Skip to main content

Java

3270 CVEs product

Monthly

CVE-2025-64518 Maven HIGH PATCH This Month

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12925 MEDIUM POC This Week

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-12924 MEDIUM POC This Month

A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224.java. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-63690 CRITICAL POC Act Now

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Java Tomcat Pig
NVD GitHub
CVSS 3.1
9.1
EPSS
1.3%
CVE-2025-63687 MEDIUM POC This Week

An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64164 HIGH POC PATCH This Week

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Oracle Java Dataease
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-20354 CRITICAL This Week

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Cisco Authentication Bypass Java Unified Contact Center Express
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-12623 LOW Monitor

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-12305 LOW POC Monitor

Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.

Java Deserialization Shiyi Blog
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-12304 LOW Monitor

Improper authorization in TIME-SEA-PLUS PayController.java alipayIsSucceed function allows authenticated remote attackers to disclose sensitive information related to order status handling. The vulnerability affects versions up to commit fb299162f18498dd9cf17da906886d80a077d53b, with publicly available exploit code disclosed but low real-world exploitation probability (EPSS 0.03%). Attack requires valid user credentials and network access but does not enable privilege escalation or data modification.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-61748 LOW CISA Monitor

Unauthorized data modification in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows remote unauthenticated attackers to alter sensitive data through APIs and multiple protocols via difficult-to-exploit integrity bypass. Affected versions include Java SE 21.0.8 and 25, GraalVM for JDK 21.0.8, and GraalVM Enterprise Edition 21.3.15. The vulnerability carries a low EPSS score (0.03%, 10th percentile) and no active exploitation has been identified, indicating limited real-world priority despite network accessibility.

Authentication Bypass Oracle Java Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-53066 HIGH PATCH CISA This Week

Unauthorized data access in Oracle Java SE JAXP component allows remote unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication, low complexity, and can occur through web services supplying malicious data to JAXP APIs or via sandboxed Java Web Start/applet deployments loading untrusted code. Oracle released patches in October 2025 Critical Patch Update with EPSS data unavailable at time of analysis. CVSS 7.5 reflects pure confidentiality impact with network attack vector.

Authentication Bypass Oracle Information Disclosure Java Graalvm +5
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53057 MEDIUM PATCH CISA This Month

Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.

Authentication Bypass Oracle Java Graalvm Graalvm For Jdk +4
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-60828 MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-11406 LOW Monitor

Information disclosure in kaifangqian-base's SysUserController.getAllUsers endpoint allows authenticated remote attackers to retrieve sensitive user data. The vulnerability affects the function up to commit 7b3faecda13848b3ced6c17c7423b76c5b47b8ab and requires login credentials (PR:L in CVSS 4.0), limiting exposure to authenticated users. Public exploit code exists, but the low CVSS score (2.1) and minimal EPSS percentile (8%) suggest limited real-world exploitation despite public availability.

Information Disclosure Java
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11321 LOW Monitor

Authorization bypass in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to manipulate the subjectId parameter in WrongBookController.java to access unauthorized resources. The vulnerability has a low CVSS score (2.1) due to limited confidentiality impact and requirement for prior authentication, but publicly available exploit code exists and the attack vector is entirely network-accessible.

Java Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11320 LOW Monitor

Unrestricted file upload in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to upload arbitrary files via the uploadFile function in UploadController.java, potentially enabling remote code execution or system compromise. The vulnerability has publicly disclosed exploit code available. Despite a low CVSS score of 2.1 reflecting limited direct impact scope, the presence of public exploits and authentication bypass tags suggests practical exploitation risk in environments where attacker access is feasible.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-11289 LOW POC Monitor

Stored cross-site scripting (XSS) in westboy CicadasCMS Template Management Page allows high-privileged users to inject malicious scripts via the Save function in TemplateFileServiceImpl.java, affecting downstream users who interact with stored templates. The vulnerability requires high privileges and user interaction but carries CVSS 1.9 due to minimal integrity impact; however, publicly available exploit code exists, indicating real disclosure despite extremely low exploitation probability (EPSS 0.03%).

Java XSS Cicadascms
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-54086 LOW PATCH Monitor

CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attack complexity is low, there are no attack requirements, the privileges required are low and no user interaction is required. Impact to confidentiality is low, there is no impact to integrity or availability.

