WhisperX tag archive

#Java Security

This page collects WhisperX intelligence signals tagged #Java Security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (10)

The Lab · 2026-03-26 21:27:16 · GitHub Issues

1. Netty HTTP/2 Zero-Byte Frame Bypass Exposes Servers to DoS Flood (CVE-2026-33871)

A critical vulnerability in the widely-used Netty networking framework exposes HTTP/2 servers to a potent denial-of-service (DoS) attack. Tracked as CVE-2026-33871, the flaw allows a remote attacker to trigger a service outage by flooding a server with specially crafted CONTINUATION frames. The attack exploits a bypass...

The Lab · 2026-04-02 13:27:25 · GitHub Issues

2. High-Severity CVE-2020-24750 Exposes Widespread Jackson Databind Libraries

A high-severity vulnerability, CVE-2020-24750, has been detected across multiple versions of the widely used Jackson Databind library, signaling a persistent risk in software dependency chains. The flaw is present in core versions including 2.9.10.4, 2.9.2, 2.9.4, 2.9.10.5, and 2.4.2, all of which predate the fixed 2.9.10.6 release, indicating t...

The Lab · 2026-04-07 22:27:19 · GitHub Issues

3. Nimbus JOSE+JWT Library Exposed to DoS via Deeply Nested JSON in JWT Claims (CVE-2025-53864)

A critical vulnerability in the widely used Connect2id Nimbus JOSE+JWT library exposes systems to denial-of-service attacks through a simple, maliciously crafted JWT. The flaw, tracked as CVE-2025-53864, resides in the library's failure to enforce depth limits on nested JSON objects within JWT claim sets. An attacker c...
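As an added illustration (not code from the record above or from the Nimbus JOSE+JWT library): a pre-parse nesting guard that decodes the payload segment of a compact JWT and rejects it when object/array depth exceeds a limit, so a hostile claim set never reaches a recursive JSON parser. The class name, the MAX_DEPTH and MAX_TOKEN_CHARS constants, and the sample tokens are assumptions constructed here; the guard complements, and does not replace, upgrading to a fixed library release.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Pre-parse nesting guard for JWT claim sets (added example, not Nimbus code).
 * Scans the raw decoded payload and rejects it when object/array nesting
 * exceeds MAX_DEPTH, before any JSON parser recurses over it.
 */
public final class JwtDepthGuard {
    static final int MAX_DEPTH = 32;         // assumed limit; tune for your claim shapes
    static final int MAX_TOKEN_CHARS = 8192; // assumed size cap on the compact token

    /** Maximum nesting depth of a JSON text, ignoring brackets inside string literals. */
    static int nestingDepth(String json) {
        int depth = 0, max = 0;
        boolean inString = false, escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (escaped) { escaped = false; }
                else if (c == '\\') { escaped = true; }
                else if (c == '"') { inString = false; }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[': depth++; if (depth > max) max = depth; break;
                case '}': case ']': depth--; break;
                default: break;
            }
        }
        return max;
    }

    /** Decodes the payload segment of a compact JWS and applies size and depth limits. */
    static String checkedPayload(String compactJwt) {
        if (compactJwt.length() > MAX_TOKEN_CHARS) {
            throw new IllegalArgumentException("token exceeds " + MAX_TOKEN_CHARS + " chars");
        }
        String[] parts = compactJwt.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWS (expected 3 segments)");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        int depth = nestingDepth(payload);
        if (depth > MAX_DEPTH) {
            throw new IllegalArgumentException("claim set nesting " + depth + " exceeds " + MAX_DEPTH);
        }
        return payload; // safe to hand to the JSON parser and signature check
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary claim set and a 1,000-level nested one.
        String benign = "{\"sub\":\"alice\",\"roles\":[\"user\"],\"ctx\":{\"ip\":\"10.0.0.1\"}}";
        StringBuilder hostile = new StringBuilder("{\"a\":");
        for (int i = 0; i < 1_000; i++) hostile.append('[');
        for (int i = 0; i < 1_000; i++) hostile.append(']');
        hostile.append('}');

        // Unsigned tokens built only to exercise the guard; real tokens must still be verified.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        for (String body : new String[] { benign, hostile.toString() }) {
            String jwt = header + "." + enc.encodeToString(body.getBytes(StandardCharsets.UTF_8)) + ".";
            try {
                checkedPayload(jwt);
                System.out.println("accepted (depth " + nestingDepth(body) + ")");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The scan is linear in the token size and allocates nothing beyond the decoded payload, which is the property that matters: the cost of rejecting a hostile token must not itself grow with its nesting.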

The Lab · 2026-04-12 12:22:39 · GitHub Issues

4. CVE-2026-34480: Medium-Severity Log4j Vulnerability Detected in Apache Log4j 2.11.2

A newly identified medium-severity vulnerability, CVE-2026-34480, has been detected in a widely used Apache Log4j component. The flaw is present in the `log4j-core-2.11.2.jar` library, a core part of the Apache Log4j logging framework. This specific vulnerable instance was found within a project's dependency tree, intr...

The Lab · 2026-04-12 12:22:42 · GitHub Issues

5. CVE-2026-34479: Medium-Severity Vulnerability Detected in Apache Log4j 2.11.2

A newly identified medium-severity vulnerability, CVE-2026-34479, has been flagged within a widely used Apache Log4j component. The specific vulnerable library is log4j-core-2.11.2.jar, a version of the ubiquitous Java logging framework. This finding is not an isolated incident but a direct dependency within a larger s...

The Lab · 2026-04-14 02:22:26 · GitHub Issues

6. Apache Tomcat Security Flaw: Pre/Post-Resources Vulnerability Bypasses Authentication (CVE-2025-49125)

A newly disclosed vulnerability in Apache Tomcat allows attackers to bypass critical security constraints, potentially gaining unauthorized access to protected server resources. The flaw, tracked as CVE-2025-49125 (GHSA-wc4r-xq3c-5cf3), is an authentication bypass issue that stems from how the software handles PreResou...

The Lab · 2026-04-15 01:22:42 · GitHub Issues

7. Spring Framework Security Alert: RFD Vulnerability (CVE-2025-41234) Patched in v6.2.8

A security vulnerability in the widely used Spring Framework has been patched, and applications on the affected release lines should update. The flaw, tracked as CVE-2025-41234, is a Reflected File Download (RFD) attack vector that affects multiple release lines, including 6.0.x from 6.0.5 onward, 6.1.x...

The Lab · 2026-04-17 04:22:37 · GitHub Issues

8. Apache Tomcat High-Severity Vulnerability CVE-2026-29146: Encryption Interceptor Vulnerable to Padding Oracle Attack Under Default Configuration

A high-severity vulnerability in Apache Tomcat's default security configuration may allow an attacker to decrypt sensitive session data through a padding oracle attack. The vulnerability is tracked as CVE-2026-29146, carries a CVSS score of 7.5 (High), and has a very wide impact, covering nearly all current mainstream Tomcat versions. Specifically, the flaw lies in Tomcat's EncryptInterceptor component. Under the default configuration, an attacker can exploit it by observing how the component responds to padding errors in tampered ciphertexts and, block by block, recover the plaintext of the encrypted data without ever learning the key. Affected versions include Tomcat 11.0.0-M1 to 11.0.18, 10.0.0-M1 to 10.1.52, 9.0.13 to 9.0.115...

The Lab · 2026-04-18 02:22:39 · GitHub Issues

9. Netty CVE-2022-24823: Java 6 Legacy Systems at Risk of Local Information Disclosure via Multipart Decoders

A vulnerability in the widely-used Netty framework exposes legacy Java runtimes to local information disclosure. The flaw, tracked as CVE-2022-24823, is an insufficient patch for a prior security issue (CVE-2021-21290) within the `io.netty:netty-codec-http` package. This vulnerability specifically targets syste...

The Lab · 2026-05-10 12:01:44 · GitHub Issues

10. Critical SQL Injection Vulnerability Discovered in ExpenseRepository: Unsafe Query Construction Opens Door to Arbitrary Database Commands

A critical SQL injection vulnerability has been flagged in the ExpenseRepository component of the expensetracker-1 project, with severity rated at the highest level. The flaw resides in the findByCategoryUnsafe query method at line 18 of ExpenseRepository.java, where the @Query annotation constructs a native SQL statem...
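The project's actual line-18 method is not reproduced on this page, so the following added example (not the expensetracker-1 project's code) reconstructs the pattern the record describes beside its hardened forms: a native query that concatenates the category into SQL text, a Spring Data repository that binds it as a parameter, and an allow-list for the one part of a statement (an ORDER BY column) that cannot be bound. The Expense entity, the table and column names, the UnsafeExpenseQueries class and the SafeExpenseQueries class are assumptions.

```java
import java.util.List;
import java.util.Set;

import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// Assumed entity shape: table "expense" with columns id, category, amount_cents.
@Entity
class Expense {
    @Id
    Long id;
    String category;
    @Column(name = "amount_cents")
    long amountCents;
}

// Vulnerable pattern (reconstruction for illustration, not the project's code):
// the caller-supplied category becomes part of the SQL text, so a single quote
// in it closes the string literal and the remainder is parsed as SQL.
class UnsafeExpenseQueries {
    private final EntityManager em;

    UnsafeExpenseQueries(EntityManager em) {
        this.em = em;
    }

    @SuppressWarnings("unchecked")
    List<Expense> findByCategoryUnsafe(String category) {
        // category = "food' OR '1'='1"  ->  WHERE category = 'food' OR '1'='1'  (every row)
        // category = "food' UNION SELECT ... --"  ->  reads other tables if column counts line up
        String sql = "SELECT * FROM expense WHERE category = '" + category + "'";
        return em.createNativeQuery(sql, Expense.class).getResultList();
    }
}

// Hardened forms: user input only ever travels as a bound parameter.
interface ExpenseRepository extends JpaRepository<Expense, Long> {
    // Derived query: Spring Data generates the JPQL from the method name; no hand-written SQL.
    List<Expense> findByCategory(String category);

    // Native SQL where it is really needed: the named parameter is bound by the JDBC
    // driver, so "food' OR '1'='1" is compared literally as a category value.
    @Query(value = "SELECT * FROM expense WHERE category = :category", nativeQuery = true)
    List<Expense> findByCategoryNative(@Param("category") String category);
}

// Identifiers (column names in ORDER BY, table names) cannot be bound as parameters;
// the only safe option there is an allow-list of fixed strings owned by the code.
final class SafeExpenseQueries {
    private static final Set<String> SORTABLE = Set.of("id", "category", "amount_cents");
    private final EntityManager em;

    SafeExpenseQueries(EntityManager em) {
        this.em = em;
    }

    @SuppressWarnings("unchecked")
    List<Expense> findByCategorySorted(String category, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // The value is bound (?1); the column name is one of our own constants, never user text.
        String sql = "SELECT * FROM expense WHERE category = ?1 ORDER BY " + sortColumn;
        return em.createNativeQuery(sql, Expense.class)
                 .setParameter(1, category)
                 .getResultList();
    }
}
```

When reviewing a repository for this class of bug, the test is mechanical: any `+` or `String.format` that builds query text from a method argument is a finding, whether the text ends up in `createNativeQuery`, `createQuery`, or a JDBC `Statement`; `@Query` strings that are compile-time constants with `:name` or `?1` placeholders are the shape to converge on.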