Skip to main content

Red Hat Jboss Enterprise Application Platform 7

4 CVEs product

Monthly

CVE-2025-12799 MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-28369 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28367 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-28368 Maven CRITICAL GHSA Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-site scripting in Jastow - the JSP implementation layer embedded within Red Hat JBoss Enterprise Application Platform alongside Undertow - allows unauthenticated remote attackers to inject and execute malicious scripts when a specific combination of configurations permits unescaped characters to pass through URL processing. Affected deployments span JBoss EAP 7, EAP 8, the Expansion Pack, and linked products such as Red Hat Single Sign-On 7 that share this component. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Red Hat Jboss Enterprise Application Platform 7 Red Hat Jboss Enterprise Application Platform 8 +3
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass +13
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy