
2000 matches found

RedhatCVE
added 2026/06/05 7:49 p.m. | 13 views

CVE-2026-50076

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

CVSS 9.1 | AI score 5.5 | EPSS 0.0052
Exploits: 0 | References: 1
RedhatCVE
added 2026/06/05 7:10 p.m. | 7 views

CVE-2026-35568

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local, o...

CVSS 7.6 | AI score 5.4 | EPSS 0.00136
Exploits: 0 | References: 1
ATTACKERKB
added 2026/06/04 4:9 p.m. | 4 views

CVE-2026-50076

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

CVSS 9.1 | AI score 5.8 | EPSS 0.0052
Exploits: 0 | References: 2
Positive Technologies
added 2026/06/04 12:0 a.m. | 15 views

PT-2026-46269

Name of the Vulnerable Software and Affected Versions: Apache Fory fory-core versions prior to 1.1.0. Description: Deserialization of untrusted data in the Java replace-resolve path on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks. B...

CVSS 9.1 | AI score 5.5 | EPSS 0.0052
Exploits: 0 | References: 8
IBM Security Bulletins
added 2026/06/02 4:22 p.m. | 27 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to April 2026 CPU

Summary: There are multiple vulnerabilities in IBM SDK Java Technology Edition, used by WebSphere Service Registry and Repository. These issues were disclosed as part of the IBM Java SDK updates in April 2026. These issues are also addressed by WebSphere Application Server shipped with WebSphere...

CVSS 7.5 | AI score 7.2 | EPSS 0.00358
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2026/05/22 3:39 p.m. | 7 views

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to IBM Java SDK

Summary: There are multiple vulnerabilities in IBM Java SDK, Java Technology Edition used by IBM App Connect Enterprise and IBM Integration Bus for z/OS. Vulnerability Details: CVEID: CVE-2026-22016 DESCRIPTION: Easily exploitable vulnerability allows unauthenticated attacker with network access vi...

CVSS 7.5 | AI score 7.2 | EPSS 0.00358
Exploits: 0 | Affected Software: 2
vulnersOsv
added 2026/05/19 3:47 p.m. | 3 views

io.debezium:debezium-platform-conductor (>=3.5.0.CR1 <=3.6.0.Beta1), io.jenkins.plugins:jobcacher-oras-storage (>=8.vc4686b_899f53 <=144.vb_727c9b_7d229) +9 more potentially affected by unknown CVE via land.oras:oras-java-sdk (>=0.2.0 <=0.6.1)

land.oras:oras-java-sdk MAVEN version =0.2.0, =3.5.0.CR1, =8.vc4686b899f53, =0.2.0-4.vc50576b371f6, =7.v5b3e89ff2fca, =8.v5d229eba22c5, =5.v2bc0b458b8b2, =0.0.1, =0.0.1, =0.2.0, =0.2.0, =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: OSV:GHSA-XM96-GFJX-JCRC...

AI score 5.5
Exploits: 0
Cvelist
added 2026/05/12 4:58 p.m. | 35 views

CVE-2026-33117 Azure SDK for Java Security Feature Bypass Vulnerability

...

CVSS 9.1 | EPSS 0.00479
Exploits: 0 | References: 1
OSV
added 2026/05/11 5:40 a.m. | 4 views

BIT-HYPERLEDGER-FABRIC-ORDERER-2026-41586 ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without...

CVSS 9.3 | AI score 5.8 | EPSS 0.0041
Exploits: 0 | References: 3
NVD
added 2026/05/05 4:16 p.m. | 8 views

CVE-2026-7411

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an...

CVSS 10 | EPSS 0.03678
Exploits: 1 | References: 2
Vulnrichment
added 2026/05/05 2:15 p.m. | 4 views

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

CVSS 8.6 | AI score 6.1 | EPSS 0.00516
Exploits: 0 | References: 2
IBM Security Bulletins
added 2026/05/04 2:25 p.m. | 4 views

Security Bulletin: Vulnerability in Apache Avro Java SDK affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary: Potential vulnerability in Apache Avro Java SDK has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information...

