CVE Daily
← All tags

Tag: Oracle JDK

All CVEs associated with "Oracle JDK". Page 5/43 • 5132 CVEs.

Subscribe CVEs: RSS for “Oracle JDK”  ·  RSS (High+Critical only)

About “Oracle JDK”

A curated feed of “Oracle JDK”-related CVEs appears below. We currently track 5132 CVEs for this tag (all time). In the last 365 days, 784 were published. Average CVSS is 6.7 (all time; 6.3 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a MODERATE impact class. JDK and JVM updates affect TLS, serialization, and performance. Upgrade JDK or JRE, restart dependents, avoid unsupported builds, and consider key or cert rotation if needed. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-12-01
Medium

CVE-2025-13809

A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/m…

CVSS: 6.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2025-13808

A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java…

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-13807

A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/…

CVSS: 4.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
High

CVE-2025-13806

A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main…

CVSS: 7.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Low

CVE-2025-13805

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/im…

CVSS: 3.7 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-13804

A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-11-30
Medium

CVE-2025-13791

A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Su…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-28
High

CVE-2025-12183

Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

CVSS: 8.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
2025-11-27
Critical

CVE-2025-12140

The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of character…

CVSS: 9.3 CWE: CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') View on NVD
2025-11-26
High

CVE-2025-46175

Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java.

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-46174

Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-66021

OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-11-25
Medium

CVE-2025-13467

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDA…

CVSS: 5.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-11-20
Medium

CVE-2025-13435

A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of…

CVSS: 5.6 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-19
High

CVE-2025-10703

Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Re…

CVSS: 8.6 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2025-64408

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causewa…

CVSS: 6.3 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-11-17
Medium

CVE-2025-13268

A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java…

CVSS: 6.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2025-13266

A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java of the componen…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-13265

A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-13262

A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/cont…

CVSS: 7.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2025-13261

A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHan…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-16
Medium

CVE-2025-13246

A vulnerability was identified in shsuishang ShopSuite ModulithShop up to 45a99398cec3b7ad7ff9383694f0b53339f2d35a. Impacted is the function JwtAuthenticationFilter of the file src/main/java/com/suis…

CVSS: 6.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-15
Medium

CVE-2025-13209

A weakness has been identified in bestfeng oa_git_free up to 9.5. This affects the function updateWriteBack of the file yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPre…

CVSS: 6.3 CWE: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere View on NVD
2025-11-13
Medium

CVE-2025-11538

A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (…

CVSS: 6.8 CWE: CWE-1327 - Binding to an Unrestricted IP Address View on NVD
2025-11-11
Medium

CVE-2025-42919

Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this…

CVSS: 5.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-10
High

CVE-2025-64518

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1,…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
High

CVE-2025-12925

A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/fore…

CVSS: 7.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-12924

A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/Ban…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2025-11-07
Critical

CVE-2025-63690

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a paramet…

CVSS: 9.1 CWE: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') View on NVD
Medium

CVE-2025-63687

An issue was discovered in rymcu forest thru commit f782e85 (2025-09-04) in function doBefore in file src/main/java/com/rymcu/forest/core/service/security/AuthorshipAspect.java, allowing authorized a…

CVSS: 6.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-11-06
Critical

CVE-2025-64164

Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-11-05
Critical

CVE-2025-20354

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with r…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2025-11-03
Medium

CVE-2025-12626

A security flaw has been discovered in jeecgboot jeewx-boot up to 641ab52c3e1845fec39996d7794c33fb40dad1dd. This affects the function getImgUrl of the file WxActGoldeneggsPrizesController.java. Perfo…

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Low

CVE-2025-12623

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/co…

CVSS: 3.1 CWE: CWE-285 - Improper Authorization View on NVD
2025-10-30
Medium

CVE-2025-60319

PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java).

CVSS: 6.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2025-10-29
Medium

CVE-2025-64135

Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the…

CVSS: 5.9 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2025-10-27
Medium

CVE-2025-12305

A vulnerability was found in quequnlong shiyi-blog up to 1.2.1. This impacts an unknown function of the file src/main/java/com/mojian/controller/SysJobController.java of the component Job Handler. Th…

CVSS: 6.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-12304

A vulnerability has been found in dulaiduwang003 TIME-SEA-PLUS up to fb299162f18498dd9cf17da906886d80a077d53b. This affects the function alipayIsSucceed of the file PayController.java of the componen…

CVSS: 4.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2025-12297

A vulnerability was detected in atjiu pybbs up to 6.0.0. This affects an unknown function of the file UserApiController.java. The manipulation results in information disclosure. The attack may be lau…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-10-24
Medium

