and publicly available exploit code exists; however, the vendor has not responded to early disclosure efforts.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5456 LOW POC Monitor

Align Technology My Invisalign App 3.12.4 on Android exposes a hard-coded cryptographic key in the BuildConfig.java component that can be extracted via manipulation of the CDAACCESS_TOKEN argument, allowing local attackers with limited user privileges to obtain sensitive credentials. The vulnerability carries a low CVSS score (1.9) due to local-only attack vector and minimal confidentiality impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5453 LOW POC Monitor

Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5452 LOW POC Monitor

UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.

Information Disclosure Java Google
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5420 LOW POC Monitor

Hard-coded cryptographic keys in Shinrays Games Goods Triple App up to version 1.200 allow local authenticated users to decrypt sensitive data by manipulating AES_IV and AES_PASSWORD parameters in the jRwTX.java component. The vulnerability requires local access and elevated privileges but has low complexity once exploited; publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Java Information Disclosure
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-5418 MEDIUM POC This Month

Server-side request forgery (SSRF) in Appsmith Dashboard component allows unauthenticated remote attackers to manipulate the computeDisallowedHosts function in WebClientUtils.java, enabling unauthorized server-side requests. Affecting all versions through 1.97, this vulnerability carries moderate real-world risk (CVSS 6.9, EPSS P) with publicly available exploit code. Vendor released patched version 1.99 and responded professionally to early disclosure.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5328 LOW POC PATCH Monitor

SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploitation probability noted (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.

Java SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5259 LOW POC Monitor

Server-side request forgery in AutohomeCorp frostmourne up to version 1.0 allows authenticated remote attackers to manipulate the Alarm Preview component via an unknown function in AlarmController.java, enabling arbitrary HTTP requests from the vulnerable server with potential to access internal resources, leak sensitive data, or interact with backend systems. Publicly available exploit code exists; CVSS 6.3 reflects moderate severity with low attack complexity and limited impact scope.

SSRF Java
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-28228 HIGH PATCH This Week

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

Java Tomcat Ssti Code Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-34237 Maven MEDIUM PATCH GHSA This Month

Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.

Java Cors Misconfiguration Information Disclosure Python
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34361 Maven CRITICAL PATCH GHSA Act Now

Server-Side Request Forgery (SSRF) in HAPI FHIR Validator HTTP service leaks authentication credentials for configured FHIR package registries to attacker-controlled domains. The unauthenticated `/loadIG` endpoint accepts arbitrary URLs, and a flawed `startsWith()` prefix matching logic in credential provider causes Bearer tokens, Basic auth, and API keys to be sent to domains like `packages.fhir.org.attacker.com` when legitimate servers like `packages.fhir.org` are configured. No public exploit identified at time of analysis, but EPSS score and detailed proof-of-concept in advisory indicate high weaponization potential. CVSS 9.3 (Critical) reflects scope change — stolen credentials compromise external FHIR registries and clinical data repositories beyond the vulnerable validator.

Java SSRF
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-34360 Maven MEDIUM PATCH GHSA This Month

Server-side request forgery (SSRF) in FHIR Validator HTTP service allows unauthenticated remote attackers to probe internal network services and cloud metadata endpoints via the /loadIG endpoint, which accepts arbitrary URLs without hostname or domain validation. The vulnerability defaults to allowing all outbound requests, and redirect following bypasses even configured domain restrictions. With the explore=true default setting, each request amplifies reconnaissance capability through multiple outbound HTTP calls, enabling blind network topology mapping and metadata service access.

SSRF Java Microsoft
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-34359 Maven HIGH PATCH GHSA This Week

Authentication credential theft in HAPI FHIR Core library allows network attackers to intercept Bearer tokens, Basic auth credentials, and API keys through malicious URL prefix matching. The vulnerable `ManagedWebAccessUtils.getServer()` method uses unsafe `String.startsWith()` checks without host boundary validation, causing credentials configured for `http://tx.fhir.org` to be dispatched to attacker-controlled domains like `http://tx.fhir.org.attacker.com` when HTTP redirects occur. Affects Maven packages `ca.uhn.hapi.fhir:org.hl7.fhir.core` and `ca.uhn.hapi.fhir:org.hl7.fhir.utilities`. CVSS 7.4 (High) reflects network attack vector with high attack complexity requiring redirect manipulation. EPSS data not available; no confirmed active exploitation (CISA KEV), but detailed proof-of-concept code demonstrates the exploit chain through both SimpleHTTPClient and OkHttp redirect paths.

Java Information Disclosure
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2017-20227 CRITICAL POC PATCH Act Now

JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Memory Corruption Java Buffer Overflow
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-4954 LOW POC Monitor

SQL injection in mingSoft MCMS 5.5.0 allows authenticated remote attackers to manipulate the Web Content List Endpoint (ContentAction.java) and execute arbitrary database queries, potentially leading to unauthorized data disclosure, modification, or deletion. The vulnerability requires low-privilege authentication (CVSS PR:L) and has publicly available exploit code disclosed on GitHub, making it an active threat to deployed MCMS instances.

SQLi Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4953 MEDIUM POC This Month

Server-side request forgery in mingSoft MCMS versions through 5.5.0 enables remote unauthenticated attackers to force the application server to make arbitrary HTTP requests to internal or external systems via the catchimage parameter in the Editor Endpoint's catchImage function. Publicly available exploit code exists (GitHub POC published), increasing immediate risk. The CVSS score of 7.3 reflects network-based attack vector with no authentication required and impacts to confidentiality, integrity, and availability.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-22744 Maven HIGH PATCH GHSA This Week

Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).