CVSS 7.3 | AI score 7.1 | EPSS 0.00602
Exploits: 0 | Affected Software: 2
vulnersOsv
added 2026/04/17 6:31 p.m. | 3 views

ai.rev.speechtotext:revai-java-sdk-speechtotext (>=1.0.0 <=1.4.0), ai.rev:revai-java-sdk (>=2.1.0 <=2.5.0) +13 more potentially affected by CVE-2026-3505 via org.bouncycastle:bcpg-jdk15 (>=1.45 <=1.46)

org.bouncycastle:bcpg-jdk15 MAVEN version =1.45, =1.0.0, =2.1.0, =1.0.Alpha1, =0.0.1, =1.2-2, =1.3-2, =1.2-2, =1.2-2, =0.0.2, =1.0, =1.1 Source cves: CVE-2026-3505 Source advisory: OSV:GHSA-CJ8J-37RH-8475...

CVSS 8.7 | AI score 5.8 | EPSS 0.00413
Exploits: 0
RedHat Linux
added 2026/04/14 5:18 p.m. | 7 views

org.apache.avro/avro: Apache Avro Java SDK: Code injection on Java generated code

A code injection flaw has been discovered in Apache Avro. This vulnerability manifests when generating specific records from untrusted Avro schemas...

CVSS 7.3 | AI score 5.8 | EPSS 0.00602
Exploits: 0 | References: 8
IBM Security Bulletins
added 2026/04/13 10:36 p.m. | 6 views

Security Bulletin: IBM i is Affected by Security Control Bypass and Uncontrolled Resource Consumption Vulnerabilities in IBM Java SDK and IBM Java Runtime [CVE-2026-21925, CVE-2026-21933, CVE-2026-21932, CVE-2026-21945]

Summary: IBM SDK Java Technology Edition and IBM Runtime Environment Java used by IBM i to support the building and running of Java applications are vulnerable to denial-of-service (CVE-2026-21945) and bypassing security controls to read and change data (CVE-2026-21932, CVE-2026-21933, CVE-2026-21925)...

CVSS 7.5 | AI score 6.4 | EPSS 0.00547
Exploits: 1 | Affected Software: 5
IBM Security Bulletins
added 2026/04/09 4:36 p.m. | 7 views

Security Bulletin: IBM Operations Analytics – Log Analysis is affected by a security feature bypass due to Azure SDK for Java

Summary: Azure SDK for Java is used by IBM Operations Analytics – Log Analysis as part of secure, asynchronous messaging and event streaming over AMQP (Advanced Message Queuing Protocol). CVE-2020-16971. Vulnerability Details: CVEID: CVE-2020-16971 DESCRIPTION: Azure SDK for Java Security Feature Bypa...

CVSS 9.1 | AI score 7.1 | EPSS 0.0359
Exploits: 0 | Affected Software: 1
Positive Technologies
added 2026/04/07 12:0 a.m. | 4 views

PT-2026-31030

Name of the Vulnerable Software and Affected Versions: MCP Java SDK versions prior to 1.0.0. Description: The MCP Java SDK contains a DNS rebinding vulnerability. This allows an attacker to access a locally or network-private MCP server via a victim's browser. An attacker can then make any tool call...

CVSS 7.6 | AI score 5.8 | EPSS 0.00136
Exploits: 0 | References: 6
CNNVD
added 2026/04/07 12:0 a.m. | 4 views

MCP Java SDK Access Control Error Vulnerability

The MCP Java SDK is an open-source standard protocol SDK developed by Model Context Protocol, designed for integrating AI models and tools with Java applications. Versions of the MCP Java SDK prior to 1.0.0 contained an access control vulnerability, which originated from a DNS rebinding...

CVSS 7.6 | AI score 6.1 | EPSS 0.00136
Exploits: 0 | References: 2
RedhatCVE
added 2026/04/01 5:3 p.m. | 5 views

CVE-2026-34237

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1...

CVSS 6.1 | AI score 7.3 | EPSS 0.00222
Exploits: 0 | References: 1
Vulnrichment
added 2026/03/31 3:40 p.m. | 4 views

CVE-2026-34237 MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1...

CVSS 6.1 | AI score 7.3 | EPSS 0.00222
Exploits: 0 | References: 3