Privilege Escalation Java
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-59407 CRITICAL POC Act Now

Hardcoded cryptographic key in Flock Safety DetectionProcessing app for ANPR. PoC available.

Information Disclosure Java Flock Safety Android
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-11226 Maven HIGH PATCH This Week

Arbitrary code execution in QOS.CH logback-core through 1.5.18 allows attackers with write access to a logback configuration file (or the ability to set environment variables) to execute Java code via the conditional configuration feature when the Janino library and Spring Framework are also on the classpath. No public exploit identified at time of analysis and EPSS is low (0.06%), but the issue is tagged as RCE in widely deployed Java logging infrastructure and a vendor patch is available.

RCE Java
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-59954 CRITICAL POC PATCH Act Now

Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Java Code Injection Apache Knowage
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-59952 Maven HIGH PATCH This Month

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Red Hat
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-57266 CRITICAL This Week

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-11080 LOW Monitor

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-5717 MEDIUM This Month

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Java Api Control Plane Api Manager +2
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-59432 Maven MEDIUM PATCH This Month

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Red Hat Suse
NVD GitHub
CVSS 4.0
6.6
EPSS
0.1%
CVE-2024-13990 CRITICAL This Week

MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Java
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-57644 CRITICAL This Week

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java RCE SSRF Authentication Bypass Information Disclosure +1
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2025-10671 LOW Monitor

A vulnerability has been found in youth-is-as-pale-as-poetry e-learning 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-54467 Go MEDIUM PATCH This Month

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10492 Maven HIGH PATCH CISA This Month

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java Jasperreports Io Jasperreports Library +3
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2025-41243 Maven CRITICAL POC PATCH Act Now

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Java Spring
NVD
CVSS 3.1
10.0
EPSS
5.5%
CVE-2025-44034 HIGH POC This Week

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the alph parameters in src/main/Java/cn/gson/oasys/controller/address/AddrController. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Java RCE SQLi Oa System
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-41249 Maven HIGH PATCH This Month

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java Spring Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-41248 Maven HIGH PATCH This Month

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java Spring Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-10473 LOW POC Monitor

A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-10394 LOW POC Monitor

A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-10252 LOW Monitor

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.

Deserialization Java
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-42944 CRITICAL This Week

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization SAP Java
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-42927 LOW Monitor

SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

Java Adobe OpenSSL SAP Information Disclosure
NVD
CVSS 3.1
3.4
EPSS
0.0%
CVE-2025-42926 MEDIUM PATCH This Month

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass SAP Java Netweaver Application Server Java
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-42925 MEDIUM Monitor

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Java
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-42922 CRITICAL This Week

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection Java
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-10080 LOW Monitor

A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-36100 MEDIUM PATCH This Month

IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0 Java and JMS. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required.

Information Disclosure IBM Java Mq
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-32322 HIGH This Week

In onCreate of MediaProjectionPermissionActivity.java , there is a possible way to grant a malicious app a token enabling unauthorized screen recording capabilities due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-40664 MEDIUM This Month

In setupAccessibilityServices of AccessibilityFragment.java , there is a possible way to hide an enabled accessibility service due to a logic error in the code. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Android Google
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2025-48535 HIGH PATCH This Week

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-48529 MEDIUM PATCH This Month

In setRingtoneUri of VoicemailNotificationSettingsUtil.java , there is a possible cross user data leak due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Java Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-48526 MEDIUM PATCH This Month

In createMultiProfilePagerAdapter of ChooserActivity.java , there is a possible way for an app to launch the ChooserActivity in another profile due to improper input validation. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-26454 HIGH PATCH This Month

In validateUriSchemeAndPermission of DisclaimersParserImpl.java , there is a possible way to access data from another user due to a confused deputy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-22441 HIGH This Month

In getContextForResourcesEnsuringCorrectCachedApkPaths of RemoteViews.java, there is a possible way to load arbitrary java code in a privileged context due to a confused deputy. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-32312 HIGH PATCH This Month

In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-26426 MEDIUM This Month

In BroadcastController.java of registerReceiverWithFeatureTraced, there is a possible way to receive broadcasts meant for the "android" package due to improper input validation. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Google Privilege Escalation Java Android
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-26420 MEDIUM PATCH Monitor

