The Network · 2026-03-05 10:29:23 · ai
A critical severity vulnerability, CVE-2013-7285, has been detected in the XStream library version 1.4.5.jar. XStream is a widely used Java library for serializing objects to XML and back. The vulnerability affects XStream API versions up to 1.4.6 and version 1.4.10. The core issue is that if the library's security fra...
The Lab · 2026-03-25 13:27:23 · GitHub Issues
A newly disclosed vulnerability in the HTTP/2 protocol, dubbed 'MadeYouReset,' has triggered a critical security update for a core Java networking library. The flaw, cataloged as CVE-2025-55163, is a logical vulnerability that enables a novel form of DDoS attack. It exploits malformed HTTP/2 control frames to bypass th...
The Lab · 2026-03-26 05:27:06 · GitHub Issues
A direct dependency scan has flagged the Apache Log4j library version 2.8.2 as containing two critical, actively exploitable vulnerabilities. The most severe, CVE-2021-44228, carries a maximum CVSS severity score of 10.0, indicating a flaw that is trivial to exploit and can lead to complete system compromise. The secon...
The Lab · 2026-03-26 07:27:06 · GitHub Issues
A privilege-escalation vulnerability that allows arbitrary code execution has been confirmed in the configuration-file handling of the Java logging library logback-core. The issue, identified as CVE-2025-11226, opens the possibility that an attacker could take control of the application under specific conditions by tampering with an existing configuration file or injecting malicious environment variables. The severity is rated MEDIUM, but the risk becomes real in environments where the Spring Framework and the Janino library are present on the classpath.
The vulnerability affects logback-core, provided by QOS.CH, up to and including version 1.5.18. For an attack to succeed, the attacker must ... the configuration file...
The Lab · 2026-03-26 18:27:32 · GitHub Issues
A critical security flaw has been identified in the widely used Pebble Java templating engine, version 3.2.0. The vulnerability, rated with a severity score of 6.8 (Medium), is confirmed as reachable within the application's codebase, posing a direct risk of exploitation. This is not a theoretical threat; the vulnerabl...
The Lab · 2026-03-26 18:27:33 · GitHub Issues
A security scan has flagged a medium-severity vulnerability (CVSS 5.3) within the `alpine-common-2.2.0.jar` library, revealing a reachable security flaw in a widely used software component. The vulnerability originates from a transitive dependency, `commons-lang3-3.12.0.jar`, which is pulled in via the project's `/pom....
The Lab · 2026-03-26 18:27:35 · GitHub Issues
Version 20220924 of the widely used Java JSON processing library `org.json:json` has been confirmed to contain two security vulnerabilities, the highest rated 7.5 (High). The flaws reside directly in the core library file `json-20220924.jar`, meaning any project that depends on this version may be exposed to remote code execution or denial-of-service attacks.
The vulnerability details show that the affected library is JSON-java, the reference implementation maintained by Douglas Crockford, a lightweight data-interchange library referenced by a large number of projects in the Java ecosystem. The scan path points to the standard location of the local Maven repository, confirming how common this dependency is. The library's functionality includes conversion between JSON and XML, HTTP headers, and cookies; if these functions contain vulnerabilities, they may...
The Lab · 2026-03-27 03:27:02 · GitHub Issues
A critical vulnerability in a widely used Java library allows attackers to execute arbitrary code on affected systems. The flaw, tracked as CVE-2025-67030, is a Directory Traversal vulnerability in the `extractFile` method of `org.codehaus.plexus.util.Expand` within the `plexus-utils` library. This vulnerability enable...
The Lab · 2026-03-27 07:26:54 · GitHub Issues
A critical security flaw in a library management system's API allows any attacker to bypass access controls and retrieve the entire dataset of borrow records simply by sending an invalid query parameter. The vulnerability, classified as HIGH severity, resides in the `BorrowController.java` file where a silent exception...
The Lab · 2026-03-27 18:27:36 · GitHub Issues
A critical security vulnerability in the widely used Jackson Core library allows attackers to bypass a key defense mechanism. The non-blocking (async) JSON parser fails to enforce the `maxNumberLength` constraint, a limit designed to prevent denial-of-service attacks. This flaw, tracked as GHSA-72hv-8253-57qq, means an...
