CVE Daily
← All tags

Tag: Hibernate ORM

All CVEs associated with "Hibernate ORM". Page 1/1 • 21 CVEs.

About “Hibernate ORM”

A curated feed of “Hibernate ORM”-related CVEs appears below. We currently track 21 CVEs for this tag (all time). In the last 365 days, 13 were published. Average CVSS is 7.2 (all time; 7.0 over 365d), and 52% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE-476 - NULL Pointer Dereference, CWE-772 - Missing Release of Resource after Effective Lifetime.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: hibernate-orm

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
7.37.3.7-
7.27.2.17 Expired
7.17.1.29 Expired
7.07.0.10 Expired
6.66.6.52- Expired
6.56.5.3- Expired
6.46.4.10- Expired
6.36.3.2- Expired
6.26.2.52- Expired
6.16.1.7- Expired
6.06.0.2- Expired
5.65.6.15- Expired
5.55.5.9- Expired
5.45.4.33- Expired
5.35.3.38- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Hibernate ORM”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-03-23
High

CVE-2026-4594

A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.…

CVSS: 7.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2026-4593

A flaw has been found in erupts erupt bis 1.13.3. Affected by this vulnerability is the function EruptDataQuery of the file erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java of the co…

CVSS: 6.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2026-02-14
Medium

CVE-2026-23128

In the Linux kernel, the following vulnerability has been resolved: arm64: Set __nocfi on swsusp_arch_resume() A DABT is reported[1] on an android based system when resume from hiberate. This happe…

CVSS: 5.5 CWE: N/A View on NVD
2026-02-04
Unknown

CVE-2026-23044

In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Fix crash when freeing invalid crypto compressor When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not…

CVSS: N/A CWE: N/A View on NVD
2026-01-26
Medium

CVE-2025-14969

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking con…

CVSS: 4.3 CWE: CWE-772 - Missing Release of Resource after Effective Lifetime View on NVD
2026-01-23
High

CVE-2026-0603

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters i…

CVSS: 8.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2026-01-09
Medium

CVE-2025-67280

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive d…

CVSS: 5.4 CWE: CWE-564 - SQL Injection: Hibernate View on NVD
2025-12-16
Unknown

CVE-2025-68230

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough On PF passthrough environment, after hibernate and then resume…

CVSS: N/A CWE: N/A View on NVD
2025-11-07
High

CVE-2025-10968

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in GG Soft Software Services Inc. PaperWork allows Blind SQL I…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2025-10-04
Medium

CVE-2025-39936

In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() When 9770b428b1a2 ("crypto: ccp - Move dev_i…

CVSS: 5.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2025-09-19
Medium

CVE-2025-39865

In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm =…

CVSS: 5.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2025-07-26
Critical

CVE-2025-54385

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to exec…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2025-06-12
Critical

CVE-2024-56158

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-08-27
Critical

CVE-2024-7071

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows S…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2023-02-20
Critical

CVE-2023-26093

Liima before 1.17.28 allows Hibernate query language (HQL) injection, related to colToSort in the deployment filter.

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2016-04-22
Medium

CVE-2016-1595

LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection att…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-09-30
Medium

CVE-2014-3558

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (…

CVSS: 5.0 CWE: CWE-264 View on NVD
2010-09-07
High

CVE-2009-4997

gnome-power-manager 2.27.92 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it…

CVSS: 7.2 CWE: CWE-264 View on NVD
High

CVE-2009-4996

Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via…

CVSS: 7.2 CWE: CWE-264 View on NVD
High

CVE-2006-7240

gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it e…

CVSS: 7.2 CWE: CWE-264 View on NVD
2010-09-03
High

CVE-2010-2532

lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other platforms, does not lock the screen when the Suspend or Hibernate button is pressed, which might make it easier for phys…

CVSS: 7.2 CWE: CWE-264 View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox