This Week in Spring - March 17th, 2026

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring , which I'm posting ahead of my keynote at the amazing JavaOne 2026 event here in sunny San Francisco, California! I love Piotr's latest post on using local AI models with LM Studio and Spring AI Did you see the ne...

Spinnaker 代码问题漏洞

Spinnaker is an open-source continuous delivery platform developed by Spinnaker. It is used to release software changes with high speed and confidence. Spinnaker has a code vulnerability that stems from improper handling of underscores when Java URL objects are parsed, which may lead to bypassing...

TIBCO BPM Enterprise 安全漏洞

TIBCO BPM Enterprise is a business process management platform developed by TIBCO Corporation in the United States. This platform enables companies to drive digital transformation by making better decisions and taking faster, more informed actions. Version 4.x of TIBCO BPM Enterprise contains a...

CVE-2026-4284 taoofagi easegen-admin PPT File PPTUtil.java downloadFile server-side request forgery

A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of th...

Security Bulletin: Multiple security vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - January 2026 CPU affects IBM OpenPages

Summary IBM® SDK, Java™ Technology Edition is shipped as a supporting program of IBM OpenPages. Information about a security vulnerability affecting IBM SDK, Java Technology Edition Quarterly CPU - January 2026 has been published in multiple security bulletins. These products have addressed the...

Security Bulletin: Multiple security vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - October 2025 affects IBM OpenPages

Summary IBM® SDK, Java™ Technology Edition is shipped as a supporting program of IBM OpenPages. Information about a security vulnerability affecting IBM SDK, Java Technology Edition Quarterly CPU - Oct 2025 has been published in multiple security bulletins. These products have addressed the...

CVE-2026-4243 La Nacion App app.lanacion.activity BuildConfig.java credentials storage

A weakness has been identified in La Nacion App 10.2.25 on Android. This impacts an unknown function of the file source/app/lanacion/clublanacion/BuildConfig.java of the component app.lanacion.activity. Executing a manipulation of the argument APIKEYWEBSOCKETCV can lead to unprotected storage of...

CVE-2026-4242

CVE-2026-4242 affects the Android version of BabyChakra Pregnancy & Parenting App up to 5.4.3.0. The issue is located in the function of the file app/babychakra/babychakra/Configuration.java (component: app.babychakra.babychakra). Manipulating the SEGMENT_WRITE_KEY argument leads to unprotected s...

CVE-2026-4219

CVE-2026-4219 affects INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to version 1.0.2 on Android. The vulnerability concerns the file com/index/event/BuildConfig.java of the ae.index.apgcs component, where manipulating the arguments ACCESS_KEY and HASH_KEY can reveal hard-code...

PT-2026-25811

🚨 FRESH TOP THREAT ALERT 🚨 Critical RCE in Apache Tomcat March 16, 2026: CVE-2026-89102 – CVSS 9.8! Unauthenticated attackers can send one crafted request to trigger a deserialization flaw and execute arbitrary code on the server. Hits thousands of Java web apps worldwide. Remediation: Upgrade...

CodePhiliaX Chat2DB SQL注入漏洞

CodePhiliaX Chat2DB is an open-source AI-driven SQL client developed by CodePhiliaX. Versions of CodePhiliaX Chat2DB 0.3.7 and earlier contain a SQL injection vulnerability. This vulnerability arises from improper handling of parameters in the functions exportTable, exportTableColumnComment,...

java-1.8.0-openjdk: Fix of 5 CVEs

Upgrade to openjdk-shenandoah-jdk8u-shenandoah-jdk8u482-b08. That fixes following CVEs: - CVE-2025-53057: Security: enforce proper access control in certificate handling to prevent data tampering - CVE-2025-53066: JAXP: restrict data access in Path Factory processing to prevent information...

CLSA-2026-1773506438 java-1.8.0-openjdk: Fix of 5 CVEs

Upgrade to openjdk-shenandoah-jdk8u-shenandoah-jdk8u482-b08. That fixes following CVEs: - CVE-2025-53057: Security: enforce proper access control in certificate handling to prevent data tampering - CVE-2025-53066: JAXP: restrict data access in Path Factory processing to prevent information...

TencentOS Server 4: java-11-konajdk (TSSA-2026:0143)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0143 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-1526 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)

org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...

org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-1527 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)

org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...

Security Bulletin: IBM Security Directory Suite is affected by multiple vulnerabilities (CVE-2025-48976, CVE-2025-36047, CVE-2025-53066, CVE-2025-53057)

Summary IBM Security Directory Suite is affected by WebSphere Liberty vulnerabilities CVE‑2025‑48976, CVE‑2025‑36047 and Java vulnerabilities CVE‑2025‑53066, CVE‑2025‑53057. These vulnerabilities have been addressed with an update. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An...

CVE-2026-3968 AutohomeCorp frostmourne Oracle Nashorn JavaScript ExpressionRule.java scriptEngine.eval code injection

A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of the component Oracle Nashorn JavaScript Engine. Such manipulation of the argument EXPRESSION leads to code injection. The attack can be executed...

CVE-2026-3968

A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of the component Oracle Nashorn JavaScript Engine. Such manipulation of the argument EXPRESSION leads to code injection. The attack can be executed...

OSV-2026-384 Security exception in com.puppycrawl.tools.checkstyle.grammar.java.JavaLanguageParser.expr

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=491529466 Crash type: Security exception Crash state: com.puppycrawl.tools.checkstyle.grammar.java.JavaLanguageParser.expr java.base/java.nio.CharBuffer.wrap java.base/sun.nio.cs.StreamEncoder.implWrite...