Java Redis Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22743 Maven HIGH PATCH GHSA This Week

Cypher injection in Spring AI Neo4j vector store (versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3) allows unauthenticated remote attackers to access confidential data stored in Neo4j databases. The vulnerability exists in Neo4jVectorFilterExpressionConverter where user-controlled filter expression keys are embedded into Cypher property accessors without proper backtick escaping, enabling attackers to break out of the intended property context and execute arbitrary Cypher queries. CVSS score of 7.5 reflects high confidentiality impact with network accessibility and low attack complexity, though no public exploit has been identified at time of analysis.

Java SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22742 Maven HIGH PATCH GHSA This Week

Server-Side Request Forgery in Spring AI Bedrock Converse module enables unauthenticated remote attackers to force the application server to issue HTTP requests to arbitrary internal or external destinations by supplying malicious media URLs in multimodal messages. Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 are affected. The vulnerability carries a CVSS score of 8.6 with high confidentiality impact and changed scope, indicating potential access to internal network resources. No public exploit identified at time of analysis.

Java SSRF
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-22738 Maven CRITICAL PATCH NEWS GHSA Act Now

Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction according to the CVSS vector (AV:N/AC:L/PR:N/UI:N).

Java RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33871 Maven HIGH PATCH This Week

Netty HTTP/2 servers can be rendered unresponsive by remote attackers flooding CONTINUATION frames with zero-byte payloads, bypassing existing header size limits and exhausting CPU resources. The affected package is io.netty:netty-codec-http2 (tracked via GitHub Security Advisory GHSA-w9fj-cfpg-grvv). Authentication requirements are not confirmed from available data. No public exploit identified at time of analysis, though the technical details provided in the advisory enable straightforward reproduction. The low bandwidth requirement for this CPU-based denial of service makes it highly practical for disrupting services at scale.

Java Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-33728 Maven CRITICAL PATCH GHSA Act Now

Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. Vendor-released patch: version 1.60.3. No public exploit identified at time of analysis, though the issue was responsibly disclosed through DataDog's bug bounty program by Mohamed Amine ait Ouchebou.

RCE Java Deserialization
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-4860 MEDIUM POC This Month

A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.

Java Redis Deserialization
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-33701 Maven CRITICAL PATCH NEWS Act Now

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.

RCE Java Deserialization
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-4741 HIGH PATCH This Week

Path traversal in JoyConDroid through version 1.0.93 allows unauthenticated remote attackers to access arbitrary files on affected systems through improper pathname validation in the UnzipUtil module. An attacker can exploit this vulnerability to read sensitive data and potentially modify files, achieving high integrity and availability impact. A patch is available for this high-severity vulnerability affecting Java and Joycondroid users.

Java Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-4735 HIGH PATCH This Week

A deserialization of untrusted data vulnerability exists in DTStack chunjun versions prior to 1.16.1, specifically in the GsonUtil.java module within chunjun-core. An attacker can exploit this CWE-502 flaw to execute arbitrary code by crafting malicious serialized objects that are processed during deserialization. The vulnerability is reportedly patched as of version 1.16.1, with a patch available from the vendor via GitHub pull request #1939.

Deserialization Java
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-22739 Maven HIGH POC PATCH This Week

Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. With a CVSS score of 8.6 indicating high confidentiality impact with some integrity and availability impact, and network-based attack vector requiring no authentication, this represents a significant information disclosure risk for exposed Config Server instances.

Java Path Traversal
NVD HeroDevs VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-4597 LOW POC Monitor

SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.

SQLi Java
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4594 MEDIUM POC This Month

SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.

SQLi Java
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4593 LOW POC Monitor

SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4586 LOW POC Monitor

An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.

Java File Upload
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4495 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the CommentApiController.java file's create function, allowing authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing comments. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 3.5 due to low impact scope; however, a public proof-of-concept exploit is available and the vulnerability has been disclosed, increasing real-world exploitation risk despite the low severity rating.

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4494 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the TopicApiController.java create function that allows authenticated attackers to inject malicious scripts into topic creation requests. The vulnerability affects all versions of the pybbs application matching the CPE cpe:2.3:a:atjiu:pybbs:*:*:*:*:*:*:*:*, and while the CVSS score of 3.5 is low, a publicly available proof-of-concept exploit has been disclosed, indicating active research and potential real-world exploitation risk.

XSS Java
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-33013 Maven HIGH PATCH GHSA This Week

The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.

Java Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32939 HIGH PATCH This Week

DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22737 Maven MEDIUM PATCH This Month

Spring Framework applications using Java scripting engines (JRuby, Jython) for template views in Spring MVC or Spring WebFlux can leak sensitive file contents from outside intended directories through path traversal. Affected versions include 7.0.0-7.0.5, 6.2.0-6.2.16, 6.1.0-6.1.25, and 5.3.0-5.3.46, with no patch currently available. An unauthenticated remote attacker can read arbitrary files on the system with confidentiality impact.

Java Path Traversal
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-22735 Maven LOW PATCH Monitor

CVE-2026-22735 is a security vulnerability (CVSS 2.6). Remediation should follow standard vulnerability management procedures.

