CVE Daily – Hibernate ORM (High+Critical)

[High] CVE-2026-4594 – A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this is...

Mon, 23 Mar 2026 18:16:26 +0000

High CVE-2026-4594

A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hibernate. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The ven…

CVSS: 7.3 · CWE: CWE-89

View on NVD

[High] CVE-2026-0603 – A flaw was found in Hibernate. A remote attacker with low privileges could explo...

Fri, 23 Jan 2026 07:15:53 +0000

High CVE-2026-0603

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the app…

CVSS: 8.3 · CWE: CWE-89

View on NVD

[High] CVE-2025-10968 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti...

Fri, 07 Nov 2025 13:15:38 +0000

High CVE-2025-10968

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc. PaperWork allows Blind SQL Injection, SQL Injection.This issue affects PaperWork: from 6.1.0.9390 before 6.1.0.9398.

CVSS: 8.8 · CWE: CWE-89

View on NVD

[Critical] CVE-2025-54385 – XWiki Platform is a generic wiki platform offering runtime services for applicat...

Sat, 26 Jul 2025 04:16:06 +0000

Critical CVE-2025-54385

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforc…

CVSS: 9.8 · CWE: CWE-20

View on NVD

[Critical] CVE-2024-56158 – XWiki is a generic wiki platform. It's possible to execute any SQL query in Orac...

Thu, 12 Jun 2025 15:15:38 +0000

Critical CVE-2024-56158

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.

CVSS: 9.8 · CWE: CWE-89

View on NVD

[Critical] CVE-2024-7071 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti...

Tue, 27 Aug 2024 14:15:20 +0000

Critical CVE-2024-7071

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection. This issue affects Brain Low-Code: before 2.1.0.

CVSS: 9.8 · CWE: CWE-89

View on NVD

[Critical] CVE-2023-26093 – Liima before 1.17.28 allows Hibernate query language (HQL) injection, related to...

Mon, 20 Feb 2023 05:15:11 +0000

Critical CVE-2023-26093

Liima before 1.17.28 allows Hibernate query language (HQL) injection, related to colToSort in the deployment filter.

CVSS: 9.8 · CWE: CWE-89

View on NVD

[High] CVE-2009-4997 – gnome-power-manager 2.27.92 does not properly implement the lock_on_suspend and ...

Tue, 07 Sep 2010 18:00:01 +0000

High CVE-2009-4997

gnome-power-manager 2.27.92 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: this issue exists because of a regression that followed a gnome-p…

CVSS: 7.2 · CWE: CWE-264

View on NVD

[High] CVE-2009-4996 – Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibern...

Tue, 07 Sep 2010 18:00:01 +0000

High CVE-2009-4996

Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally secure, or more secure, b…

CVSS: 7.2 · CWE: CWE-264

View on NVD

[High] CVE-2006-7240 – gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and l...

Tue, 07 Sep 2010 18:00:01 +0000

High CVE-2006-7240

gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532.

CVSS: 7.2 · CWE: CWE-264

View on NVD

[High] CVE-2010-2532 – lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other p...

Fri, 03 Sep 2010 20:00:03 +0000

High CVE-2010-2532

lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other platforms, does not lock the screen when the Suspend or Hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally…

CVSS: 7.2 · CWE: CWE-264

View on NVD