In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-7388 HIGH This Month

It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Java
NVD
CVSS 3.1
8.4
EPSS
0.2%
CVE-2025-9785 HIGH This Month

PaperCut Print Deploy is an optional component that integrates with PaperCut NG/MF which simplifies printer deployment and management. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java
NVD
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-22439 HIGH This Week

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-22416 HIGH This Week

In onCreate of ChooserActivity.java , there is a possible way to view other users' images due to a confused deputy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-9796 LOW POC PATCH Monitor

A vulnerability was found in thinkgem JeeSite up to 5.12.1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2024-28988 CRITICAL PATCH Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java Web Help Desk
NVD
CVSS 3.1
9.8
EPSS
8.9%
CVE-2025-9795 LOW POC Monitor

A vulnerability has been found in xujeff tianti 天梯 up to 2.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-44033 CRITICAL POC Act Now

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE SQLi Oa System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-9650 LOW Monitor

A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-58059 Maven CRITICAL PATCH This Week

Valtimo is a platform for Business Process Automation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Information Disclosure Java
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-0082 MEDIUM This Month

In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Java Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9461 LOW Monitor

A weakness has been identified in diyhi bbs up to 6.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-9406 LOW POC Monitor

A weakness has been identified in xuhuisheng lemon up to 1.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-9340 Maven NONE PATCH

Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Rated low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Java
NVD GitHub
EPSS
0.0%
CVE-2025-9341 Maven MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Red Hat
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-55371 MEDIUM POC This Month

Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-55370 HIGH POC This Week

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-55368 HIGH POC This Week

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-55367 MEDIUM POC This Month

Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-55366 MEDIUM POC This Month

Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Privilege Escalation Java Jsherp
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-9264 Maven LOW POC PATCH Monitor

A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-9263 Maven LOW POC PATCH Monitor

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-9239 MEDIUM POC This Month

A vulnerability was identified in elunez eladmin up to 2.7. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Java Eladmin
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2024-39954 Maven MEDIUM This Month

java on windows\linux\mac os e.g. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Microsoft SSRF Eventmesh Windows +1
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-9148 LOW Monitor

A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-41242 Maven MEDIUM POC PATCH This Month

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Tomcat Java Path Traversal Apache Spring +1
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-9092 Maven LOW PATCH Monitor

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Rated low severity (CVSS 1.0), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Java
NVD GitHub
CVSS 4.0
1.0
EPSS
0.0%
CVE-2025-8974 LOW POC Monitor

A vulnerability was determined in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-8965 LOW POC Monitor

A vulnerability has been found in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-8930 LOW POC Monitor

A vulnerability was found in code-projects Medical Store Management System 1.0.java of the component Update Company Page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-8928 LOW POC Monitor

A vulnerability was identified in code-projects Medical Store Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-8916 Maven MEDIUM PATCH CISA This Month

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2025-8885 Maven MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Red Hat Suse
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-8841 LOW POC Monitor

A vulnerability was identified in zlt2000 microservices-platform up to 6.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Java Red Hat
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC This Week

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224.java. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub VulDB
EPSS 1% CVSS 9.1
CRITICAL POC Act Now

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Java Tomcat +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Week

An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Forest
NVD GitHub
EPSS 0% CVSS 8.9
HIGH POC PATCH This Week

Dataease is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Oracle Java +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Cisco Authentication Bypass +2
NVD
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects required authenticated access and limited scope, but the combination of public exploit availability, demonstrated deserialization flaw, and network accessibility creates moderate operational risk despite the low severity rating.

Java Deserialization Shiyi Blog
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Improper authorization in TIME-SEA-PLUS PayController.java alipayIsSucceed function allows authenticated remote attackers to disclose sensitive information related to order status handling. The vulnerability affects versions up to commit fb299162f18498dd9cf17da906886d80a077d53b, with publicly available exploit code disclosed but low real-world exploitation probability (EPSS 0.03%). Attack requires valid user credentials and network access but does not enable privilege escalation or data modification.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Unauthorized data modification in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows remote unauthenticated attackers to alter sensitive data through APIs and multiple protocols via difficult-to-exploit integrity bypass. Affected versions include Java SE 21.0.8 and 25, GraalVM for JDK 21.0.8, and GraalVM Enterprise Edition 21.3.15. The vulnerability carries a low EPSS score (0.03%, 10th percentile) and no active exploitation has been identified, indicating limited real-world priority despite network accessibility.