Java Information Disclosure
NVD HeroDevs VulDB
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-22733 Maven HIGH PATCH This Week

This is an authentication bypass vulnerability in Spring Boot applications using Spring Security with Actuator endpoints. When an authenticated application endpoint is declared under the CloudFoundry Actuator path, attackers can bypass authentication requirements and gain unauthorized access to protected resources. The vulnerability affects multiple versions of Spring Security from 2.7.0 through 4.0.3 and carries a high CVSS score of 8.2, though no active exploitation or proof-of-concept has been reported.

Authentication Bypass Java
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-22732 Maven CRITICAL POC PATCH Act Now

Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.

Java Information Disclosure
NVD VulDB HeroDevs GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-22731 Maven HIGH PATCH GHSA This Week

Spring Boot Actuator endpoints can be bypassed for authentication when application endpoints are configured under Health Group paths in versions 4.0 before 4.0.3, 3.5 before 3.5.11, and 3.4 before 3.4.15. An unauthenticated attacker can exploit this path-based misconfiguration to gain unauthorized access to protected resources with high confidence in authentication bypass and partial information disclosure. No patch is currently available.

Authentication Bypass Java
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-33306 Ruby MEDIUM PATCH This Month

JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.

Java Integer Overflow Buffer Overflow Red Hat bcrypt
NVD GitHub VulDB
CVSS 4.0
4.5
EPSS
0.0%
CVE-2026-3511 HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.

XXE Java Authentication Bypass SSRF Autogram
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-32735 LOW PATCH Monitor

A security vulnerability in version 5.1.1 and (CVSS 2.3) that allows users. Remediation should follow standard vulnerability management procedures.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-33166 Maven HIGH PATCH This Week

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Jenkins Path Traversal Information Disclosure Java
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-22729 Maven HIGH PATCH This Week

Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.

Java Authentication Bypass
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-22730 Maven HIGH PATCH This Week

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.

Java SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3207 HIGH PATCH This Week

Unauthenticated attackers can gain unauthorized access to TIBCO BPM Enterprise 4.x through a misconfigured Java Management Extensions (JMX) interface, potentially allowing full system compromise. This vulnerability affects the availability, integrity, and confidentiality of affected systems with no patch currently available.

Java Authentication Bypass
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4285 LOW Monitor

A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433.

Path Traversal Java
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-4284 LOW Monitor

The PPT File Handler in taoofagi easegen-admin contains a server-side request forgery vulnerability in the downloadFile function that allows authenticated remote attackers to manipulate file URLs and access arbitrary network resources. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates despite notification. The flaw affects Java-based deployments using the affected rolling release version.

SSRF Java
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4243 LOW Monitor

A weakness has been identified in La Nacion App 10.2.25 on Android.

Java Authentication Bypass Google
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-25534 Maven CRITICAL PATCH Act Now

Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Patched versions are available, and affected deployments can temporarily disable the vulnerable components as a workaround.

SSRF Java
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4242 LOW POC Monitor

A security vulnerability in A security flaw (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure Java
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4219 LOW POC Monitor

A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.

Google Authentication Bypass Java
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4218 LOW POC Monitor

A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.

Information Disclosure Java Google
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4217 LOW POC Monitor

A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.

Java Google Information Disclosure
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4215 LOW POC Monitor

Server-side request forgery in FlowCI flow-core-x up to version 1.23.01 allows authenticated remote attackers to conduct SSRF attacks through the SMTP Host Handler configuration function. Public exploit code exists for this vulnerability and the vendor has not released a patch. An attacker with valid credentials can manipulate the system to make arbitrary outbound requests from the affected server.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4201 MEDIUM POC This Month

An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.

Java File Upload
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4200 MEDIUM POC This Month

Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.

Java SSRF
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4173 LOW POC Monitor

CodePhiliaX Chat2DB versions up to 0.3.7 contain a SQL injection vulnerability in the Database Export Handler component (DMDBManage.java) affecting multiple export functions. An authenticated attacker with low privileges can remotely exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts.

SQLi Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3968 LOW Monitor

AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.

Java Information Disclosure Oracle
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3967 LOW Monitor

Unsafe deserialization in Alfresco Activiti up to versions 7.19 and 8.8.0 allows authenticated remote attackers to achieve arbitrary code execution through the Process Variable Serialization System component. An attacker with valid credentials can manipulate serialized objects during deserialization to execute malicious code on the affected system. Public exploit code is available and no patch has been released by the vendor.

Java Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3966 LOW Monitor

Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 7.6
HIGH PATCH This Week

### Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. ### Details Velbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities. ```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) { return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` ### PoC 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> ### Impact - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.

