Security Bulletin: IBM webMethods BPM is vulnerable to Out-of-bounds memory operations in org.lz4:lz4-java.

Summary IBM webMethods BPM uses lz4-java which is pulled in automatically as a dependency of webmethods event streaming library. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of...

Apache Avro Java SDK 安全漏洞

The Apache Avro Java SDK is a data processing toolkit developed by the Apache Foundation. Versions of the Apache Avro Java SDK prior to 1.11.4 and 1.12.0 have security vulnerabilities. These vulnerabilities stem from improper control over the generation of specific record schema code from the...

Seroval security vulnerabilities

Seroval is a formatted Java library developed by Alexis H. Munsayac. Versions of Seroval 1.4.0 and earlier contain security vulnerabilities. These vulnerabilities arise from the possibility of exhausting memory or causing denial-of-service attacks when custom RegEx patterns are deserialized...

CVE-2025-69275 Spectrum outdated java library in class-path

Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier...

CVE-2025-69275 Spectrum outdated java library in class-path

Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS.This issue affects DX NetOps Spectrum: 24.3.9 and earlier...

CVE-2025-69275

The CVE describes a dependency on a vulnerable third-party component in Broadcom DX NetOps Spectrum, affecting version 24.3.9 and earlier, on Windows and Linux. The underlying issue is DOM-Based XSS triggered by the vulnerable component in the product’s runtime environment. Impact is limited to t...

ai.pipestream.module:module-chunker (=0.1.1), ai.pipestream.module:module-echo (=0.1.1) +454 more potentially affected by CVE-2025-66560 via io.quarkus.vertx.utils:quarkus-vertx-utils (>=3.28.0.CR1 <=3.30.8)

io.quarkus.vertx.utils:quarkus-vertx-utils MAVEN version =3.28.0.CR1, =0.0.2, =0.1.1, =0.1.1, =0.2.0, =0.2.0, =0.1.1, =0.1.1, =0.1.7, =0.1.9 and more Source cves: CVE-2025-66560 Source advisory: SNYK:JAVA-IOQUARKUSVERTXUTILS-14897052...

ai.stainless:grails-tika (=0.1.0), au.com.turingg:turingg-files (=0.0.1) +488 more potentially affected by CVE-2025-68280 via org.apache.sis.core:sis-metadata (>=0.4 <=1.5)

org.apache.sis.core:sis-metadata MAVEN version =0.4, =1.1.0, =3.6.0, =3.6.1, =3.11.0, =3.19.0 - cloud.testload:jmeter-clickhouse-listener =2.00 and more Source cves: CVE-2025-68280 Source advisory: OSV:GHSA-JQMR-2PG9-VFX7...

Security Bulletin: Rational Performance Tester contains a vulnerability which could lead to potential remote code execution

Summary Due to the use of the Apache Xalan Java XLST library, Rational Performance Tester contains a vulnerability that could lead to potential remote code execution. Vulnerability Details CVEID:CVE-2022-34169 DESCRIPTION: The Apache Xalan Java XSLT library could allow a remote attacker to execut...

ba.sake:hepek-components_2.12 (>=0.7.0 <=0.8.0), ba.sake:hepek-components_2.13 (>=0.7.0 <=0.9.0) +323 more potentially affected by CVE-2026-0858 via net.sourceforge.plantuml:plantuml (>=1.2017.12 <=1.2025.7)

net.sourceforge.plantuml:plantuml MAVEN version =1.2017.12, =0.7.0, =0.7.0, =0.7.0, =0.7.0, =0.7.0, =0.7.0, =0.0.2, =0.0.1, =0.0.59, =0.0.46, =0.0.46, =1.4.0, =2.0.0-M4 and more Source cves: CVE-2026-0858 Source advisory: SNYK:JAVA-NETSOURCEFORGEPLANTUML-14552230...

ai.ylyue:yue-library-data-es (>=j8.2.2.0 <=j11.2.6.2), br.com.simpli:simpli-ws (>=1.2.1 <=2.2.0) +1032 more potentially affected by CVE-2025-68390 via org.elasticsearch:elasticsearch (>=7.0.0-alpha1 <=8.19.7)

org.elasticsearch:elasticsearch MAVEN version =7.0.0-alpha1, =j8.2.2.0, =1.2.1, =0.0.1-alpha, =5.3.0, =5.6.5, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =6.2.0, =6.8.0, =6.4.0, =5.3.0, =5.3.0, =5.3.0, =5.4.0 and more Source cves: CVE-2025-68390 Source advisory: SNYK:JAVA-ORGELASTICSEARCH-14534841...

EUVD-2025-203944

Amazon S3 Encryption Client for Java has a Key Commitment Issue...

EUVD-2025-202630

Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another...

Linux Distros Unpatched Vulnerability : CVE-2025-66566

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java- based decompressor implementations in lz4-java 1.10.0 and...

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted...

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted...

CVE-2025-66566

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is...

africa.absa:inception-application (>=1.0.0 <=1.2.0), app.fmgp:scala-did-docs_3 (>=0.1.0-M16 <=0.1.0-M33) +2471 more potentially affected by CVE-2024-3884 via io.undertow:undertow-core (>=2.0.0.Alpha1 <=2.2.38.Final)

io.undertow:undertow-core MAVEN version =2.0.0.Alpha1, =1.0.0, =0.1.0-M16, =1.0.0, =1.0.1, =1.0.2, =1.0.0, =1.2.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2024-3884 Source advisory: SNYK:JAVA-IOUNDERTOW-15053841...

ch.reportingsoft.birt:birt-runtime-bundle (>=4.19.0 <=4.20.0), cloud.wondrify:coffee-asset-pipeline (>=5.0.10 <=5.1.0-M4) +163 more potentially affected by CVE-2025-66453 via org.mozilla:rhino (=1.8.0)

org.mozilla:rhino MAVEN version =1.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.mozilla:rhino and may be impacted: - ch.reportingsoft.birt:birt-runtime-bundle =4.19.0, =5.0.10, =5.0.10, =5.0.10, =10.2.1, =8.0.0, =8.0.0, =5.0.6, =5.0.6, =5.0....

BIT-ACTIVEMQ-2021-21341 XStream can cause a Denial of Service

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of...