Authentication Bypass Oracle Java +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthorized data access in Oracle Java SE JAXP component allows remote unauthenticated attackers to exfiltrate sensitive information from multiple Java platforms including Oracle Java SE (8u461 through 25), GraalVM for JDK (17.0.16, 21.0.8), and GraalVM Enterprise Edition (21.3.15). Exploitation requires no authentication, low complexity, and can occur through web services supplying malicious data to JAXP APIs or via sandboxed Java Web Start/applet deployments loading untrusted code. Oracle released patches in October 2025 Critical Patch Update with EPSS data unavailable at time of analysis. CVSS 7.5 reflects pure confidentiality impact with network attack vector.

Authentication Bypass Oracle Information Disclosure +7
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Improper access control in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated remote attackers to create, delete, or modify critical data when APIs in the Security component are exposed via web services or similar mechanisms. The vulnerability affects Java 8u461 through 25 and carries a CVSS 5.9 with high integrity impact, though exploitation is difficult (AC:H) and no public exploit or active KEV status has been confirmed.

Authentication Bypass Oracle Java +6
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Information disclosure in kaifangqian-base's SysUserController.getAllUsers endpoint allows authenticated remote attackers to retrieve sensitive user data. The vulnerability affects the function up to commit 7b3faecda13848b3ced6c17c7423b76c5b47b8ab and requires login credentials (PR:L in CVSS 4.0), limiting exposure to authenticated users. Public exploit code exists, but the low CVSS score (2.1) and minimal EPSS percentile (8%) suggest limited real-world exploitation despite public availability.

Information Disclosure Java
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Authorization bypass in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to manipulate the subjectId parameter in WrongBookController.java to access unauthorized resources. The vulnerability has a low CVSS score (2.1) due to limited confidentiality impact and requirement for prior authentication, but publicly available exploit code exists and the attack vector is entirely network-accessible.

Java Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW Monitor

Unrestricted file upload in zhuimengshaonian wisdom-education up to version 1.0.4 allows authenticated remote attackers to upload arbitrary files via the uploadFile function in UploadController.java, potentially enabling remote code execution or system compromise. The vulnerability has publicly disclosed exploit code available. Despite a low CVSS score of 2.1 reflecting limited direct impact scope, the presence of public exploits and authentication bypass tags suggests practical exploitation risk in environments where attacker access is feasible.

Java Authentication Bypass File Upload
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Stored cross-site scripting (XSS) in westboy CicadasCMS Template Management Page allows high-privileged users to inject malicious scripts via the Save function in TemplateFileServiceImpl.java, affecting downstream users who interact with stored templates. The vulnerability requires high privileges and user interaction but carries CVSS 1.9 due to minimal integrity impact; however, publicly available exploit code exists, indicating real disclosure despite extremely low exploitation probability (EPSS 0.03%).

Java XSS Cicadascms
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java keystore file. The attack complexity is low, there are no attack requirements, the privileges required are low and no user interaction is required. Impact to confidentiality is low, there is no impact to integrity or availability.

Privilege Escalation Java
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Hardcoded cryptographic key in Flock Safety DetectionProcessing app for ANPR. PoC available.

Information Disclosure Java Flock Safety +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary code execution in QOS.CH logback-core through 1.5.18 allows attackers with write access to a logback configuration file (or the ability to set environment variables) to execute Java code via the conditional configuration feature when the Janino library and Spring Framework are also on the classpath. No public exploit identified at time of analysis and EPSS is low (0.06%), but the issue is tagged as RCE in widely deployed Java logging infrastructure and a vendor patch is available.

RCE Java
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Java Code Injection +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Red Hat
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Java +4
NVD
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Red Hat +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL This Week

MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Java
NVD
EPSS 1% CVSS 9.1
CRITICAL This Week

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java RCE SSRF +3
NVD
EPSS 0% CVSS 2.9
LOW Monitor

A vulnerability has been found in youth-is-as-pale-as-poetry e-learning 1.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java Suse
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Month

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java +5
NVD
EPSS 5% CVSS 10.0
CRITICAL POC PATCH Act Now

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Java +1
NVD
EPSS 0% CVSS 8.0
HIGH POC This Week

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the alph parameters in src/main/Java/cn/gson/oasys/controller/address/AddrController. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Java RCE SQLi +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java Spring +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Java Spring +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW Monitor

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. Rated low severity (CVSS 2.3), this vulnerability is no authentication required. No vendor patch available.