XXE SSRF Java
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Pre-authentication resource exhaustion in Bouncy Castle BC-JAVA PGP modules (bcpg) allows remote attackers to trigger denial-of-service by exploiting unbounded AEAD chunk sizes, affecting all versions before 1.84. The maximum CVSS 4.0 score of 10.0 reflects complete compromise potential across confidentiality, integrity, and availability with no attack complexity, no authentication requirements, and network-based exploitation. No public exploit identified at time of analysis, though the attack s

Denial Of Service Java Bc Java
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Signature verification bypass in Bouncy Castle BC-JAVA (bcpkix module versions 1.49-1.83) allows remote unauthenticated attackers to forge cryptographic signatures by submitting empty signature sequences that are incorrectly accepted as valid by the draft CompositeVerifier implementation. This critical flaw (CVSS 4.0: 10.0) enables complete subversion of digital signature trust chains, potentially allowing authentication bypass, code signing forgery, and man-in-the-middle attacks against Java ap

Java Information Disclosure Bc Java
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Non-constant time comparison operations in the Legion of the Bouncy Castle BC-JAVA cryptographic library (core modules, versions 2.17.3 through 1.83) expose FrodoKEM private keys to timing side-channel attacks, enabling remote unauthenticated attackers to extract cryptographic secrets through statistical analysis of operation timing variations. CVSS 4.0 score of 10.0 reflects maximum confidentiality and integrity impact across system and subsequent contexts. EPSS probability is low (0.04%, 14th percentile) and no active exploitation is confirmed, but SSVC framework rates this as automatable with total technical impact. Vendor patch available in BC-JAVA 1.84.

Java Information Disclosure Bc Java
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r

Java LDAP Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

GOST CTR block cipher in Bouncy Castle BC-JAVA processes only the first 255 blocks correctly, causing silent data corruption in encryption/decryption operations for longer messages. Affects BC-JAVA versions 1.59 through 1.83, with fix available in version 1.84. Local attack vector (CVSS AV:L) with critical CVSS 9.4 score reflects potential for both confidentiality and integrity compromise when applications process GOST-encrypted data streams exceeding 255 blocks (~4KB). No KEV listing or public

Java Information Disclosure Bc Java
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c

Information Disclosure RCE Apple +7
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting via code injection in SAP NetWeaver Application Server Java Web Dynpro allows unauthenticated remote attackers to inject arbitrary client-side code through crafted input, compromising user sessions and application data integrity when victims interact with the affected functionality. CVSS 6.1 (medium) reflects the requirement for user interaction and limited scope, but exploitation is straightforward with no authentication needed and low attack complexity.

SAP Code Injection RCE +1
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.

Denial Of Service Command Injection Docker +2
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Deserialization of untrusted data in Samsung Open Source Escargot JavaScript engine prior to commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 allows local attackers without privileges to trigger a denial of service condition via process abort. The vulnerability exploits unsafe deserialization of Java objects, resulting in application termination rather than code execution. No public exploit code or active exploitation has been identified at the time of analysis.

Deserialization Samsung Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Improper authorization in perfree go-fastdfs-web up to version 1.3.7 allows remote unauthenticated attackers to access the doInstall interface in InstallController.java, potentially disclosing sensitive information or manipulating system configuration. The vulnerability has been publicly disclosed with exploit code available; however, the vendor has not responded to early disclosure notifications and no official patch has been released.

Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

Path traversal vulnerability in Quarkus OpenAPI Generator (Quarkiverse) versions prior to 2.16.0 and 2.15.0-lts allows unauthenticated remote attackers to write arbitrary files outside intended directories via malicious ZIP archives. The ApicurioCodegenWrapper.java unzip() method fails to validate file paths during extraction, enabling path traversal sequences (../../) to bypass output directory restrictions and achieve arbitrary file write with high integrity impact. No public exploit identified at time of analysis. Affects Java-based Quarkus extensions for REST client and server stub generation.

Java Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Man-in-the-middle attacks are possible in Apache Log4j Core through 2.25.3 when SMTP, Socket, or Syslog appenders use TLS with the verifyHostName attribute configured in the <Ssl> element, because the attribute was silently ignored despite being available since version 2.12.0. This is a regression from an incomplete fix to CVE-2025-68161 that only addressed hostname verification via system property. An attacker with a certificate from a trusted CA can intercept TLS connections. Apache has released patched version 2.25.4 to correct this issue.

Apache Java Information Disclosure
NVD GitHub VulDB HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SSL bundle configuration bypass in VMware Spring Cloud Gateway 4.2.0 allows unaneticated remote attackers to compromise integrity through forced fallback to default SSL settings. When administrators configure custom SSL bundles via spring.ssl.bundle property, the framework silently ignores this configuration and applies insecure defaults instead, enabling man-in-the-middle attacks against intended encrypted communications. Affects Spring Cloud Gateway 4.2.0 with no public exploit identified at time of analysis.

Information Disclosure Java
NVD HeroDevs
EPSS 0% CVSS 2.0
LOW Monitor

Improper neutralization of special elements in FreeMarker template processing within Sanluan PublicCMS up to version 6.202506.d allows high-privileged remote attackers to cause information disclosure through manipulation of the AbstractFreemarkerView.doRender function. The vulnerability has a CVSS score of 5.1 with publicly available exploit code, though exploitation requires administrative privileges (PR:H). CISA KEV status not confirmed; however, the disclosure of exploit code and vendor non-response indicate moderate real-world risk despite the high privilege requirement.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

DNS rebinding in Model Context Protocol (MCP) Java SDK before v1.0.0 enables remote attackers to invoke arbitrary tool calls on local or network-private MCP servers via a victim's browser. The SDK failed to validate Origin headers per MCP specification requirements, violating mandatory server-side protections against cross-origin attacks. Exploitation requires social engineering (victim visits malicious site), but grants full tool invocation privileges as if the attacker were a locally authorized AI agent. Patch available in v1.0.0. No public exploit identified at time of analysis, but attack technique is well-understood (DNS rebinding). EPSS data not available; authentication requirements not confirmed from available data.

