Security Bulletin: Due to use of jackrabbit-spi-commons IBM webMethods BPM is vulnerable to loading privileges using unsecured document build
Summary IBM webMethods BPM is using jackrabbit-spi-commons which is affected by a known vulnerability CVE-2025-53689. This security bulletin provides guidance on addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-58782 DESCRIPTION: Deserialization of Untrusted Data vulnerability i...
Atlassian Confluence 7.13 < 9.2.11 / 9.3.1 < 10.1.0 (CONFSERVER-101827)
The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101827 advisory. - Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit 2.23.2 due to usage of an unsecured document build t...
XXE (XML External Entity Injection) org.apache.jackrabbit:jackrabbit-spi-commons Dependency in Confluence Data Center and Server
This High severity XXE XML External Entity Injection vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H allows an...
Deserialization Of Untrusted Data
Apache Jackrabbit Core and Apache Jackrabbit JCR Commons are vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to the acceptance of untrusted JNDI URIs for JCR lookup, which allows an attacker to inject malicious JNDI references that trigger deserialization of untrusted...
EUVD-2021-2430
Malware in sbrugna...
EUVD-2025-21327
Malicious code in bioql PyPI...
EUVD-2022-3363
Malicious code in bioql PyPI...
EUVD-2025-27118
Malicious code in bioql PyPI...
EUVD-2023-2127
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-58782
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0...
com.adobe.cq.commerce:cq-commerce-hybris-impl (>=5.6.100 <=6.4.4), com.adobe.cq.media:cq-media-publishing-dps-integration (=5.6.16) +119 more potentially affected by CVE-2025-58782 via org.apache.jackrabbit:jackrabbit-core (>=1.2.1 <=2.22.1)
org.apache.jackrabbit:jackrabbit-core MAVEN version =1.2.1, =5.6.100, =2.0.6, =1.0.10, =1.0.8, =2.0.5, =2.0.0, =0.0.1, =2.1.1, =2.5.0, =2.1.1, =2.5.0, =2.1.1, =4.3.5 and more Source cves: CVE-2025-58782 Source advisory: OSV:GHSA-CXVC-G8F2-4GMM...
biz.netcentric.aem.sysenvtools:apply-system-env-install-hook (>=1.2.0 <=1.2.3), biz.netcentric.aem.sysenvtools:system-env-change-listener (>=1.2.0 <=1.2.3) +409 more potentially affected by CVE-2025-58782 via org.apache.jackrabbit:jackrabbit-jcr-commons (>=2.0-beta1 <=2.22.1)
org.apache.jackrabbit:jackrabbit-jcr-commons MAVEN version =2.0-beta1, =1.2.0, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.8.0, =2.0.0, =2.5.0, =2.5.4, =2.5.4, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.4.1 - com.adobe.ac...
be.hobbiton.maven:linux-packaging-maven-plugin (>=1.0.0 <=1.1.2), biz.netcentric.aem.sysenvtools:apply-system-env-install-hook (>=1.2.0 <=1.2.3) +1030 more potentially affected by CVE-2025-58782 via org.apache.jackrabbit:jackrabbit-jcr-commons (>=1.1.1 <=2.22.1)
org.apache.jackrabbit:jackrabbit-jcr-commons MAVEN version =1.1.1, =1.0.0, =1.2.0, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.8.0, =2.0.0, =2.5.0, =2.5.4, =2.5.4, =1.0.0, =1.0.0, =1.0.0, =1.4.0 - biz.netcentric.filevault.validator:aem-...
Deserialization of Untrusted Data
Overview org.apache.jackrabbit:jackrabbit-jcr-commons is a fully conforming implementation of the Content Repository for Java Technology API. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JCR lookup functionality. An attacker can execute arbitrary...
Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
There is a Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup fr...
com.adobe.cq.commerce:cq-commerce-hybris-impl (>=5.6.100 <=6.4.4), com.adobe.cq.media:cq-media-publishing-dps-integration (=5.6.16) +93 more potentially affected by CVE-2025-58782 via org.apache.jackrabbit:jackrabbit-core (>=2.0-beta1 <=2.22.1)
org.apache.jackrabbit:jackrabbit-core MAVEN version =2.0-beta1, =5.6.100, =2.0.6, =1.0.10, =1.0.8, =2.0.5, =2.0.0, =0.0.1, =2.1.1, =2.5.0, =2.1.1, =2.5.0, =2.1.1, =4.3.5 and more Source cves: CVE-2025-58782 Source advisory: SNYK:JAVA-ORGAPACHEJACKRABBIT-12578562...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JCR lookup functionality. An attacker can execute arbitrary code by injecting malicious JNDI references that are deserialized when untrusted JNDI URIs are accepted. JNDI URIs can be...
GHSA-CXVC-G8F2-4GMM Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
There is a Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup fr...
DEBIAN-CVE-2025-58782
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from...
CVE-2025-58782
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from...