Apache HugeGraph-Server <1.5.0 - Authentication Bypass

Apache HugeGraph-Server versions prior to 1.5.0 contain an authentication bypass vulnerability caused by assumed-immutable data. This flaw allows attackers to bypass authentication mechanisms without requiring specific privileges or user interaction. id: CVE-2024-43441 info: name: Apache...

Apache HugeGraph-Server - Remote Command Execution

Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution RC...

Exploit for Improper Access Control in Apache Hugegraph

CVE-2024-27348: Apache HugeGraph RCE Advanced Sandbox Bypass...

Apache HugeGraph-Server Deserialization Vulnerability

Apache HugeGraph-Server is a server-side process for graph databases from the Apache Foundation. Apache HugeGraph-Server suffers from a deserialization vulnerability that stems from insecure Hessian deserialization in the PD store, which can be exploited by an attacker to cause remote code...

Remote Code Execution (RCE)

org.apache.hugegraph, hg-pd-core is vulnerable to a Remote Code Execution. The vulnerability is due to insecure Hessian deserialization in the Raft cluster membership logic, where a malicious Raft node can send crafted objects that bypass type safety and trigger unsafe deserialization and attacke...

Apache HugeGraph-Server: RAFT and deserialization vulnerability

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...

org.apache.hugegraph:hg-pd-dist (=1.5.0), org.apache.hugegraph:hg-pd-service (=1.5.0) +1 more potentially affected by CVE-2025-26866 via org.apache.hugegraph:hg-pd-core (=1.5.0)

org.apache.hugegraph:hg-pd-core MAVEN version =1.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hugegraph:hg-pd-core and may be impacted: - org.apache.hugegraph:hg-pd-dist =1.5.0 - org.apache.hugegraph:hg-pd-service =1.5.0 -...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via insecure Hessian deserialization in the PD store. An attacker can execute arbitrary code by sending maliciously crafted data from a compromised or rogue Raft node. Details Serialization is a process...

org.apache.hugegraph:hg-pd-dist (=1.5.0), org.apache.hugegraph:hg-pd-service (=1.5.0) +1 more potentially affected by CVE-2025-26866 via org.apache.hugegraph:hg-pd-core (=1.5.0)

org.apache.hugegraph:hg-pd-core MAVEN version =1.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.hugegraph:hg-pd-core and may be impacted: - org.apache.hugegraph:hg-pd-dist =1.5.0 - org.apache.hugegraph:hg-pd-service =1.5.0 -...

CVE-2025-26866 Apache HugeGraph-Server: RAFT and deserialization vulnerability

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...

CVE-2025-26866 Apache HugeGraph-Server: RAFT and deserialization vulnerability

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process...

CVE-2025-26866

CVE-2025-26866 affects Apache HugeGraph-Server (HugeGraph-Server PD store) via insecure Hessian deserialization and RAFT-related manipulation, enabling remote code execution. Multiple sources describe a server-side deserialization vulnerability stemming from Hessian deserialization, with the miti...

Apache HugeGraph-Server 安全漏洞

Apache HugeGraph-Server is a server-side process for graph databases from the Apache Foundation. Apache HugeGraph-Server suffers from a deserialization vulnerability that stems from insecure Hessian deserialization in the PD store, which can be exploited by an attacker to cause remote code...

PT-2025-50223

Name of the Vulnerable Software and Affected Versions Apache HugeGraph-Server versions prior to 1.7.0 Description A remote code execution issue exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict...

EUVD-2024-1128

Malicious code in bioql PyPI...

EUVD-2024-1138

Malicious code in bioql PyPI...

CVE-2024-43441

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue...

📄 Apache HugeGraph Server 1.2.0 Remote Code Execution

Apache HugeGraph Server version 1.2.0 suffers from a remote code execution vulnerability. Exploit Title: Apache HugeGraph 1.2.0 Remote Code Execution Unauthenticated Exploit Author: Yesith Alvarez Vendor Homepage: https://hugegraph.apache.org/docs/download/download/ Version: Apache HugeGraph 1.0....

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution RCE Exploit Author: Yesith Alvarez Vendor Homepage: https://hugegraph.apache.org/docs/download/download/ Version: Apache HugeGraph 1.0.0 - 1.2.0 CVE : CVE-2024–27348 from requests import Request, Session import sys import json d...

CVE-2024-27347

Server-Side Request Forgery SSRF vulnerability in Apache HugeGraph-Hubble.This issue affects Apache HugeGraph-Hubble: from 1.0.0 before 1.3.0. Users are recommended to upgrade to version 1.3.0, which fixes the issue...