Nginx Information Disclosure Java
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

SQL injection in PowerJob 5.1.0 through 5.1.2 allows remote attackers to execute arbitrary SQL queries via the customQuery parameter in the detailPlus endpoint of InstanceController.java, potentially enabling unauthorized data access or modification. The vulnerability is remotely exploitable without authentication (CVSS 6.9, EPSS P), with a GitHub pull request indicating a fix is under review but not yet released as a patched version.

Java SQLi
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue

Deserialization RCE Java +5
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Buffer use-after-free in Apache Kafka Java producer client (versions ≤3.9.1, ≤4.0.1, ≤4.1.1) can silently route messages to incorrect topics when batch expiration races with in-flight network requests. CVSS 8.7 (High) with network-accessible attack vector and high complexity. CISA SSVC indicates no active exploitation, non-automatable attack, and partial technical impact. No public exploit identified at time of analysis. EPSS data not provided, but the combination of high CVSS, cross-scope impact (S:C), and dual confidentiality/integrity impact warrants prioritization for environments processing sensitive message streams.

Information Disclosure Memory Corruption Apache +5
NVD HeroDevs
EPSS 0% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec(

Apache Java RCE +2
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated account creation bypass in megagao production_ssm v1.0 allows remote attackers to create super administrator accounts via direct API access to /user/insert endpoint. The UserController.java insert() method processes account creation requests without authentication enforcement (CVSS vector PR:N confirms unauthenticated access). Successful exploitation grants full administrative control, enabling attackers to compromise confidentiality, integrity, and availability of the entire application. No public exploit identified at time of analysis.

Authentication Bypass Java N A
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated super administrator account creation in MRCMS 3.1.2 allows remote attackers to bypass all access controls and add privileged accounts directly via UserController.save() method. The vulnerability exposes full system compromise through network-accessible endpoints requiring no prior authentication. CVSS 9.8 critical severity reflects unrestricted administrative takeover. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).

Authentication Bypass Java
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

NestJS Core's Server-Sent Events (SSE) stream handler fails to sanitize newline characters in message type and ID fields, allowing remote attackers to inject arbitrary SSE events, spoof event types, and corrupt client reconnection state. Affected versions prior to @nestjs/core@11.1.18 are vulnerable when developers map user-controlled data to SSE message type or id fields. This mirrors a vulnerability patched in Spring Framework and can lead to event spoofing, data injection with XSS potential, and reconnection state corruption if client applications render SSE data without additional sanitization.

XSS Java Red Hat
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Missing authentication in JeecgBoot 3.9.0 and 3.9.1 allows unauthenticated remote attackers to access the AI Chat Module functionality without credential verification. The vulnerability resides in JeecgBizToolsProvider.java within the jeecg-module-system component. Vendor-released patches are available via GitHub commits (b7c9aeba and 2c1cc88b) pending inclusion in the next official release. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) with no authentication required (PR:N) indicate trivial exploitation potential.

Authentication Bypass Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Path traversal in FedML-AI FedML up to version 0.8.9 allows authenticated remote attackers to read arbitrary files via manipulation of the dataSet argument in the MQTT Message Handler (FileUtils.java component). The vulnerability has a CVSS score of 4.3 and publicly available exploit code exists; however, it requires low-privilege authentication and provides only information disclosure without modification or availability impact. The vendor did not respond to early disclosure efforts.

Path Traversal Java
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Wahoo Fitness SYSTM App on Android up to version 7.2.1 exposes a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to manipulate app arguments and potentially inject malicious data or alter user profiles. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and has publicly available exploit code; however, the vendor has not responded to early disclosure notifications.

Google Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Noelse Individuals & Pro App for Android versions up to 2.1.7 uses a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to perform information disclosure and potential data injection attacks. The vulnerability requires local access and authenticated user privileges on the device, with publicly available exploit code demonstrating the attack. Despite early vendor notification, no patch or response has been provided.

Google Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

PropertyGuru AgentNet Singapore App versions up to 23.7.10 on Android expose hard-coded cryptographic keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component, allowing local authenticated attackers to conduct information disclosure and data injection attacks. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and publicly available exploit code exists; however, the vendor has not responded to early disclosure efforts.

Google Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Align Technology My Invisalign App 3.12.4 on Android exposes a hard-coded cryptographic key in the BuildConfig.java component that can be extracted via manipulation of the CDAACCESS_TOKEN argument, allowing local attackers with limited user privileges to obtain sensitive credentials. The vulnerability carries a low CVSS score (1.9) due to local-only attack vector and minimal confidentiality impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Google Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.

Google Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.

Information Disclosure Java Google
NVD VulDB
EPSS 0% CVSS 1.1
LOW POC Monitor

Hard-coded cryptographic keys in Shinrays Games Goods Triple App up to version 1.200 allow local authenticated users to decrypt sensitive data by manipulating AES_IV and AES_PASSWORD parameters in the jRwTX.java component. The vulnerability requires local access and elevated privileges but has low complexity once exploited; publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery (SSRF) in Appsmith Dashboard component allows unauthenticated remote attackers to manipulate the computeDisallowedHosts function in WebClientUtils.java, enabling unauthorized server-side requests. Affecting all versions through 1.97, this vulnerability carries moderate real-world risk (CVSS 6.9, EPSS P) with publicly available exploit code. Vendor released patched version 1.99 and responded professionally to early disclosure.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

SQL injection in shsuishang modulithshop allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the sidx/sort parameter in the ProductItemDao Interface listItem function, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability affects the rolling-release product across an unspecified version range; publicly available exploit code exists. CVSS 6.3 with exploitation probability noted (E:P), and a patch is available via upstream commit 42bcb9463425d1be906c3b290cf29885eb5a2324.