CVE-2025-12194

Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java L…

CVSS: 5.9 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2025-10-23
Medium

CVE-2025-34156

Tibbo AggreGate Network Manager < 6.40.05 exposes sensitive system information through an unauthenticated endpoint at /cwmp/happyaxis.jsp. The page discloses Java system properties, server path detai…

CVSS: 6.9 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
2025-10-22
Medium

CVE-2025-62710

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils…

CVSS: 5.9 CWE: CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG) View on NVD
2025-10-21
Medium

CVE-2025-61881

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.28, 21.3-21.19 and 23.4-23.9. Difficult to exploit vulnerability allows unauthenti…

CVSS: 5.9 CWE: CWE-284 - Improper Access Control View on NVD
Low

CVE-2025-61755

Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploi…

CVSS: 3.7 CWE: CWE-862 - Missing Authorization View on NVD
Low

CVE-2025-61748

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java…

CVSS: 3.7 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-53066

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-53057

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java S…

CVSS: 5.9 CWE: CWE-284 - Improper Access Control View on NVD
2025-10-20
High

CVE-2025-57738

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provi…

CVSS: 7.2 CWE: CWE-653 - Improper Isolation or Compartmentalization View on NVD
2025-10-17
Medium

CVE-2024-31573

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

CVSS: 4.0 CWE: CWE-669 - Incorrect Resource Transfer Between Spheres View on NVD
High

CVE-2025-62420

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-10-14
Medium

CVE-2025-60537

Improper input validation in the component /kafka/ui/serdes/CustomSerdeLoader.java of kafka-ui v0.6.0 to v0.7.2 allows attackers to execute arbitrary code via supplying crafted data.

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2025-10-10
Critical

CVE-2025-60269

JEEWMS 20250820 is vulnerable to SQL Injection in the exportXls function located in the src/main/java/org/jeecgframework/web/cgreport/controller/excel/CgExportExcelController.java file.

CVSS: 9.4 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2025-10-09
Medium

CVE-2025-11551

A vulnerability was determined in code-projects Student Result Manager 1.0. This affects an unknown function of the file src/students/Database.java. This manipulation of the argument roll/name/gpa ca…

CVSS: 6.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2025-10-08
Medium

CVE-2025-60828

WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface.

CVSS: 6.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-10-07
Medium

CVE-2025-11406

A security flaw has been discovered in kaifangqian kaifangqian-base up to 7b3faecda13848b3ced6c17c7423b76c5b47b8ab. This issue affects the function getAllUsers of the file kaifangqian-parent/kaifangq…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-10-06
Critical

CVE-2025-61778

Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport…

CVSS: 9.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
Critical

CVE-2023-49886

IBM Standards Processing Engine 10.0.1.10 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe java deserialization. By sending specially crafted input, an attac…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2025-11321

A vulnerability was detected in zhuimengshaonian wisdom-education up to 1.0.4. The affected element is an unknown function of the file src/main/java/com/education/api/controller/student/WrongBookCont…

CVSS: 4.3 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2025-11320

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. Impacted is the function uploadFile of the file src/main/java/com/education/core/controller/UploadControll…

CVSS: 6.3 CWE: CWE-284 - Improper Access Control View on NVD
2025-10-05
Low

CVE-2025-11289

A vulnerability was determined in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The impacted element is the function Save of the file src/main/java/com/zhiliao/common/template/Te…

CVSS: 2.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-10-02
Low

CVE-2025-54086

CVE-2025-54086 is an excess permissions vulnerability in the Warehouse component of Absolute Secure Access prior to version 14.10. Attackers with access to the local file system can read the Java key…

CVSS: 3.3 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Critical

CVE-2025-59407

The Flock Safety DetectionProcessing com.flocksafety.android.objects application 6.35.33 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) bundles…

CVSS: 9.8 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2025-10-01
Medium

CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by comprom…

CVSS: 5.9 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-30
Critical

CVE-2025-59954

Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Exection through using an unsafe org.apache.commons.jxpath.JXPathContext i…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-59952

MinIO Java SDK is a Simple Storage Service (aka S3) client to perform bucket and object operations to any Amazon S3 compatible object storage service. In minio-java versions prior to 8.6.0, XML tag v…

CVSS: 8.7 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-29
Critical

CVE-2025-57266

An issue was discovered in file AssistantController.java in ThriveX Blogging Framework 2.5.9 thru 3.1.3 allowing unauthenticated attackers to gain sensitive information such as API Keys via the /api/…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
2025-09-27
Medium

CVE-2025-11080

A security vulnerability has been detected in zhuimengshaonian wisdom-education up to 1.0.4. This vulnerability affects the function selectStudentExamInfoList of the file src/main/java/com/education/…

CVSS: 4.3 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2025-09-23
Medium

CVE-2025-5717

An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-09-22
Medium

CVE-2025-59432

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing…

CVSS: 6.6 CWE: CWE-208 - Observable Timing Discrepancy View on NVD
Medium

CVE-2025-9541

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS: 4.7 CWE: N/A View on NVD
Medium

CVE-2025-9540

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS: 4.7 CWE: N/A View on NVD
2025-09-19
Critical

CVE-2024-13990

MicroWorld eScan AV's update mechanism failed to ensure authenticity and integrity of updates: update packages were delivered and accepted without robust cryptographic verification. As a result, an o…

CVSS: 9.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2025-57644

Accela Automation Platform 22.2.3.0.230103 contains multiple vulnerabilities in the Test Script feature. An authenticated administrative user can execute arbitrary Java code on the server, resulting…

CVSS: 9.1 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-18
Low

CVE-2025-10671

A vulnerability has been found in youth-is-as-pale-as-poetry e-learning 1.0. Impacted is the function encryptSecret of the file e-learning-master\exam-api\src\main\java\com\yf\exam\ability\shiro\jwt\…

CVSS: 3.7 CWE: CWE-310 View on NVD
2025-09-17
Critical

CVE-2025-59340

jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Priori to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible…

CVSS: 9.8 CWE: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine View on NVD
Medium

CVE-2025-54467

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation the password will appear in the NeuVector security event log.

CVSS: 5.3 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2025-09-16
Critical

CVE-2025-10492

A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that us…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2025-44034

SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the alph parameters in src/main/Java/cn/gson/oasys/controller/address/AddrController

CVSS: 8.0 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2025-55118

Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: * Control-M/Agent 9.0.20: SSL/TLS configur…

CVSS: 8.9 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2025-55117

A stack-based buffer overflow can be remotely triggered when formatting an error message in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases:…

CVSS: 5.3 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
Critical

CVE-2025-55113

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versi…

CVSS: 9.0 CWE: CWE-158 - Improper Neutralization of Null Byte or NUL Character View on NVD
2025-09-15
Medium

CVE-2025-10473

A security flaw has been discovered in yangzongzhuan RuoYi up to 4.8.1. This impacts the function filterKeyword of the file /com/ruoyi/common/utils/sql/SqlUtil.java of the component Blacklist Handler…

CVSS: 6.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Critical

CVE-2025-58748

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12 the H2 data source implementation (H2.java) does not verify that a provided JDBC URL starts wi…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2025-58045

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2025-09-14
Medium

CVE-2025-10398

A security flaw has been discovered in fcba_zzm ics-park Smart Park Management System 2.0. This vulnerability affects unknown code of the file FileUploadUtils.java. The manipulation of the argument F…

CVSS: 6.3 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2025-10394

A vulnerability has been found in fcba_zzm ics-park Smart Park Management System 2.0. Affected is an unknown function of the file ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/JobController.…

CVSS: 4.7 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2025-09-11
Low

CVE-2025-10252

A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. This affects an unknown part of the component Java RMI Registry Handler. This manipulation causes deserialization. The attack can only…

CVSS: 3.1 CWE: CWE-20 - Improper Input Validation View on NVD
2025-09-09
Critical

CVE-2025-42944

Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserializ…

CVSS: 10.0 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Low

CVE-2025-42927

SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would al…

CVSS: 3.4 CWE: N/A View on NVD
Medium

CVE-2025-42926

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthe…

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-42925

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a br…

CVSS: 4.3 CWE: CWE-341 - Predictable from Observable State View on NVD
Critical

CVE-2025-42922

SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compr…

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-09-08
Low

CVE-2025-10080

A vulnerability has been found in running-elephant Datart up to 1.0.0-rc3. Affected by this issue is the function getTokensecret of the file datart/security/src/main/java/datart/security/util/AESUtil…

CVSS: 3.1 CWE: CWE-320 View on NVD
2025-09-07
Medium

CVE-2025-36100

IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0  Java and JMS st…

CVSS: 5.1 CWE: CWE-260 - Password in Configuration File View on NVD
2025-09-04
High

CVE-2025-32322

In onCreate of MediaProjectionPermissionActivity.java , there is a possible way to grant a malicious app a token enabling unauthorized screen recording capabilities due to improper input validation.…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-26439

In getComponentName of AccessibilitySettingsUtils.java, there is a possible way to for a malicious Talkback service to be enabled instead of the system component due to a logic error in the code. Thi…

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
High

CVE-2025-26431

In setupAccessibilityServices of AccessibilityFragment.java, there is a possible way to hide an enabled accessibility service due to a logic error in the code. This could lead to local escalation of…

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Low

CVE-2025-26419

In initPhoneSwitch of SystemSettingsFragment.java, there is a possible FRP bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privi…

CVSS: 3.3 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
High

CVE-2025-22414

In FrpBypassAlertActivity of FrpBypassAlertActivity.java, there is a possible way to bypass FRP due to a missing permission check. This could lead to local escalation of privilege with no additional…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-40664

In setupAccessibilityServices of AccessibilityFragment.java , there is a possible way to hide an enabled accessibility service due to a logic error in the code. This could lead to local denial of ser…

CVSS: 6.2 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2025-48563

In onNullBinding of RemoteFillService.java, there is a possible background activity launch due to an insecure default value. This could lead to local escalation of privilege with no additional execut…

CVSS: 7.8 CWE: CWE-453 - Insecure Default Variable Initialization View on NVD
Medium

CVE-2025-48562

In writeContent of RemotePrintDocument.java, there is a possible information disclosure due to a logic error. This could lead to local information disclosure with no additional execution privileges n…

CVSS: 5.0 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Medium

CVE-2025-48559

In multiple functions of AppOpsService.java, there is a possible add a large amount of app ops due to improper input validation. This could lead to local denial of service with no additional executio…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-48558

In multiple functions of BatteryService.java, there is a possible way to hijack implicit intent intended for system app due to Implicit intent hijacking. This could lead to local escalation of privil…

CVSS: 7.8 CWE: CWE-927 - Use of Implicit Intent for Sensitive Communication View on NVD
High

CVE-2025-48556

In multiple methods of NotificationChannel.java, there is a possible desynchronization from persistence due to improper input validation. This could lead to local escalation of privilege with no addi…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-48554

In handlePackagesChanged of DevicePolicyManagerService.java, there is a possible persistent denial of service due to a logic error in the code. This could lead to local denial of service with no addi…

CVSS: 6.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
High

CVE-2025-48553

In handlePackagesChanged of DevicePolicyManagerService.java, there is a possible DoS of a device admin due to a logic error in the code. This could lead to local escalation of privilege with no addit…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2025-48552

In saveGlobalProxyLocked of DevicePolicyManagerService.java, there is a possible way to desync from persistence due to a logic error in the code. This could lead to local escalation of privilege with…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2025-48550

In testGrantSlicePermission of SliceManagerTest.java, there is a possible permanent denial of service due to a path traversal error. This could lead to local denial of service with no additional exec…

CVSS: 5.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2025-48548

In multiple functions of AppOpsControllerImpl.java, there is a possible way to record audio without displaying the privacy indicator due to a race condition. This could lead to local escalation of pr…

CVSS: 7.3 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2025-48546

In checkPermissions of SafeActivityOptions.java, there is a possible background activity launch due to a logic error in the code. This could lead to local escalation of privilege with no additional e…

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
High

CVE-2025-48545

In isSystemUid of AccountManagerService.java, there is a possible way for an app to access privileged APIs due to a confused deputy. This could lead to local privilege escalation with no additional e…

CVSS: 7.1 CWE: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy') View on NVD
Medium

CVE-2025-48542

In multiple functions of AccountManagerService.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional executio…

CVSS: 5.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2025-48541

In onCreate of FaceSettings.java, there is a possible way to remove biometric unlock across user profiles due to improper input validation. This could lead to local escalation of privilege with no ad…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-48538

In setApplicationHiddenSettingAsUser of PackageManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of serv…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-48535

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java , there is a possible way to exploit a parcel mismatch resulting in a launch anywhere vulnerability due to unsafe deserialization. T…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2025-48534

In getDefaultCBRPackageName of CellBroadcastHandler.java, there is a possible escalation of privilege due to a logic error in the code. This could lead to local denial of service with System executio…

CVSS: 8.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
High

CVE-2025-48532

In markMediaAsFavorite of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a confused deputy. This could lead to local escalation of privilege with n…

CVSS: 7.3 CWE: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy') View on NVD
Medium

CVE-2025-48529

In setRingtoneUri of VoicemailNotificationSettingsUtil.java , there is a possible cross user data leak due to a confused deputy. This could lead to local information disclosure with no additional exe…

CVSS: 5.5 CWE: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy') View on NVD
Medium

CVE-2025-48526

In createMultiProfilePagerAdapter of ChooserActivity.java , there is a possible way for an app to launch the ChooserActivity in another profile due to improper input validation. This could lead to lo…

CVSS: 4.0 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD