56241 matches found
CVE-2026-9319
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...
GHSA-XXWJ-CPV6-F4HC vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
GHSA-QJHJ-JG8G-7M6H vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
GHSA-G75F-42VW-M3XV vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
GHSA-32VR-5HXF-X93F vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
GHSA-CPW4-RFMM-H598 vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
CVE-2008-5348 vulnerabilities
Vulnerabilities for packages: openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
GHSA-9GRW-5H83-65P3 vulnerabilities
Vulnerabilities for packages: openjdk, openjdk-8-openj9, openjdk-11-openj9, openjdk-21-openj9, openjdk-25-openj9, openjdk-17-openj9, openjdk-26-openj9...
CVE-2026-6009
Java deserialisation vulnerability in Jaspersoft Reports Library leads to remote code execution (RCE), potentially allowing code execution on the affected system...
CVE-2026-35229
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability...
CVE-2026-35568
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local, o...
MINI-JVM4-4MHJ-MJM6
Bulletin has no description...
Lost in Migration: Exposing Android Framework Vulnerabilities in Parallel Java-Kotlin Implementations
Android has adopted Kotlin alongside Java across apps and core system components. During this shift, we observe parallel implementations in the Android Open Source Project (AOSP) where the same component is implemented in both Java and Kotlin. In principle, their functional purposes are identical. ...
EUVD-2026-31998
epa4all-client: Unauthenticated REST API for Patient Record Writes...
CVE-2026-41207 netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures
The netty incubator codec.bhttp is a Java-language binary HTTP parser. Prior to version 0.0.21.Final, HKDFexpand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a...
MINI-JVM8-C8V6-W3W4
Bulletin has no description...
CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...
CVE-2026-50076
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...
SUSE CVE-2026-45682
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running...
SUSE CVE-2026-45683
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at kerne...