Java SQLi
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in AutohomeCorp frostmourne up to version 1.0 allows authenticated remote attackers to manipulate the Alarm Preview component via an unknown function in AlarmController.java, enabling arbitrary HTTP requests from the vulnerable server with potential to access internal resources, leak sensitive data, or interact with backend systems. Publicly available exploit code exists; CVSS 6.3 reflects moderate severity with low attack complexity and limited impact scope.

SSRF Java
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Server-side template injection in OpenOlat e-learning platform versions prior to 19.1.31, 20.1.18, and 20.2.5 enables authenticated users with Author role to execute arbitrary operating system commands via crafted Velocity directives in reminder email templates. Exploitation requires low-privilege authentication (PR:L) but is network-accessible (AV:N) with low complexity (AC:L), achieving full system compromise (C:H/I:H/A:H). The vulnerability leverages Java reflection through Velocity templates to instantiate ProcessBuilder and execute commands with Tomcat process privileges, often root in containerized environments. EPSS data not provided; no CISA KEV status confirmed; publicly available exploit code exists per GitHub security advisory disclosure.

Java Tomcat Ssti +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.

Java Cors Misconfiguration Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Server-Side Request Forgery (SSRF) in HAPI FHIR Validator HTTP service leaks authentication credentials for configured FHIR package registries to attacker-controlled domains. The unauthenticated `/loadIG` endpoint accepts arbitrary URLs, and a flawed `startsWith()` prefix matching logic in credential provider causes Bearer tokens, Basic auth, and API keys to be sent to domains like `packages.fhir.org.attacker.com` when legitimate servers like `packages.fhir.org` are configured. No public exploit identified at time of analysis, but EPSS score and detailed proof-of-concept in advisory indicate high weaponization potential. CVSS 9.3 (Critical) reflects scope change — stolen credentials compromise external FHIR registries and clinical data repositories beyond the vulnerable validator.

Java SSRF
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in FHIR Validator HTTP service allows unauthenticated remote attackers to probe internal network services and cloud metadata endpoints via the /loadIG endpoint, which accepts arbitrary URLs without hostname or domain validation. The vulnerability defaults to allowing all outbound requests, and redirect following bypasses even configured domain restrictions. With the explore=true default setting, each request amplifies reconnaissance capability through multiple outbound HTTP calls, enabling blind network topology mapping and metadata service access.

SSRF Java Microsoft
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Authentication credential theft in HAPI FHIR Core library allows network attackers to intercept Bearer tokens, Basic auth credentials, and API keys through malicious URL prefix matching. The vulnerable `ManagedWebAccessUtils.getServer()` method uses unsafe `String.startsWith()` checks without host boundary validation, causing credentials configured for `http://tx.fhir.org` to be dispatched to attacker-controlled domains like `http://tx.fhir.org.attacker.com` when HTTP redirects occur. Affects Maven packages `ca.uhn.hapi.fhir:org.hl7.fhir.core` and `ca.uhn.hapi.fhir:org.hl7.fhir.utilities`. CVSS 7.4 (High) reflects network attack vector with high attack complexity requiring redirect manipulation. EPSS data not available; no confirmed active exploitation (CISA KEV), but detailed proof-of-concept code demonstrates the exploit chain through both SimpleHTTPClient and OkHttp redirect paths.

Java Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Memory Corruption Java +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in mingSoft MCMS 5.5.0 allows authenticated remote attackers to manipulate the Web Content List Endpoint (ContentAction.java) and execute arbitrary database queries, potentially leading to unauthorized data disclosure, modification, or deletion. The vulnerability requires low-privilege authentication (CVSS PR:L) and has publicly available exploit code disclosed on GitHub, making it an active threat to deployed MCMS instances.

SQLi Java
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in mingSoft MCMS versions through 5.5.0 enables remote unauthenticated attackers to force the application server to make arbitrary HTTP requests to internal or external systems via the catchimage parameter in the Editor Endpoint's catchImage function. Publicly available exploit code exists (GitHub POC published), increasing immediate risk. The CVSS score of 7.3 reflects network-based attack vector with no authentication required and impacts to confidentiality, integrity, and availability.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).

Java Redis Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cypher injection in Spring AI Neo4j vector store (versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3) allows unauthenticated remote attackers to access confidential data stored in Neo4j databases. The vulnerability exists in Neo4jVectorFilterExpressionConverter where user-controlled filter expression keys are embedded into Cypher property accessors without proper backtick escaping, enabling attackers to break out of the intended property context and execute arbitrary Cypher queries. CVSS score of 7.5 reflects high confidentiality impact with network accessibility and low attack complexity, though no public exploit has been identified at time of analysis.

Java SQLi
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-Side Request Forgery in Spring AI Bedrock Converse module enables unauthenticated remote attackers to force the application server to issue HTTP requests to arbitrary internal or external destinations by supplying malicious media URLs in multimodal messages. Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 are affected. The vulnerability carries a CVSS score of 8.6 with high confidentiality impact and changed scope, indicating potential access to internal network resources. No public exploit identified at time of analysis.

