Security Bulletin: MongoDB Enterprised Advanced affected by: Observable Timing Discrepancy (CVE-2026-22746)

Summary There are vulnerabilities in spring-security-core-6.5.9.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2026-22746. The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-22746 DESCRIPTION: Vulnerability in Spring Spring Security. If an application is...

ai.langsa:ccaas-starter (>=cloud-0.1 <=cloud-0.3), ai.langsa:pom-ccaas-langsa (=0.1) +5144 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=6.0.0 <=6.5.1)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =cloud-0.1, =0.5.2, =0.5.0, =0.0.1, =55.v51410e712e0c, =7.0.0, =2.0.0, =1.5.1.RELEASE, =1.0.0, =1.0.0, =1.2.1 and more Source cves: CVE-2026-22746 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176...

CVE-2026-22746

creationtimestamp| type| source ---|---|--- 2026-04-22 08:43:26+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mk345awimj2n 2026-04-22 12:45:24+00:00| seen| https://bsky.app/profile/o2cloud.bsky.social/post/3mk3jnvyvfq2h...

br.com.archbase:archbase-annotation-processor (>=2.0.0 <=2.1.18), br.com.archbase:archbase-app-framework (>=2.0.0 <=2.1.18) +1589 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=6.5.0 <=6.5.1)

org.springframework.security:spring-security-core MAVEN version =6.5.0, =2.0.0, =2.0.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.1.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.1.18 and more Source cves: CVE-2026-22746 Source advisory: OSV:GHSA-VXF7-QJ7Q-83FH...

au.csiro.pathling:fhir-server (>=5.3.1 <=6.4.2), au.org.consumerdatastandards:data-holder (>=2.3.0 <=2.4.1) +2123 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=5.7.0 <=5.7.2)

org.springframework.security:spring-security-core MAVEN version =5.7.0, =5.3.1, =2.3.0, =2.4.1 - au.org.consumerdatastandards:mock-data-holder-java =2.6.0 - be.jidoka:jdk-keycloak-admin =1.3.0 - br.com.m4rc310:br-com-m4rc310-graphql =1.0.1 - br.com.m4rc310:br-com-m4rc310-libs =1.0.1 -...

be.jidoka:jdk-keycloak-admin (=2.5.0), br.com.consultdg:database-module (>=1.0.1 <=1.0.10) +1147 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=6.4.0 <=6.4.13)

org.springframework.security:spring-security-core MAVEN version =6.4.0, =1.0.1, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22746 Source advisory: OSV:GHSA-VXF7-QJ7Q-83FH...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +1085 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-core MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

CVE-2026-22746

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

CVE-2026-22746

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

Linux Distros Unpatched Vulnerability : CVE-2022-22746

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.This bug only affec...

CVE-2025-22746

creationtimestamp| type| source ---|---|--- 2025-01-15 16:16:39+00:00| seen| https://bsky.app/profile/cve-notifications.bsky.social/post/3lfs62d7fqq2r 2025-01-15 16:25:01+00:00| seen| https://infosec.exchange/users/cve/statuses/113833299202244513...

CVE-2025-22746 WordPress HireHive Job Plugin plugin <= 2.9.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in zartis HireHive Job Plugin zartis-job-plugin allows Stored XSS.This issue affects HireHive Job Plugin: from n/a through = 2.9.0...

CVE-2025-22746 WordPress HireHive Job Plugin plugin <= 2.9.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in zartis HireHive Job Plugin zartis-job-plugin allows Stored XSS.This issue affects HireHive Job Plugin: from n/a through = 2.9.0...

CVE-2025-22746

CVE-2025-22746: Stored XSS in HireHive Job Plugin (WordPress). Affected: HireHive Job Plugin versions up to 2.9.0. CVSS v3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). Patch status in provided sources is Unpatched; no remediation version details are provided. Monitor for updates.

SUSE CVE-2022-22746

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.This bug only affects Firefox for Windows. Other operating systems are unaffected.. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird...

CVE-2023-22746

CKAN is an open-source DMS data management system for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the .env file...

CVE-2023-22746

CVE-2023-22746 affects CKAN Docker-based deployments where a default, shared secret key is used across multiple instances unless overridden in the container’s .env. The vulnerability allows forging authentication requests between CKAN instances when the default secret key is not customized. Affec...

UBUNTU-CVE-2022-22746

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.This bug only affects Firefox for Windows. Other operating systems are unaffected.. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird...

CVE-2022-22746

A race condition could have allowed bypassing the fullscreen notification which could have lead to a fullscreen window spoof being unnoticed.This bug only affects Firefox for Windows. Other operating systems are unaffected.. This vulnerability affects Firefox ESR 91.5, Firefox 96, and Thunderbird...

CVE-2022-22746

CVE-2022-22746 describes a race condition that could bypass the fullscreen notification, potentially enabling a fullscreen window spoof in Firefox on Windows. The vulnerability affects Firefox ESR &lt; 91.5, Firefox &lt; 96, and Thunderbird