97 matches found
CVE-2026-9762 IBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc url is under user control
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control...
CVE-2026-9762 IBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc url is under user control
IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to remote code execution when jdbc url is under user control...
Security Bulletin: IBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc url is under user control (CVE-2026-9762)
Summary IBM® Db2® is vulnerable to remote code execution when jdbc url is under user control. Vulnerability Details CVEID:CVE-2026-9762 DESCRIPTION: IBM Data Server Driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc url is under user control. CWE:CWE-94: Improper Control of...
CVE-2026-12787
A vulnerability was found in zhilink 智互联深圳科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has...
EUVD-2026-38151
A vulnerability was found in zhilink 智互联深圳科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argument jdbcUrl results in deserialization. The attack may be performed from remote. The exploit has...
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the processing of JDBC connection URL parameters. An attacker can execute arbitrary code by supplying a crafted connection URL that causes the loading...
CVE-2026-32939
DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase without specifying an explicit Locale, causing its security...
CVE-2025-13268
A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Executing manipulation can lead to injection. The attack can b...
CVE-2025-13268 Dromara dataCompare JDBC URL DbconfigServiceImpl.java DbConfig injection
A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Executing manipulation can lead to injection. The attack can b...
EUVD-2023-1486
Malicious code in bioql PyPI...
EUVD-2024-46058
Malicious code in bioql PyPI...
EUVD-2024-54846
Malicious code in bioql PyPI...
EUVD-2022-3476
Malicious code in bioql PyPI...
EUVD-2024-52643
Malicious code in bioql PyPI...
EUVD-2025-9898
Malicious code in bioql PyPI...
CVE-2025-58748
CVE-2025-58748 affects DataEase up to version 2.10.12, where the H2 data source (H2.java) does not validate that a JDBC URL starts with jdbc:h2 . This enables a crafted configuration to substitute the Amazon Redshift driver and leverage socketFactory/socketFactoryArg to trigger a remote XML resou...
PT-2025-37721
Name of the Vulnerable Software and Affected Versions: Dataease versions prior to 2.10.13 Description: Dataease is an open source data analytics and visualization platform. The H2 data source implementation H2.java lacks validation to ensure that a provided JDBC URL begins with jdbc:h2. This allo...
BIT-NIFI-2023-34468 Apache NiFi: Potential Code Injection with Database Services using H2
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...
CVE-2024-52279
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue...
CVE-2024-52279
CVE-2024-52279 affects Apache Zeppelin (0.11.1 before 0.12.0). The issue is an improper input validation in the JDBC URL handling that did not account for URL-encoded input, enabling an attack via a malicious JDBC connection string and potentially leading to arbitrary file read. The evidence link...