Java SSRF
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction according to the CVSS vector (AV:N/AC:L/PR:N/UI:N).

Java RCE
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Netty HTTP/2 servers can be rendered unresponsive by remote attackers flooding CONTINUATION frames with zero-byte payloads, bypassing existing header size limits and exhausting CPU resources. The affected package is io.netty:netty-codec-http2 (tracked via GitHub Security Advisory GHSA-w9fj-cfpg-grvv). Authentication requirements are not confirmed from available data. No public exploit identified at time of analysis, though the technical details provided in the advisory enable straightforward reproduction. The low bandwidth requirement for this CPU-based denial of service makes it highly practical for disrupting services at scale.

Java Denial Of Service
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution is possible in DataDog's dd-trace-java agent versions prior to 1.60.3 when running on JDK 16 or earlier with exposed JMX/RMI ports. The vulnerability stems from unsafe deserialization in the RMI instrumentation's custom endpoint, allowing network-accessible attackers to execute arbitrary code if gadget-chain libraries exist on the classpath. Vendor-released patch: version 1.60.3. No public exploit identified at time of analysis, though the issue was responsibly disclosed through DataDog's bug bounty program by Mohamed Amine ait Ouchebou.

RCE Java Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.

Java Redis Deserialization
NVD VulDB GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.

RCE Java Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Path traversal in JoyConDroid through version 1.0.93 allows unauthenticated remote attackers to access arbitrary files on affected systems through improper pathname validation in the UnzipUtil module. An attacker can exploit this vulnerability to read sensitive data and potentially modify files, achieving high integrity and availability impact. A patch is available for this high-severity vulnerability affecting Java and Joycondroid users.

Java Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

A deserialization of untrusted data vulnerability exists in DTStack chunjun versions prior to 1.16.1, specifically in the GsonUtil.java module within chunjun-core. An attacker can exploit this CWE-502 flaw to execute arbitrary code by crafting malicious serialized objects that are processed during deserialization. The vulnerability is reportedly patched as of version 1.16.1, with a patch available from the vendor via GitHub pull request #1939.

Deserialization Java
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. With a CVSS score of 8.6 indicating high confidentiality impact with some integrity and availability impact, and network-based attack vector requiring no authentication, this represents a significant information disclosure risk for exposed Config Server instances.

Java Path Traversal
NVD HeroDevs VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in the Stream Proxy Query Handler component of wvp-GB28181-pro up to version 2.7.4 allows authenticated remote attackers to execute arbitrary SQL queries and potentially read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The affected Java application processes unsanitized input in the selectAll function without proper parameterized queries.

SQLi Java
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in Erupt up to version 1.13.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through the sort.field parameter in the HQL query builder. Public exploit code exists for this vulnerability, and no patch is currently available. Affected Java applications using vulnerable versions of Erupt are at risk of data exfiltration and manipulation.

SQLi Java
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Erupt's MCP Tool Interface allows authenticated attackers to manipulate database queries through the EruptDataQuery component, potentially exposing or modifying sensitive data. The vulnerability affects Java-based Erupt deployments version 1.13.3 and has public exploit code available. No patch is currently available from the vendor, who has not responded to disclosure efforts.

Java SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

An unrestricted file upload vulnerability exists in CodePhiliaX Chat2DB versions up to 0.3.7 in the JDBC Driver Upload functionality, allowing authenticated attackers to upload arbitrary files to the server. The vulnerability affects the JdbcDriverController.java component and has a CVSS score of 6.3 (medium severity) with a public proof-of-concept exploit available, though the vendor has not responded to disclosure attempts.

Java File Upload
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the CommentApiController.java file's create function, allowing authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing comments. The vulnerability requires user interaction (UI:R per CVSS vector) but carries a low CVSS score of 3.5 due to low impact scope; however, a public proof-of-concept exploit is available and the vulnerability has been disclosed, increasing real-world exploitation risk despite the low severity rating.

Java XSS
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in atjiu pybbs 6.0.0 within the TopicApiController.java create function that allows authenticated attackers to inject malicious scripts into topic creation requests. The vulnerability affects all versions of the pybbs application matching the CPE cpe:2.3:a:atjiu:pybbs:*:*:*:*:*:*:*:*, and while the CVSS score of 3.5 is low, a publicly available proof-of-concept exploit has been disclosed, indicating active research and potential real-world exploitation risk.

XSS Java
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.

Java Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.

Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Spring Framework applications using Java scripting engines (JRuby, Jython) for template views in Spring MVC or Spring WebFlux can leak sensitive file contents from outside intended directories through path traversal. Affected versions include 7.0.0-7.0.5, 6.2.0-6.2.16, 6.1.0-6.1.25, and 5.3.0-5.3.46, with no patch currently available. An unauthenticated remote attacker can read arbitrary files on the system with confidentiality impact.

Java Path Traversal
NVD HeroDevs VulDB
EPSS 0% CVSS 2.6
LOW PATCH Monitor

CVE-2026-22735 is a security vulnerability (CVSS 2.6). Remediation should follow standard vulnerability management procedures.

