80 matches found
Spring Cloud Config Server - Path Traversal
Spring Cloud 3.1.x 3.1.13, 4.1.x 4.1.9, 4.2.x 4.2.3, 4.3.x 4.3.2, and 5.0.x 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server when using the native file system backend, letting attackers access files outside the configured directories; exploitation requires a crafted request. i...
ai.hyacinth.framework:core-service-config-server (>=0.5.0 <=0.5.24), cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE) +238 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=1.1.0.RELEASE <=3.1.10)
org.springframework.cloud:spring-cloud-config-server MAVEN version =1.1.0.RELEASE, =0.5.0, =1.0.6.OSS, =0.0.1, =0.0.1, =2.0.0.RELEASE, =2.0.2.RELEASE, =0.0.1.RELEASE, =0.0.1-RELEASE, =1.1.1, =1.1.0-RELEASE, =1.0.0, =1.2.2-RC - com.feingto:feingto-config =2.3.3.RELEASE and more Source cves:...
com.mayhoo:config-server (=3.0.2), com.okta.spring.examples:okta-spring-boot-cloud-config-example (>=3.0.3 <=3.0.8) +9 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=4.0.0 <=4.1.7)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.0.0, =3.0.3, =0.5, =0.0.1, =1.2.1-rc1, =7.0.0, =7.0.0, =4.0.0, =3.0.0, =3.1.6 Source cves: CVE-2026-22739 Source advisory: OSV:GHSA-3QWQ-Q9VM-5J42...
com.brihaspathee.artemis:config-server (>=0.0.1 <=1.0.2), com.brihaspathee.sapphire:config-server (>=1.0.0 <=1.0.7) +6 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=4.2.0 <=4.2.4)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.2.0, =0.0.1, =1.0.0, =3.0.9, =0.1.41-Beta, =7.2.0, =7.2.0, =4.2.0, =3.2.0, =3.2.3 Source cves: CVE-2026-22739 Source advisory: OSV:GHSA-3QWQ-Q9VM-5J42...
io.github.ilyaslabs.foodstack:configserver (=0.0.1), io.github.ilyaslabs:spring-boot-microservice-config-server (=1.0.0) +7 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=4.3.0 <=4.3.1)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.3.0, =1.0.1, =7.3.0, =7.3.0, =26.01.01, =2.3.0, =4.3.0, =3.3.0, =3.3.1 Source cves: CVE-2026-22739 Source advisory: OSV:GHSA-3QWQ-Q9VM-5J42...
CVE-2026-22739
creationtimestamp| type| source
---|---|---
2026-03-24 01:30:58+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mhrgha7cwp2s
2026-03-24 03:06:44+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mhrlsidflx2i
2026-03-24 14:20:13+00:00| seen|...
com.brihaspathee.artemis:config-server (>=0.0.1 <=1.0.2), com.brihaspathee.sapphire:config-server (>=1.0.0 <=1.0.7) +17 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=4.0.0 <=4.3.1)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.0.0, =0.0.1, =1.0.0, =3.0.3, =0.5, =0.0.1, =0.1.41-Beta, =1.0.1, =1.2.1-rc1, =7.0.0, =7.0.0, =26.01.01, =26.05.07 - org.octopusden.cloud.config-server:config-server =2.0.4 and more Source cves: CVE-2026-22739 Source advisory:...
org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=8.0.0-RC1 <=8.0.0-RC2), org.apereo.cas:cas-server-webapp-init-config-server (>=8.0.0-RC1 <=8.0.0-RC2) +3 more potentially affected by CVE-2026-22739 via org.springframework.cloud:spring-cloud-config-server (>=5.0.0-M1 <=5.0.1)
org.springframework.cloud:spring-cloud-config-server MAVEN version =5.0.0-M1, =8.0.0-RC1, =8.0.0-RC1, =5.0.0, =5.0.0, =5.0.1 Source cves: CVE-2026-22739 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKCLOUD-15762281...
CVE-2021-22739
Information Exposure vulnerability exists in homeLYnk Wiser For KNX and spaceLYnk V2.60 and prior which could cause a device to be compromised when it is first configured...
Linux Distros Unpatched Vulnerability : CVE-2022-22739
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR 91.5,...
CVE-2025-22739
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.7.5...
CVE-2025-22739
creationtimestamp| type| source
---|---|---
2025-03-27 22:36:54+00:00| seen| https://t.me/DarkWebInformerCVEAlerts/9241
2025-03-28 01:01:21+00:00| seen| https://t.me/cvedetector/21354...
CVE-2025-22739
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.7.5...
CVE-2025-22739
CVE-2025-22739 affects LearnPress (WordPress LMS Plugin) up to version 4.2.7.5 and is a Missing Authorization vulnerability. The CVSS 3.1 score is 5.3 (Medium). Connected data confirm a patch exists for LearnPress, i.e., the issue has been addressed in a later release. Action: upgrade LearnPress ...
GPT Academic path traversal vulnerability (CNVD-2025-22739)
GPT Academic is an interface that provides practical interactions for large language models (LLMs) such as GPT/GLM. GPT Academic suffers from a path traversal vulnerability that stems from an unverified 7z file extraction, which can be exploited by an attacker to perform arbitrary file writes, leadi...
SUSE CVE-2022-22739
Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5...
CVE-2023-22739
creationtimestamp| type| source
---|---|---
2023-01-27 00:43:57+00:00| seen| https://t.me/cibsecurity/56988...
CVE-2023-22739
CVE-2023-22739 affects Discourse. Versions prior to 3.0.1 (stable) and 3.1.0.beta2 (beta/tests-passed) are vulnerable to unbounded draft data, enabling a malicious user to create an arbitrarily large draft and cause the instance to crawl. Root cause: Allocation of Resources Without Limits or Thro...
CVE-2023-22739 Discourse subject to Allocation of Resources Without Limits or Throttling
Discourse is an open source platform for community discussion. Versions prior to 3.0.1 stable, 3.1.0.beta2 beta, and 3.1.0.beta2 tests-passed are subject to Allocation of Resources Without Limits or Throttling. As there is no limit on data contained in a draft, a malicious user can create an...
CVE-2022-22739
Malicious websites could have tricked users into accepting launching a program to handle an external URL protocol. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5...