Maven vulnerabilities | Corgea Advisories

CRITICAL 9.1

Maven

CVE-2025-66614

Apache Tomcat - Client certificate verification bypass

Feb 17, 2026

CRITICAL 9.1

Maven

CVE-2026-40982

Spring Cloud Config vulnerable to Path Traversal

May 7, 2026

CRITICAL 9.8

Maven

CVE-2026-33728

dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

Mar 26, 2026

CRITICAL 9.8

Maven

CVE-2024-55875

http4k has a potential XXE (XML External Entity Injection) vulnerability

Dec 12, 2024

CRITICAL 9.8

Maven

CVE-2019-17571

Deserialization of Untrusted Data in Log4j

Jan 6, 2020

CRITICAL 9.8

Maven

CVE-2026-45083

Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy

May 13, 2026

CRITICAL 9.8

Maven

CVE-2009-3555

Apache Tomcat affected by vulnerability in TLS and SSL protocol

May 2, 2022

CRITICAL 9.8

Maven

CVE-2022-23305

SQL Injection in Log4j 1.2.x

Jan 21, 2022

CRITICAL 9.6

Maven

CVE-2026-2587

GlassFish's gadget handler is vulnerable to RCE

May 19, 2026

CRITICAL 9.1

Maven

CVE-2026-2586

GlassFish's Administration Console is Vulnerable to RCE

May 19, 2026

CRITICAL 9.8

Maven

CVE-2026-47323

Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering

May 19, 2026

CRITICAL 9.1

Maven

CVE-2026-33117

Security feature bypass vulnerability in Azure Key Vault Keys library for Java

May 12, 2026

CRITICAL 9.8

Maven

CVE-2026-46562

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

May 27, 2026

CRITICAL 9.1

Maven

CVE-2026-46621

Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

May 27, 2026

CRITICAL 9.1

Maven

CVE-2026-44632

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

May 27, 2026

CRITICAL 9.9

Maven

CVE-2026-40453

Apache Camel has an incomplete fix for CVE-2025-27636

Apr 27, 2026

CRITICAL 9.1

Maven

CVE-2026-43515

Apache Tomcat - Security constraints not correctly applied

May 12, 2026

CRITICAL 9.8

Maven

CVE-2026-27446

Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions

Mar 4, 2026

CRITICAL 9.1

Maven

CVE-2026-29145

Apache Tomcat: CLIENT_CERT authentication does not fail as expected

Apr 9, 2026

CRITICAL 9.8

Maven

CVE-2026-41293

Apache Tomcat - HTTP/2 request headers not validated

May 12, 2026

CRITICAL 9.8

Maven

CVE-2026-43512

Apache Tomcat - Digest authenticator will authenticate any unknown user

May 12, 2026

CRITICAL 9.8

Maven KEV

CVE-2020-1938

Improper Privilege Management in Tomcat

Jun 15, 2020

CRITICAL 9.1

Maven

CVE-2026-41258

OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange

May 4, 2026

CRITICAL 9.1

Maven

CVE-2026-42555

Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

May 6, 2026

CRITICAL 9.1

Maven

CVE-2026-40976

Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

Apr 28, 2026

CRITICAL 9.8

Maven

CVE-2026-41635

Apache MINA vulnerable to Deserialization of Untrusted Data

Apr 27, 2026

CRITICAL 9.0

Maven

CVE-2026-41901

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns

May 4, 2026

CRITICAL 9.0

Maven

CVE-2026-44221

ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases

May 5, 2026

CRITICAL 9.6

Maven

CVE-2025-55754

Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences

Oct 27, 2025

CRITICAL 9.8

Maven

CVE-2026-22738

Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key

Mar 27, 2026

CRITICAL 9.1

Maven

CVE-2026-27478

Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation

May 11, 2026

CRITICAL 10.0

Maven

CVE-2026-7411

Eclipse BaSyx Java Server SDK vulnerable to Path Traversal

May 5, 2026

CRITICAL 9.1

Maven

CVE-2026-40010

Apache Wicket has a Session Fixation issue

May 6, 2026

CRITICAL 9.1

Maven

CVE-2026-40682

Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing

May 4, 2026

CRITICAL 9.8

Maven

CVE-2026-42027

Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

May 4, 2026

CRITICAL 9.9

Maven

CVE-2026-42812

Apache Polaris has an Improper Input Validation issue

May 4, 2026

CRITICAL 9.9

Maven

CVE-2026-42810

Apache Polaris has an Improper Input Validation Issue

May 4, 2026

CRITICAL 9.9

Maven

CVE-2026-42811

Apache Polaris has an Improper Input Validation issue

May 4, 2026

CRITICAL 9.9

Maven

CVE-2026-42809

Apache Polaris has an Improper Input Validation Issue

May 4, 2026

CRITICAL 9.8

Maven

CVE-2026-42779

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)

May 1, 2026

CRITICAL 9.8

Maven

CVE-2026-42778

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)

May 1, 2026

CRITICAL 10.0

Maven

CVE-2026-36767

Shopizer has a path traversal issue

Apr 30, 2026

CRITICAL 9.8

Maven

CVE-2026-41409

Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)

Apr 27, 2026

CRITICAL 9.0

Maven

CVE-2026-42523

Jenkins GitHub Plugin has an XSS vulnerability

Apr 29, 2026

CRITICAL 9.8

Maven

CVE-2020-9546

jackson-databind mishandles the interaction between serialization gadgets and typing

Apr 23, 2020

CRITICAL 9.4

Maven

CVE-2026-33454

Apache Camel's Camel-Mail component is vulnerable to Camel message header injection

Apr 27, 2026

CRITICAL 9.0

Maven

CVE-2026-40478

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Apr 15, 2026

CRITICAL 9.9

Maven

CVE-2026-32604

Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Apr 21, 2026

CRITICAL 9.0

Maven

CVE-2026-40477

Improper restriction of the scope of accessible objects in Thymeleaf expressions

Apr 15, 2026

CRITICAL 9.9

Maven

CVE-2026-39842

Expression Injection in OpenRemote

Apr 14, 2026

CRITICAL 9.9

Maven

CVE-2026-32613

Spinnaker: RCE via expression parsing due to unrestricted context handling

Apr 21, 2026

CRITICAL 10.0

Maven

CVE-2026-33453

Apache camel-coap allows header injection that can lead to remote code execution

Apr 27, 2026

CRITICAL 9.8

Maven KEV

CVE-2012-0391

Apache Struts Remote Java Code Execution

May 4, 2022

CRITICAL 9.0

Maven

CVE-2025-66024

XWiki Blog Application home page vulnerable to Stored XSS via Post Title

Mar 4, 2026

CRITICAL 9.8

Maven

CVE-2024-26579

Apache Inlong Deserialization of Untrusted Data vulnerability

May 8, 2024

CRITICAL 9.1

Maven

CVE-2026-33557

Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation

Apr 20, 2026

CRITICAL 9.8

Maven

CVE-2024-46983

SOFA Hessian Remote Command Execution (RCE) Vulnerability

Sep 19, 2024

CRITICAL 9.8

Maven

CVE-2022-0239

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Jan 21, 2022

CRITICAL 9.1

Maven

CVE-2021-26291

Origin Validation Error in Apache Maven

Jun 16, 2021

CRITICAL 9.1

Maven

CVE-2026-35580

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Apr 8, 2026

Know every threat before it ships

Apache Tomcat - Client certificate verification bypass

Spring Cloud Config vulnerable to Path Traversal

dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

http4k has a potential XXE (XML External Entity Injection) vulnerability

Deserialization of Untrusted Data in Log4j

Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy

Apache Tomcat affected by vulnerability in TLS and SSL protocol

SQL Injection in Log4j 1.2.x

GlassFish's gadget handler is vulnerable to RCE

GlassFish's Administration Console is Vulnerable to RCE

Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering

Security feature bypass vulnerability in Azure Key Vault Keys library for Java

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

Apache Camel has an incomplete fix for CVE-2025-27636

Apache Tomcat - Security constraints not correctly applied

Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions

Apache Tomcat: CLIENT_CERT authentication does not fail as expected

Apache Tomcat - HTTP/2 request headers not validated

Apache Tomcat - Digest authenticator will authenticate any unknown user

Improper Privilege Management in Tomcat

OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange

Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users

Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

Apache MINA vulnerable to Deserialization of Untrusted Data

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns

ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases

Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences

Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key

Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation

Eclipse BaSyx Java Server SDK vulnerable to Path Traversal

Apache Wicket has a Session Fixation issue

Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing

Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

Apache Polaris has an Improper Input Validation issue

Apache Polaris has an Improper Input Validation Issue

Apache Polaris has an Improper Input Validation issue

Apache Polaris has an Improper Input Validation Issue

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)

Shopizer has a path traversal issue

Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)

Jenkins GitHub Plugin has an XSS vulnerability

jackson-databind mishandles the interaction between serialization gadgets and typing

Apache Camel's Camel-Mail component is vulnerable to Camel message header injection

Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Improper restriction of the scope of accessible objects in Thymeleaf expressions

Expression Injection in OpenRemote

Spinnaker: RCE via expression parsing due to unrestricted context handling

Apache camel-coap allows header injection that can lead to remote code execution

Apache Struts Remote Java Code Execution

XWiki Blog Application home page vulnerable to Stored XSS via Post Title

Apache Inlong Deserialization of Untrusted Data vulnerability

Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation

SOFA Hessian Remote Command Execution (RCE) Vulnerability

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Origin Validation Error in Apache Maven

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Start Securing