Java Information Disclosure
NVD HeroDevs VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

This is an authentication bypass vulnerability in Spring Boot applications using Spring Security with Actuator endpoints. When an authenticated application endpoint is declared under the CloudFoundry Actuator path, attackers can bypass authentication requirements and gain unauthorized access to protected resources. The vulnerability affects multiple versions of Spring Security from 2.7.0 through 4.0.3 and carries a high CVSS score of 8.2, though no active exploitation or proof-of-concept has been reported.

Authentication Bypass Java
NVD VulDB HeroDevs
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Spring Security fails to properly write HTTP response headers in servlet applications across multiple versions (5.7.0-5.7.21, 5.8.0-5.8.23, 6.3.0-6.3.14, 6.4.0-6.4.14, 6.5.0-6.5.8, 7.0.0-7.0.3), allowing attackers to bypass security controls that rely on these headers such as HSTS, X-Frame-Options, or CSP policies. This header omission could enable various attacks including clickjacking, man-in-the-middle attacks, or other exploits depending on which protections are intended. No patch is currently available for this critical vulnerability.

Java Information Disclosure
NVD VulDB HeroDevs GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Spring Boot Actuator endpoints can be bypassed for authentication when application endpoints are configured under Health Group paths in versions 4.0 before 4.0.3, 3.5 before 3.5.11, and 3.4 before 3.4.15. An unauthenticated attacker can exploit this path-based misconfiguration to gain unauthorized access to protected resources with high confidence in authentication bypass and partial information disclosure. No patch is currently available.

Authentication Bypass Java
NVD VulDB HeroDevs
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.

Java Integer Overflow Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.

XXE Java Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

A security vulnerability in version 5.1.1 and (CVSS 2.3) that allows users. Remediation should follow standard vulnerability management procedures.

Java Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Jenkins Path Traversal Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.

Java Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.

Java SQLi
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Unauthenticated attackers can gain unauthorized access to TIBCO BPM Enterprise 4.x through a misconfigured Java Management Extensions (JMX) interface, potentially allowing full system compromise. This vulnerability affects the availability, integrity, and confidentiality of affected systems with no patch currently available.

Java Authentication Bypass
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433.

Path Traversal Java
NVD VulDB
EPSS 0% CVSS 2.0
LOW Monitor

The PPT File Handler in taoofagi easegen-admin contains a server-side request forgery vulnerability in the downloadFile function that allows authenticated remote attackers to manipulate file URLs and access arbitrary network resources. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates despite notification. The flaw affects Java-based deployments using the affected rolling release version.

SSRF Java
NVD VulDB
EPSS 0% CVSS 1.1
LOW Monitor

A weakness has been identified in La Nacion App 10.2.25 on Android.

Java Authentication Bypass Google
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Java URL parsing in Spinnaker's clouddriver and Orca components fails to properly validate URLs containing underscores, allowing authenticated attackers to bypass URL sanitation controls and potentially execute arbitrary code or access unauthorized resources. This vulnerability affects both the clouddriver artifact handling and Orca fromUrl expression evaluation in versions prior to 2025.2.4, 2025.3.1, 2025.4.1, and 2026.0.0. Patched versions are available, and affected deployments can temporarily disable the vulnerable components as a workaround.

SSRF Java
NVD GitHub VulDB
EPSS 0% CVSS 1.1
LOW POC Monitor

A security vulnerability in A security flaw (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure Java
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.

Google Authentication Bypass Java
NVD VulDB
EPSS 0% CVSS 1.1
LOW POC Monitor

A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.

Information Disclosure Java Google
NVD VulDB
EPSS 0% CVSS 1.1
LOW POC Monitor

A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.

Java Google Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in FlowCI flow-core-x up to version 1.23.01 allows authenticated remote attackers to conduct SSRF attacks through the SMTP Host Handler configuration function. Public exploit code exists for this vulnerability and the vendor has not released a patch. An attacker with valid credentials can manipulate the system to make arbitrary outbound requests from the affected server.

Java SSRF
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An unrestricted file upload vulnerability exists in the glowxq-oj online judge system that allows remote attackers without authentication to upload malicious files through the SysFileController Upload function. A proof-of-concept exploit is publicly available, and while not currently in CISA's KEV catalog, the vulnerability poses moderate risk with a CVSS score of 7.3 and publicly disclosed exploitation code.

Java File Upload
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Server-side request forgery in Glowxq OJ's test case upload functionality (ProblemCaseController.java) allows unauthenticated remote attackers to make arbitrary network requests from the affected server. Public exploit code is available and the vulnerability remains unpatched, with the vendor unresponsive to disclosure attempts.

Java SSRF
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

CodePhiliaX Chat2DB versions up to 0.3.7 contain a SQL injection vulnerability in the Database Export Handler component (DMDBManage.java) affecting multiple export functions. An authenticated attacker with low privileges can remotely exploit this vulnerability to execute arbitrary SQL commands, potentially compromising data confidentiality, integrity, and availability. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts.

SQLi Java
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.

Java Information Disclosure Oracle
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Unsafe deserialization in Alfresco Activiti up to versions 7.19 and 8.8.0 allows authenticated remote attackers to achieve arbitrary code execution through the Process Variable Serialization System component. An attacker with valid credentials can manipulate serialized objects during deserialization to execute malicious code on the affected system. Public exploit code is available and no patch has been released by the vendor.

Java Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.

Java SSRF
NVD GitHub VulDB
Prev Page 5 of 37 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy