Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@asyncapi/server-api (>=0.16.0 <=0.16.23) potentially affected by unknown CVE via @asyncapi/java-spring-template (=1.6.0)

@asyncapi/java-spring-template NPM version =1.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/java-spring-template and may be impacted: - @asyncapi/server-api =0.16.0, =0.16.23 Source cves: unknown CVE Source advisory:...

Use of Hard-coded Cryptographic Key

Overview Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the password encryption process. An attacker can recover original cleartext password values by accessing the internal database content, as the encryption key is hard-coded and publicly known. Note:...

org.apache.syncope.core.am:syncope-core-am-logic (>=4.0.0 <=4.0.2), org.apache.syncope.core.am:syncope-core-am-rest-cxf (>=4.0.0 <=4.0.2) +33 more potentially affected by CVE-2025-65998 via org.apache.syncope.core:syncope-core-spring (>=4.0.0-M0 <=4.0.2)

org.apache.syncope.core:syncope-core-spring MAVEN version =4.0.0-M0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.2 and more Source cves: CVE-2025-65998 Source advisory: SNYK:JA...

org.apache.syncope.core.am:syncope-core-am-logic (>=3.0.0 <=3.0.14), org.apache.syncope.core.am:syncope-core-am-rest-cxf (>=3.0.0 <=3.0.14) +30 more potentially affected by CVE-2025-65998 via org.apache.syncope.core:syncope-core-spring (>=3.0.0-M0 <=3.0.14)

org.apache.syncope.core:syncope-core-spring MAVEN version =3.0.0-M0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.14 and more Source cves: CVE-2025-65998https://vulners.com/c...

@asyncapi/server-api (>=0.16.0 <=0.16.23) potentially affected by unknown CVE via @asyncapi/java-spring-cloud-stream-template (=0.13.4)

@asyncapi/java-spring-cloud-stream-template NPM version =0.13.4 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/java-spring-cloud-stream-template and may be impacted: - @asyncapi/server-api =0.16.0, =0.16.23 Source cves: unknown CVE Source...

EUVD-2025-198738

Malicious code in @asyncapi/java-spring-cloud-stream-template npm...

EUVD-2025-198770

Malicious code in @asyncapi/java-spring-template npm...

@asyncapi/server-api (>=0.16.0 <=0.16.23) potentially affected by unknown CVE via @asyncapi/java-spring-template (=1.6.0)

@asyncapi/java-spring-template NPM version =1.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on @asyncapi/java-spring-template and may be impacted: - @asyncapi/server-api =0.16.0, =0.16.23 Source cves: unknown CVE Source advisory: OSV:MAL-2025-190716...

Spring Framework 5.3.x < 5.3.46 / 6.1.x < 6.1.24 / 6.2.x < 6.2.12 STOMP CSRF (CVE-2025-41254)

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.46, 6.1.x prior to 6.1.24, or 6.2.x prior to 6.2.12. It is, therefore, affected by a STOMP CSRF vulnerability: - STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to...

A Bootiful Podcast: The legendary Sébastien Deleuze on all that's new and nice in Spring Framework 7

Hi, Spring fans! Happy Spring Boot 4.0 release day! Make sure to get the bits on the Spring Initializr you know - start.spring.io! This release is packed with new features, a lot of which comes from Spring Framework 7. To help break it down for us this week, we’re joined by none other than the...

ysoserial

ysoserial !GitHub releasehttps://img.shields.io/github/do...

Security Bulletin: IBM OpenPages fixes multiple Spring vulnerabilities

Summary Multiple vulnerabilities on Spring library with have been addressed in the latest IBM OpenPages fixpack for 9.0 and 9.1 Vulnerability Details CVEID:CVE-2025-41249 DESCRIPTION: The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type...

Security Bulletin: Logback-Core ≤1.5.18 Conditional Config Processing Flaw Enables ACE via Malicious Config or Env Variable

Summary ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before...

This Week in Spring - November 18th, 2025

This Week in Spring - November 18th, 2025 Hi, Spring fans! I'm thrilled to be in New York City for an exciting week of joint presentations on Spring AI + Bedrock and Spring Boot with the legendary James Ward. First up: we'll present a workshop at the AI Native Dev Conf today, then speak at the...

OpenTelemetry with Spring Boot

This is a new blog post in the Road to GA series, and this time we're taking a look at OpenTelemetry with Spring Boot. Introduction In modern cloud native architectures, observability is no longer optional; it is a fundamental requirement. You want to understand what your application is doing via...

io.github.wwwlike:vlife-boot-starter-web (>=1.0.4 <=1.0.7), io.github.wwwlike:vlife-core (>=1.0.4 <=1.0.7) +2 more potentially affected by CVE-2025-13266 via io.github.wwwlike:vlife-base (>=1.0.4 <=1.0.7)

io.github.wwwlike:vlife-base MAVEN version =1.0.4, =1.0.4, =1.0.4, =1.0.4, =1.0.2, =1.0.7 Source cves: CVE-2025-13266 Source advisory: OSV:GHSA-CG6M-9276-QPJJ...

ch.admin.bit.jeap:jeap-archrepo-docgen (>=2.10.0 <=3.1.1), ch.admin.bit.jeap:jeap-archrepo-importer-openapi (>=1.10.0 <=3.1.1) +8 more potentially affected by CVE-2025-12967 via software.amazon.jdbc:aws-advanced-jdbc-wrapper (>=2.3.7 <=2.5.6)

software.amazon.jdbc:aws-advanced-jdbc-wrapper MAVEN version =2.3.7, =2.10.0, =1.10.0, =1.15.0, =1.10.0, =1.10.0, =1.10.0, =1.10.0, =17.16.0, =2.0.0, =2.0.8 - org.keycloak.tests:keycloak-tests-base =26.6.0 Source cves: CVE-2025-12967 Source advisory: SNYK:JAVA-SOFTWAREAMAZONJDBC-14038281...

Null-safe applications with Spring Boot 4

This is a new blog post in the Road to GA series, this time sharing an update on the status of the null-safety support across the Spring portfolio, as a follow-up of my previous related blog post Null Safety in Spring applications with JSpecify and NullAway and related Spring I/O talk. Are we...

Spring gRPC Next Steps for 1.0.0

This is a new blog post in the Road to GA series, this time updating everyone on the plans to integrate Spring gRPC with Spring Boot 4. The original plan was to move the autoconfiguration from Spring gRPC into Spring Boot in time for the 4.0 release. Unfortunately we haven't been able to find the...