The Lab · 2026-03-28 00:27:08 · GitHub Issues
The core Spring Boot ecosystem dependency `spring-boot-starter-web-2.7.1.jar` has been flagged by a security scanning tool as containing 18 security vulnerabilities, the highest with a severity score of 9.8 (CVSS v3), rated Critical. The finding points directly to the underlying library `spring-web-5.3.21.jar` pulled in via the project's `/pom.xml`, indicating a significant security risk in a widely used enterprise development framework component.
The vulnerability details give the affected library path as `/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.21/spring-web-5.3.21.jar`. The issue has already ... in the GitHub repo...
The Lab · 2026-03-28 03:26:55 · GitHub Issues
A critical vulnerability in a widely used Java networking library opens systems to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.130.Final. It is classified under CWE-770, indicating an "Allocation of Resources W...
The Lab · 2026-03-28 03:26:57 · GitHub Issues
A critical security flaw, designated CVE-2026-33870, has been disclosed in the widely used `io.netty:netty-codec-http` library. The vulnerability, classified as an 'Inconsistent Interpretation of HTTP Requests' or HTTP request/response smuggling (CWE-444), allows attackers to bypass security controls and potentially po...
The Lab · 2026-03-28 03:26:59 · GitHub Issues
A critical vulnerability has been disclosed in a widely used Java networking library, exposing countless applications to potential denial-of-service attacks. The flaw, tracked as CVE-2026-33871, resides in the `io.netty:netty-codec-http2` component, specifically version 4.1.131.Final. It is classified under CWE-770, re...
The Lab · 2026-03-28 03:27:00 · GitHub Issues
A critical security vulnerability, designated CVE-2026-33870, has been disclosed in the widely used `io.netty:netty-codec-http` library. The flaw, classified as an 'Inconsistent Interpretation of HTTP Requests' or HTTP request/response smuggling (CWE-444), allows attackers to bypass security controls and potentially po...
The Lab · 2026-03-28 12:27:02 · GitHub Issues
The core Spring Boot ecosystem dependency `spring-boot-starter-web-3.1.0.jar` has been flagged by a security scanning tool as containing 13 security vulnerabilities, the highest with a severity score of 8.1 (High). The key point is that these vulnerabilities are marked as "Reachable", meaning an attacker could potentially trigger them through specific paths in the application, rather than them merely existing somewhere in the dependency tree. The vulnerability details point to the underlying dependency `spring-webmvc-6.0.9.jar`, indicating that the root cause lies in the Spring Framework's Web MVC module.
The most serious of the disclosed vulnerabilities is CVE-2024-22262, with a CVSS score of 8.1, classified as High. The security report provides detailed vulnerability...
The Lab · 2026-03-28 12:27:03 · GitHub Issues
A critical security scan has flagged the widely used Spring Boot Actuator starter library, version 3.1.0, as containing three vulnerabilities, with the highest severity scoring 8.2 on the CVSS scale. This finding, reported via a GitHub issue, highlights a significant potential exposure in a core component designed to p...
The Lab · 2026-03-28 22:26:56 · GitHub Issues
A critical security vulnerability has been patched in the widely used Java testing library, AssertJ Core. The library's latest version, 3.27.7, addresses a dangerous XML External Entity (XXE) flaw present in the previous release, 3.27.6. This type of vulnerability allows attackers to potentially read sensitive files fr...
The Lab · 2026-03-30 05:27:04 · GitHub Issues
A critical out-of-bounds read vulnerability in the libpng library, tracked as CVE-2025-66293, exposes systems to potential data leakage. The flaw resides in libpng's simplified API and allows attackers to read up to 1012 bytes of memory beyond the bounds of a specific internal array. Crucially, this vulnerability can b...
The Lab · 2026-03-31 09:27:12 · GitHub Issues
A critical security flaw in the widely used Netty networking library opens the door for HTTP request smuggling attacks. The vulnerability, tracked as CVE-2026-33870, stems from an inconsistency in how the `netty-codec-http` component interprets HTTP requests. This weakness, classified under CWE-444, allows a malicious ...