Skip to main content

Pac4J

2 CVEs product

Monthly

CVE-2026-40458 Maven HIGH PATCH GHSA This Week

CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.

CSRF Pac4J
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2019-10755 Maven MEDIUM PATCH This Month

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Java Information Disclosure Apache Pac4J
NVD
CVSS 3.1
4.9
EPSS
1.1%
EPSS 0% CVSS 7.0
HIGH PATCH This Week

CSRF protection bypass in PAC4J authentication library allows remote attackers to forge state-changing requests without victim consent by exploiting hash collisions in Java's String.hashCode() function. Affects PAC4J 5.x before 5.7.10 and 6.x before 6.4.1, requiring victim interaction (visiting malicious site). EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). CERT-PL disclosed the vulnerability with vendor patches now available.

CSRF Pac4J
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Java Information Disclosure Apache +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy