Lucene search
K

458 matches found

Nuclei
Nuclei
•added 6 days ago•164 views

Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. id: CVE-2016-4437 info: name: Apache Shiro 1.2.4 Cookie RememberME -...

9.8CVSS7.5AI score0.93143EPSS
Exploits9References5
Tenable Nessus
Tenable Nessus
•added 2026/06/28 12:0 a.m.•10 views

Linux Distros Unpatched Vulnerability : CVE-2026-56130

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Remember me cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the...

2CVSS5.8AI score0.00224EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
•added 2026/06/28 12:0 a.m.•5 views

Linux Distros Unpatched Vulnerability : CVE-2026-56091

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This...

8.2CVSS5.8AI score0.00422EPSS
Exploits0References3
NVD
NVD
•added 2026/06/25 9:16 a.m.•11 views

CVE-2026-56130

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

2CVSS0.00224EPSS
Exploits0References2
CVE
CVE
•added 2026/06/25 8:45 a.m.•21 views

CVE-2026-56091

CVE-2026-56091 involves Apache Shiro when used with the shiro-guice module in a web servlet context. A specially crafted HTTP request may cause an authentication bypass. Affected: all Apache Shiro versions through 2.x; 3.0.0-alpha-1 is affected when using shiro-guice in this context. Remediation:...

8.2CVSS5.9AI score0.00422EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/06/25 8:45 a.m.•8 views

CVE-2026-56091

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...

8.2CVSS5.9AI score0.00422EPSS
Exploits0References2Affected Software1
EUVD
EUVD
•added 2026/06/25 8:45 a.m.•12 views

EUVD-2026-39230

When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...

9.8CVSS5.9AI score0.24163EPSS
Exploits1References1
Cvelist
Cvelist
•added 2026/06/25 8:44 a.m.•25 views

CVE-2026-56130 Apache Shiro: Remember-me cookie isn't checked for expiry on the server

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

2CVSS0.00224EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/06/25 8:44 a.m.•6 views

CVE-2026-56130

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

2CVSS5.9AI score0.00224EPSS
Exploits0References2Affected Software1
EUVD
EUVD
•added 2026/06/25 8:44 a.m.•8 views

EUVD-2026-39229

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

2CVSS5.9AI score0.00224EPSS
Exploits0References1
CVE
CVE
•added 2026/06/25 8:44 a.m.•12 views

CVE-2026-56130

The CVE concerns Apache Shiro’s RememberMe functionality: the server does not verify the RememberMe cookie’s age, allowing reuse of a valid cookie beyond its expiration. Affected versions are Apache Shiro 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe is enabled. The underlying impact...

2CVSS5.9AI score0.00224EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
•added 2026/06/20 12:0 a.m.•7 views

Linux Distros Unpatched Vulnerability : CVE-2026-49268

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is...

9.1CVSS6AI score0.00494EPSS
Exploits0References3
Debian CVE
Debian CVE
•added 2026/06/17 1:7 p.m.•6 views

CVE-2026-49268

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

9.1CVSS5.5AI score0.00494EPSS
Exploits0
RedhatCVE
RedhatCVE
•added 2026/06/05 7:45 p.m.•11 views

CVE-2026-48589

A flaw was found in Apache Shiro's Jakarta EE module. Insufficient validation of the HTTP Referer header, a client-controlled value, could allow an attacker to influence the redirect target after a user login. This vulnerability can be exploited to redirect users to malicious sites, potentially...

5.4CVSS5.8AI score0.00352EPSS
Exploits0References4
RedhatCVE
RedhatCVE
•added 2026/06/05 7:40 p.m.•8 views

CVE-2026-43828

A flaw was found in Apache Shiro. Default configurations of Apache Shiro send sensitive cookies, such as JSESSIONID and rememberMe, in HTTPS sessions without the 'Secure' attribute. This oversight could allow a remote attacker to intercept these cookies, potentially leading to information...

6.5CVSS5.8AI score0.00272EPSS
Exploits0References4
RedhatCVE
RedhatCVE
•added 2026/06/05 7:40 p.m.•10 views

CVE-2026-43827

A flaw was found in Apache Shiro. This vulnerability, known as session fixation, allows an attacker to hijack a user's session. This occurs because the system fails to invalidate an existing session or generate a new session identifier after a user successfully logs in. Consequently, a remote...

7.1CVSS5.8AI score0.00412EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
•added 2026/05/27 12:0 a.m.•17 views

Linux Distros Unpatched Vulnerability : CVE-2026-44598

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue...

5.4CVSS5.9AI score0.00383EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
•added 2026/05/26 12:0 a.m.•11 views

Linux Distros Unpatched Vulnerability : CVE-2026-43828

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, an...

6.5CVSS5.8AI score0.00272EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
•added 2026/05/26 12:0 a.m.•12 views

Linux Distros Unpatched Vulnerability : CVE-2026-48589

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validati...

5.4CVSS5.8AI score0.00352EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
•added 2026/05/26 12:0 a.m.•14 views

Linux Distros Unpatched Vulnerability : CVE-2026-43827

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are...

6.5CVSS5.8AI score0.00412EPSS
Exploits0References3
Rows per page
Query Builder