Vulnrichment
added 2026/03/10 12:08 p.m., 1 view

CVE-2026-2742 Unauthorized session creation via reserved framework path access

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without ...

CVSS 5.3, AI score 5.8, EPSS 0.00418
Exploits 0, References 7
IBM Security Bulletins
added 2026/03/10 10:14 a.m., 8 views

Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in spring-security-core (CVE-2025-41248)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2025-41248 of spring-security-core-6.4.5.jar. Vulnerability Details CVEID:CVE-2025-41248 DESCRIPTION: The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies...

CVSS 7.5, AI score 5.7, EPSS 0.0009
Exploits 0, Affected Software 1
Vaadin
added 2026/03/10 12:00 a.m., 14 views

Unauthorized Session Creation via Reserved Framework Path Access

An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework...

CVSS 5.3, AI score 5.8, EPSS 0.00418
Exploits 0, References 1, Affected Software 2
Spring Engineering
added 2026/03/10 12:00 a.m., 5 views

This Week in Spring - March 10th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring. As I write this, I am preparing for a trip to Rust, Germany, for one of the best Java conferences in Europe: JavaLand, along with its new companion event, DevLand. It should be fun. Will you be around? If so, say hi. We have ...

AI score 5.8
Exploits 0
Positive Technologies
added 2026/03/10 12:00 a.m., 3 views

PT-2026-24206

Name of the Vulnerable Software and Affected Versions Vaadin versions 14.0.0 through 14.14.0 Vaadin versions 23.0.0 through 23.6.6 Vaadin versions 24.0.0 through 24.9.7 Vaadin versions 25.0.0 through 25.0.1 Description An authentication bypass issue exists in applications using Spring Security...

CVSS 5.3, AI score 5.8, EPSS 0.00418
Exploits 0, References 17
IBM Security Bulletins
added 2026/02/27 5:30 p.m., 8 views

Security Bulletin: Vulnerability assertj-core, spring-security-crypto, werkzeug, urllib, libsodium, jersey-client, log4j, dmidecode-dmidecode, and aide affect IBM Cloud Object Storage Systems (FEB 2026)

Summary Vulnerability with assertj-core-3.27.3 CVE-2026-24400, spring-security-crypto-6.4.4 CVE-2025-22234, werkzeug-3.1.3-py3 CVE-2026-21860, CVE-2025-66221, urllib3-2.5.0-py3 CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, libsodium CVE-2025-69277, jersey-client-2.25.1 CVE-2025-12383, ...

CVSS 9.4, AI score 6.3, EPSS 0.00042
Exploits 0, Affected Software 1
Spring Engineering
added 2026/02/24 12:00 a.m., 5 views

This Week in Spring - February 24th, 2026

Hi, Spring fans! Welcome to another awesome and oh-so-agentic week in Spring! We've got a ton to look into, and I've got even more to prepare for next week's DevNexus event in Atlanta, GA, so let's dive right into it! Be sure to say "hi" if you're going to be there, though! You've heard of Agent...

AI score 5.5
Exploits 0
Spring Engineering
added 2026/02/17 12:00 a.m., 3 views

This Week in Spring - February 17th, 2026

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring! It's Lunar New Year or Chinese New Year for billions of people around the world and to those who celebrate, Happy Chinese/Lunar New Year 新年快乐! Or Happy Spring Festival 春节快乐! My favorite kind of festival! In honor ...

AI score 5.6
Exploits 0
Tenable Nessus
added 2026/02/13 12:00 a.m., 5 views

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.0.1.13)

The version of AOS installed on the remote host is prior to 7.0.1.13. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.0.1.13 advisory. - Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forg...

CVSS 8.6, AI score 6.5, EPSS 0.05222
Exploits 2, References 6
vulnersOsv
added 2026/01/27 9:30 a.m., 3 views

com.foxinmy:easemob4j (>=1.1.0 <=1.1.3), com.foxinmy:umeng4j (>=1.1.0 <=1.1.3) +13 more potentially affected by CVE-2026-24819 via com.foxinmy:weixin4j-base (>=1.0 <=1.9.1)

com.foxinmy:weixin4j-base MAVEN version =1.0, =1.1.0, =1.1.0, =1.9.0, =1.4, =1.0, =1.9.0, =1.4, =1.0, =1.8.0, =1.0.9-RELEASE, =0.0.2, =0.0.3 - org.oxerr:spring-security-wechat-samples-helloworld =0.0.1 Source cves: CVE-2026-24819 Source advisory: SNYK:JAVA-COMFOXINMY-15128702...

CVSS 6.3, AI score 5.8, EPSS 0.00024
Exploits 0
Tenable Nessus
added 2026/01/23 12:00 a.m., 7 views

Oracle Business Intelligence Publisher (January 2026 CPU)

The 7.6.0.0.0 and 8.2.0.0.0 versions of Oracle Business Intelligence Publisher installed on the remote host are affected by a vulnerability as referenced in the January 2026 CPU advisory. - Security-in-Depth issue in the Oracle BI Publisher product of Oracle Analytics component: Development...

CVSS 9.8, AI score 7, EPSS 0.05991
Exploits 1, References 11
vulnersOsv
added 2026/01/22 9:33 p.m., 5 views

be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1374 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.4.4)

org.springframework.security:spring-security-core MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE, =1.12.0,...

CVSS 5.3, AI score 5.8, EPSS 0.00022
Exploits 0
OSV
added 2026/01/22 9:33 p.m., 0 views

GHSA-VQXH-445G-37FC Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 5.3, AI score 7.2, EPSS 0.00022
Exploits 0, References 3
vulnersOsv
added 2026/01/22 9:33 p.m., 4 views

com.almis.awe:awe-annotation (>=4.10.11 <=4.11.2), com.almis.awe:awe-annotations-spring-boot-starter (>=4.10.11 <=4.11.2) +107 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.3.8)

org.springframework.security:spring-security-core MAVEN version =6.3.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - com.almis.awe:awe-annotation =4.10.11, =4.10.11, =4.10.11,...

CVSS 5.3, AI score 5.8, EPSS 0.00022
Exploits 0
Github Security Blog
added 2026/01/22 9:33 p.m., 12 views

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 7.4, AI score 5.5, EPSS 0.00065
Exploits 0, References 3, Affected Software 1
Cvelist
added 2026/01/22 9:02 p.m., 20 views

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 5.3, EPSS 0.00022
Exploits 0, References 1
Vulnrichment
added 2026/01/22 9:02 p.m., 6 views

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 5.3, AI score 5.5, EPSS 0.00022
Exploits 0, References 1
Tenable Nessus
added 2026/01/22 12:00 a.m., 11 views

Oracle WebCenter Sites (January 2026 CPU)

The 12.2.1.4.0 and 14.1.2.0.0 versions of WebCenter Sites installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory. - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware component: Core Apache Log4j. The...

CVSS 7.5, AI score 7.1, EPSS 0.74016
Exploits 20, References 5
CNNVD
added 2026/01/22 12:00 a.m., 2 views

Spring Security security vulnerabilities

Spring Security is a security framework developed by Spring, an open-source project, that includes authentication and authorization features. Spring Security has security vulnerabilities; these vulnerabilities stem from the timing attack mitigation measures in the DaoAuthenticationProvider being...

CVSS 5.3, AI score 5.8, EPSS 0.00022
Exploits 0, References 1
GithubExploit
added 2026/01/20 11:31 a.m., 170 views

security-antipatterns-java

Security Anti-Patterns for Java AI coding agents write insecu...

AI score 6.1
Exploits 0