CVE-2026-33728 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access ...

CVE-2026-33701

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and...

OpenTelemetry Instrumentation for Java 代码问题漏洞

OpenTelemetry Instrumentation for Java is an open-source Java proxy JAR developed by OpenTelemetry. There were code-related vulnerabilities in versions of OpenTelemetry Instrumentation for Java prior to 2.26.1. These vulnerabilities stemmed from the fact that custom endpoints registered by RMI...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI...

splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...

PT-2026-28514

Name of the Vulnerable Software and Affected Versions dd-trace-java versions 0.40.0 through prior to 1.60.2 Description dd-trace-java is a Datadog APM client for Java. The RMI instrumentation in affected versions registered a custom endpoint that deserialized incoming data without applying...

GHSA-XW7X-H9FJ-P2C7 OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

ROS-20260216-73-0029

A vulnerability in the RMI component of the Oracle Java SE software platform, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition virtual machines is related to an operation exceeding buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely t...

ROS-20260216-73-0030

A vulnerability in the RMI component of the Oracle Java SE software platform, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition virtual machines is related to an operation exceeding buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely t...

ROS-20260216-73-0027

A vulnerability in the RMI component of the Oracle Java SE software platform, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition virtual machines is related to an operation exceeding buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely t...

SUSE-SU-2026:0504-1 Security update for java-1_8_0-openjdk

This update for java-180-openjdk fixes the following issues: - CVE-2026-21925: Fixed a vulnerability in the Oracle Java SE component RMI. bsc1257034 - CVE-2026-21932: Fixed a vulnerability in the Oracle Java SE component AWT and JavaFX. bsc1257036 - CVE-2026-21933: Fixed a vulnerability in the...

Alibaba Cloud Linux 3 : 0034: java-17-openjdk (ALINUX3-SA-2026:0034)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0034 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-64720: LIBPNG is a reference...

Security update for java-1_8_0-openjdk

This update for java-180-openjdk fixes the following issues: CVE-2026-21925: Fixed a vulnerability in the Oracle Java SE component RMI. bsc1257034 CVE-2026-21932: Fixed a vulnerability in the Oracle Java SE component AWT and JavaFX. bsc1257036 CVE-2026-21933: Fixed a vulnerability in the Oracle...

SUSE-SU-2026:0441-1 Security update for java-1_8_0-openjdk

This update for java-180-openjdk fixes the following issues: - CVE-2026-21925: Fixed a vulnerability in the Oracle Java SE component RMI. bsc1257034 - CVE-2026-21932: Fixed a vulnerability in the Oracle Java SE component AWT and JavaFX. bsc1257036 - CVE-2026-21933: Fixed a vulnerability in the...

SUSE SLES15 / openSUSE 15 Security Update : java-1_8_0-ibm (SUSE-SU-2026:0390-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0390-1 advisory. Security fixes: - CVE-2026-21925: Fixed Oracle Java SE component RMI bsc1257034 - CVE-2026-21932: Fixed Oracle Java S...

SUSE-SU-2026:0390-1 Security update for java-1_8_0-ibm

This update for java-180-ibm fixes the following issues: Security fixes: - CVE-2026-21925: Fixed Oracle Java SE component RMI bsc1257034 - CVE-2026-21932: Fixed Oracle Java SE component AWT and JavaFX bsc1257036 - CVE-2026-21933: Fixed Oracle Java SE component Networking bsc1257037 -...