EUVD-2025-15999

Malicious code in bioql PyPI...

EUVD-2022-4886

Malicious code in bioql PyPI...

EUVD-2022-5219

Malicious code in bioql PyPI...

A Bootiful Podcast: Dr. Kris De Volder on developer tooling for Spring developers and AI

Hi, Spring fans! In this installment we talk to Spring tooling legend Dr. Kris De Volder on tooling, AI, and so much more...

SUSE CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

GHSA-25QH-J22F-PWP8 QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment...

ai.acolite:openai-agent-sdk (>=0.1.0 <=0.4.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +23062 more potentially affected by CVE-2025-11226 via ch.qos.logback:logback-core (>=1.4.0 <=1.5.18)

ch.qos.logback:logback-core MAVEN version =1.4.0, =0.1.0, =0.1.0, =0.2.0, =0.114.0, =0.103.0, =0.114.0, =0.2.0, =0.8.0, =0.9.0 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 -...

QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment...

CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

External Initialization of Trusted Variables or Data Stores

Overview ch.qos.logback:logback-core is a logback-core module. Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are...

CVE-2025-11226

CVE-2025-11226: ACE vulnerability in QOS.CH logback-core up to 1.5.18 allows arbitrary code execution if an attacker can alter a logback configuration or inject a config via environment variable. Attack requires Janino and Spring Framework on the classpath and write access to a config file (or a ...

CVE-2025-11226 Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

CVE-2025-11226 Conditional processing of logback.xml configuration file, in conjuction with Spring Framework and Janino

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...

QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vulnerability allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting a malicious environment...

PT-2025-40064

Name of the Vulnerable Software and Affected Versions logback-core versions up to and including 1.5.18 Description A flaw exists in the conditional configuration file processing within logback-core, potentially allowing an attacker to execute arbitrary code. This is possible by compromising an...

Security Bulletin: Vulnerabilities in Spring Cloud Gateway Server, Bouncy Castle, Reactor Netty HTTP Server, NPM and Apache Commons might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring Cloud Gateway Server, Bouncy Castle, Reactor Netty HTTP Server, NPM and Apache Commons. Vulnerabilities include forwarded headers from untrusted proxies, opening up a possibility of DNS poisoning,...

Security Bulletin: IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to Spring Web Unsafe Deserialization [CVE-2016-1000027]

Summary There is a vulnerability called potential remote code execution RCE in the Spring Web open source library used by IBM OpenPages for IBM Cloud Pak for Data. This vulnerability has been addressed. CVE-2016-1000027 Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivotal Spring...

This Week in Spring: September 30th, 2025

Hi, Spring fans! As I write this I am about to board a flight for Colorado for the amazing Dev2Next conference! I'll be in Antwerp, Beglium for the amazing Devoxx event next week, and I'll be speaking at the Amsterdam JUG with James Ward on the Thursday after that, too! If you're around, be sure ...

Securing MCP Servers with Spring AI

Model Context Protocol, or MCP for short, has taken over the AI world. If you've been following our blog, you've probably read the introduction to the topic, Connect Your AI to Everything: Spring AI's MCP Boot Starters. The security aspects of MCP have been evolving fast, and the latest version o...