Deserialization Java
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL This Week

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Deserialization SAP +1
NVD
EPSS 0% CVSS 3.4
LOW Monitor

SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would. Rated low severity (CVSS 3.4), this vulnerability is low attack complexity. No vendor patch available.

Java Adobe OpenSSL +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass SAP Java +1
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure SAP Java
NVD
EPSS 0% CVSS 9.9
CRITICAL This Week

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE SAP Code Injection +1
NVD
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0 Java and JMS. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required.

Information Disclosure IBM Java +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In onCreate of MediaProjectionPermissionActivity.java , there is a possible way to grant a malicious app a token enabling unauthorized screen recording capabilities due to improper input validation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

In setupAccessibilityServices of AccessibilityFragment.java , there is a possible way to hide an enabled accessibility service due to a logic error in the code. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Android +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In setRingtoneUri of VoicemailNotificationSettingsUtil.java , there is a possible cross user data leak due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Java Android +1
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

In createMultiProfilePagerAdapter of ChooserActivity.java , there is a possible way for an app to launch the ChooserActivity in another profile due to improper input validation. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Month

In validateUriSchemeAndPermission of DisclaimersParserImpl.java , there is a possible way to access data from another user due to a confused deputy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 7.3
HIGH This Month

In getContextForResourcesEnsuringCorrectCachedApkPaths of RemoteViews.java, there is a possible way to load arbitrary java code in a privileged context due to a confused deputy. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Month

In createIntentsList of PackageParser.java , there is a possible way to bypass lazy bundle hardening, allowing modified data to be passed to the next process due to unsafe deserialization. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Java +2
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

In BroadcastController.java of registerReceiverWithFeatureTraced, there is a possible way to receive broadcasts meant for the "android" package due to improper input validation. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Google Privilege Escalation Java +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH Monitor

In multiple functions of GrantPermissionsActivity.java , there is a possible way to trick the user into granting the incorrect permission due to permission overload. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Month

It was possible to perform Remote Command Execution (RCE) via Java RMI interface in the OpenEdge AdminServer, allowing authenticated users to inject and execute OS commands under the delegated. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Java
NVD
EPSS 0% CVSS 7.7
HIGH This Month

PaperCut Print Deploy is an optional component that integrates with PaperCut NG/MF which simplifies printer deployment and management. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Java
NVD
EPSS 0% CVSS 7.3
HIGH This Week

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Java +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In onCreate of ChooserActivity.java , there is a possible way to view other users' images due to a confused deputy. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Java Android +1
NVD
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

A vulnerability was found in thinkgem JeeSite up to 5.12.1. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java XSS
NVD GitHub VulDB
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

RCE Deserialization Java +1
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in xujeff tianti 天梯 up to 2.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java RCE SQLi +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Java
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

Valtimo is a platform for Business Process Automation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Information Disclosure Java
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Java Android +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A weakness has been identified in diyhi bbs up to 6.8. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A weakness has been identified in xuhuisheng lemon up to 1.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
EPSS 0%
NONE PATCH

Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Rated low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Java
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Red Hat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Jsherp
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Privilege Escalation Java +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Java
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability was identified in elunez eladmin up to 2.7. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Java Eladmin
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

java on windows\linux\mac os e.g. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Microsoft SSRF +3
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java SQLi
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Tomcat Java Path Traversal +3
NVD GitHub
EPSS 0% CVSS 1.0
LOW PATCH Monitor

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Rated low severity (CVSS 1.0), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Java
NVD GitHub
EPSS 0% CVSS 2.9
LOW POC Monitor

A vulnerability was determined in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Java
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability has been found in linlinjava litemall up to 1.8.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was found in code-projects Medical Store Management System 1.0.java of the component Update Company Page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in code-projects Medical Store Management System 1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Java SQLi
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Java Red Hat +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in zlt2000 microservices-platform up to 6.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass File Upload Java
NVD GitHub VulDB
Prev Page 8 of 37 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy