About “Oracle JDK”

A curated feed of “Oracle JDK”-related CVEs appears below. We currently track 5132 CVEs for this tag (all time). In the last 365 days, 784 were published. Average CVSS is 6.7 (all time; 6.3 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a MODERATE impact class. JDK and JVM updates affect TLS, serialization, and performance. Upgrade JDK or JRE, restart dependents, avoid unsupported builds, and consider key or cert rotation if needed. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

2025-07-18
Medium

CVE-2025-7788

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\execut…

Medium

CVE-2025-7787

A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\…

Medium

CVE-2025-7785

A vulnerability classified as problematic was found in thinkgem JeeSite up to 5.12.0. This vulnerability affects the function sso of the file src/main/java/com/jeesite/modules/sys/web/SsoController.j…

2025-07-17
Medium

CVE-2025-7763

A vulnerability, which was classified as problematic, was found in thinkgem JeeSite up to 5.12.0. Affected is the function select of the file src/main/java/com/jeesite/modules/cms/web/SiteController.…

Medium

CVE-2025-7759

A vulnerability was identified in thinkgem JeeSite up to 5.12.0. This vulnerability affects unknown code of the file modules/core/src/main/java/com/jeesite/common/ueditor/ActionEnter.java of the comp…

2025-07-15
Medium

CVE-2025-30761

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf an…

High

CVE-2025-50106

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u4…

High

CVE-2025-50069

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 21.3-21.18. Easily exploitable vulnerability allows low privileged attacker…

Low

CVE-2025-50065

Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Native Image). The supported version that is affected is Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulne…

High

CVE-2025-50063

Vulnerability in Oracle Java SE (component: Install). The supported version that is affected is Oracle Java SE: 8u451. Easily exploitable vulnerability allows low privileged attacker with logon to…

High

CVE-2025-50059

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java…

Medium

CVE-2025-30754

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8…

Low

CVE-2025-30752

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). The supported version that is affected is Oracle Java SE: 24.0.1; Oracle GraalVM for JDK…

High

CVE-2025-30749

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u4…

Critical

CVE-2025-53890

pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows unauthenticated remote attackers to execute…

2025-07-14
High

CVE-2025-53689

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade…

Medium

CVE-2025-7566

A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfi…

Medium

CVE-2025-7552

A vulnerability was found in Dromara Northstar up to 7.3.5. It has been rated as critical. Affected by this issue is the function preHandle of the file northstar-main/src/main/java/org/dromara/norths…

2025-07-08
Low

CVE-2025-42978

The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard…

Critical

CVE-2025-42966

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted seria…

Critical

CVE-2025-42963

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can l…

2025-07-07
Medium

CVE-2025-7108

A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7…

2025-07-06
High

CVE-2025-27446

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX (java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate p…

2025-07-02
Critical

CVE-2025-34067

An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjs…

2025-07-01
Medium

CVE-2025-53103

JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level o…

2025-06-30
Medium

CVE-2025-6925

A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/contr…

Critical

CVE-2025-26074

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

2025-06-29
High

CVE-2025-5878

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper…

2025-06-28
Medium

CVE-2025-53393

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

2025-06-27
Medium

CVE-2025-6768

A vulnerability classified as critical has been found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected is the function findAllHosByCondition of the file HospitalService…

Medium

CVE-2025-6767

A vulnerability was found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. It has been rated as critical. This issue affects the function findDoctorByCondition of the file Docto…

Medium

CVE-2025-6766

A vulnerability was found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. It has been declared as critical. This vulnerability affects the function getOfficeName of the file Of…

Medium

CVE-2025-6753

A vulnerability was found in huija bicycleSharingServer 1.0 and classified as critical. This issue affects the function selectAdminByNameLike of the file AdminController.java. The manipulation leads…

Medium

CVE-2025-6749

A vulnerability classified as critical was found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this vulnerability is the function searchAdminMessageShow of…

Medium

CVE-2025-6738

A vulnerability, which was classified as critical, has been found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this issue is the function userDao.selectUs…

2025-06-26
Critical

CVE-2025-49003

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" w…

2025-06-24
Critical

CVE-2025-2566

Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the serve…

Medium

CVE-2025-6552

A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of…

Low

CVE-2025-6551

A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The ma…

Critical

CVE-2025-34039

A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allow…

Medium

CVE-2025-6534

A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/…

Medium

CVE-2025-6533

A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/c…

2025-06-23
Medium

CVE-2025-49574

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicat…

Medium

CVE-2025-6517

A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\app…

Low

CVE-2025-6509

A vulnerability was found in seaswalker spring-analysis up to 4379cce848af96997a9d7ef91d594aa129be8d71. It has been declared as problematic. Affected by this vulnerability is the function echo of the…

2025-06-22
Medium

CVE-2025-6466

A vulnerability was found in ageerle ruoyi-ai 2.0.0 and classified as critical. Affected by this issue is the function speechToTextTranscriptionsV2/upload of the file ruoyi-modules/ruoyi-system/src/m…

Medium

CVE-2025-6453

A vulnerability classified as critical has been found in diyhi bbs 6.8. Affected is the function Add of the file /src/main/java/cms/web/action/template/ForumManageAction.java of the component API. Th…

2025-06-19
Medium

CVE-2025-24291

The Versa Director SD-WAN orchestration platform provides functionality to upload various types of files. However, the Java code handling file uploads contains an argument injection vulnerability. By…

2025-06-16
Medium

CVE-2025-25264

An unauthenticated remote attacker can trick an admin into visiting a website containing malicious JavaScript code. The current overly permissive CORS policy allows the attacker to obtain any files from…

Medium

CVE-2025-6109

A vulnerability was found in javahongxi whatsmars 2021.4.0. It has been rated as problematic. Affected by this issue is the function initialize of the file /whatsmars-archetypes/whatsmars-initializr/…

Medium

CVE-2025-6108

A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function waterm…

Medium

CVE-2025-6106

A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to c…

Medium

CVE-2025-6105

A vulnerability has been found in jflyfox jfinal_cms 5.0.1 and classified as problematic. This vulnerability affects unknown code of the file HOME.java. The manipulation of the argument Logout leads…

2025-06-10
High

CVE-2024-29198

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoi…

High

CVE-2025-27818

A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connect…

2025-06-09
Low

CVE-2025-5887

A vulnerability was found in jsnjfz WebStack-Guns 1.0. It has been classified as problematic. Affected is an unknown function of the file UserMgrController.java of the component File Upload. The mani…

Low

CVE-2025-5879

A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload.…

2025-06-05
Medium

CVE-2025-5680

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/…

Medium

CVE-2025-5679

A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/…

Medium

CVE-2025-49009

Para is a multitenant backend server/framework for object persistence and retrieval. A vulnerability that exists in versions prior to 1.50.8 in `FacebookAuthFilter.java` results in a full request URL…

2025-06-04
Low

CVE-2025-20276

A vulnerability in the web-based management interface of Cisco Unified CCX could allow an authenticated, remote attacker to execute arbitrary code on an affected device. To exploit this vulnerability…

Medium

CVE-2025-20275

A vulnerability in the file opening process of Cisco Unified Contact Center Express (Unified CCX) Editor could allow an unauthenticated attacker to execute arbitrary code on an affected device. …

Medium

CVE-2025-5545

A vulnerability classified as problematic has been found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. This affects the function image of the file src/main/java/cn/gson/oasy…

2025-06-03
Medium

CVE-2025-5544

A vulnerability was found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. It has been rated as problematic. Affected by this issue is the function image of the file src/main/j…

Low

CVE-2025-5523

A vulnerability classified as problematic has been found in enilu web-flash 1.0. This affects the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/up…

High

CVE-2025-35036

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow a…

Medium

CVE-2025-46548

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API…

2025-05-28
High

CVE-2025-48734

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of J…

2025-05-27
Medium

CVE-2025-23393

An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary JavaScript code on users' machines. This issue affects Con…

2025-05-26
Medium

CVE-2025-23392

An Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary JavaScript code on target systems. This issue affects Cont…

Medium

CVE-2025-5171

A vulnerability, which was classified as critical, has been found in llisoft MTA Maita Training System 4.5. This issue affects the function this.fileService.download of the file com\llisoft\controlle…

Medium

CVE-2025-5170

A vulnerability classified as critical was found in llisoft MTA Maita Training System 4.5. This vulnerability affects the function AdminShitiListRequestVo of the file com\llisoft\controller\admin\shi…

2025-05-21
Medium

CVE-2025-5033

A vulnerability classified as problematic was found in XiaoBingby TeaCMS 2.0.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/me/teacms/controller/admin/UserMan…

High

CVE-2025-46822

OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path trav…

2025-05-18
Medium

CVE-2025-4893

A vulnerability classified as critical has been found in jammy928 CoinExchange_CryptoExchange_Java up to 8adf508b996020d3efbeeb2473d7235bd01436fa. This affects the function uploadLocalImage of the fi…

2025-05-17
Low

CVE-2025-4839

A vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/…

Medium

CVE-2025-4838

A vulnerability, which was classified as problematic, was found in kanwangzjm Funiture up to 71ca0fb0658b3d839d9e049ac36429207f05329b. Affected is the function doPost of the file /funiture-master/src…

2025-05-16
Medium

CVE-2025-4768

A vulnerability classified as critical has been found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. This affects the function uploadPicture of the file PictureServiceImpl.java. The manipulati…

2025-05-14
Medium

CVE-2025-29691

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the userName parameter at /log…

Medium

CVE-2025-29690

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the outtype parameter at /addr…

Medium

CVE-2025-29689

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at /mai…

Medium

CVE-2025-29688

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /dayman…

Medium

CVE-2025-29686

A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /inform…

Critical

CVE-2025-4641

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization…

2025-05-13
High

CVE-2025-32917

Privilege escalation in jar_signature agent plugin in Checkmk versions <2.4.0b7 (beta), <2.3.0p32, <2.2.0p42, and 2.1.0p49 (EOL) allow user with write access to JAVA_HOME/bin directory to escalate pr…

Critical

CVE-2025-30012

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specifi…

Medium

CVE-2025-30011

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an mal…

Medium

CVE-2025-30010

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a mal…

Medium

CVE-2025-30009

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute mali…

2025-05-11
Low

CVE-2025-4542

A vulnerability, which was classified as problematic, has been found in Freeebird Hotel 酒店管理系统 API up to 1.2. Affected by this issue is some unknown functionality of the file /src/main/java/cn/mafang…

Medium

CVE-2025-4530

A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm 1.0. It has been declared as problematic. Affected by this vulnerability is the function handleFileDownload of the file File…

2025-05-10
Medium

CVE-2025-4511

A vulnerability was found in vector4wang spring-boot-quick up to 20250422. It has been rated as critical. This issue affects the function ResponseEntity of the file /spring-boot-quick-master/quick-im…

Low

CVE-2025-4495

A vulnerability has been found in JAdmin-JAVA JAdmin 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /memoAjax/save. The manipulation of the…

2025-05-09
High

CVE-2025-4494

A vulnerability, which was classified as critical, was found in JAdmin-JAVA JAdmin 1.0. Affected is the function toLogin of the file NoNeedLoginController.java of the component Admin Backend. The man…

Medium

CVE-2025-46392

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when l…

2025-05-07
High

CVE-2025-30147

Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native…

2025-05-06
Medium

CVE-2025-4333

A vulnerability was found in feng_ha_ha/megagao ssm-erp and production_ssm up to 0.0.1. It has been classified as critical. This affects the function uploadFile of the file src/main/java/com/megagao/…

Low

CVE-2025-4328

A vulnerability was found in fp2952 spring-cloud-base up to 7f050dc6db9afab82c5ce1d41cd74ed255ec9bfa. It has been declared as problematic. Affected by this vulnerability is the function sendBack of t…

2025-05-05
Medium

CVE-2025-4260

A vulnerability was found in zhangyanbo2007 youkefu up to 4.2.0 and classified as problematic. Affected by this issue is the function impsave of the file m\web\handler\admin\system\TemplateController…

Medium

CVE-2025-4259

A vulnerability has been found in newbee-mall 1.0 and classified as critical. Affected by this vulnerability is the function Upload of the file ltd/newbee/mall/controller/common/UploadController.java…

Medium

CVE-2025-4258

A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu up to 4.2.0. Affected is the function Upload of the file \youkefu-master\src\main\java\com\ukefu\webim\web\handl…

2025-05-01
Medium

CVE-2025-4178

A vulnerability was found in xiaowei1118 java_server up to 11a5bac8f4ba1c17e4bc1b27cad6d24868500e3a on Windows and classified as critical. This issue affects some unknown processing of the file /src/…

Medium

CVE-2025-4175

A vulnerability, which was classified as critical, was found in AlanBinu007 Spring-Boot-Advanced-Projects up to 3.1.3. This affects the function uploadUserProfileImage of the file /Spring-Boot-Advanc…

2025-04-28
Medium

CVE-2025-4036

A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/Au…

Medium

CVE-2023-42404

OneVision Workspace before WS23.1 SR1 (build w31.040) allows arbitrary Java EL execution.

High

CVE-2025-4019

A vulnerability, which was classified as critical, was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. Affected is the function genCode of the file novel-admin/src/main/j…

Medium

CVE-2025-4018

A vulnerability, which was classified as critical, has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This issue affects the function addCrawlSource of the file nov…

Medium

CVE-2025-4017

A vulnerability classified as problematic was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This vulnerability affects the function list of the file nnovel-admin/src/ma…

Medium

CVE-2025-4016

A vulnerability classified as critical has been found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. This affects the function deleteIndex of the file novel-admin/src/main/jav…

Medium

CVE-2025-4015

A vulnerability was found in 20120630 Novel-Plus up to 0e156c04b4b7ce0563bef6c97af4476fcda8f160. It has been rated as critical. Affected by this issue is the function list of the file novel-system/sr…

2025-04-27
Medium

CVE-2025-3986

A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repositor…

Low

CVE-2025-3985

A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main…

Medium

CVE-2025-3984

A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\j…

2025-04-21
Medium

CVE-2025-3843

A vulnerability was found in panhainan DS-Java 1.0. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to lau…

Medium

CVE-2025-3842

A vulnerability was found in panhainan DS-Java 1.0 and classified as critical. This issue affects the function uploadUserPic.action of the file src/com/phn/action/FileUpload.java. The manipulation of…

2025-04-20
Medium

CVE-2025-3830

A vulnerability was found in kuangstudy KuangSimpleBBS 1.0. It has been declared as critical. Affected by this vulnerability is the function fileUpload of the file src/main/java/com/kuang/controller/…

2025-04-19
Medium

CVE-2025-3807

A vulnerability, which was classified as critical, was found in zhenfeng13 My-BBS 1.0. This affects the function Upload of the file src/main/java/com/my/bbs/controller/common/UploadController.java of…

2025-04-17
Low

CVE-2025-43708

VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference='../../../set/set[2]' is used, aka an "inse…

2025-04-15
Critical

CVE-2025-24297

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal.

High

CVE-2025-30736

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.26, 21.3-21.17 and 23.4-23.7. Difficult to exploit vulnerability allows unauthenti…