CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/05/27 2:12 a.m.•9 views

CVE-2026-42797

Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related...

Snyk•added 2026/05/25 5:0 p.m.•1 views

Improper Isolation or Compartmentalization

Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the GroovyInterceptor initialization of classes via GroovySandbox. An administrator user with the Implementations entitlement can execute arbitrary code by creating a malicious Groovy class...

8.6CVSS6.3AI score0.0007EPSS

Snyk•added 2026/05/25 4:59 p.m.•1 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in JexlContextBuilder. An administrator user with entitlements for Derived Schemas and User read can access other users' passwordHistory, securityAnswer, token, tokenExpireTime, and cipherAlgorithm values via...

5.1CVSS5.8AI score0.00061EPSS

NVD•added 2026/05/25 4:16 p.m.•14 views

CVE-2026-42797

4.9CVSS0.00061EPSS

NVD•added 2026/05/25 4:16 p.m.•11 views

CVE-2026-42782

7.2CVSS0.0007EPSS

Cvelist•added 2026/05/25 3:0 p.m.•19 views

CVE-2026-42797 Apache Syncope: JexlContextBuilder Information Disclosure

0.00061EPSS

EUVD•added 2026/05/25 3:0 p.m.•7 views

EUVD-2026-31702

5.8AI score0.00061EPSS

CVE•added 2026/05/25 3:0 p.m.•9 views

CVE-2026-42797

CVE-2026-42797 (Apache Syncope) exposes a data-query related information disclosure via a misconfigured JEXL expression. An administrator with entitlements for Derived Schemas can craft a malicious JEXL expression that, if the requester also has User-read privileges, may access security-sensitive...

ATTACKERKB•added 2026/05/25 3:0 p.m.•7 views

CVE-2026-42797

5.8AI score0.00061EPSS

Vulnrichment•added 2026/05/25 3:0 p.m.•8 views

CVE-2026-42797 Apache Syncope: JexlContextBuilder Information Disclosure

5.8AI score0.00061EPSS

Cvelist•added 2026/05/25 2:58 p.m.•17 views

CVE-2026-42782 Apache Syncope: Post-auth RCE via Groovy static

0.0007EPSS

Vulnrichment•added 2026/05/25 2:58 p.m.•5 views

CVE-2026-42782 Apache Syncope: Post-auth RCE via Groovy static

6AI score0.0007EPSS

CVE•added 2026/05/25 2:58 p.m.•15 views

CVE-2026-42782

CVE-2026-42782 affects Apache Syncope 3.0–3.0.16, 4.0–4.0.5, and 4.1.0, caused by improper isolation that lets an administrator with sufficient entitlements load a malicious Groovy class whose static initializer reaches a non-sandboxed execution path. Remediation is to upgrade to 4.0.6 or 4.1.1, ...

7.2CVSS6AI score0.0007EPSS

ATTACKERKB•added 2026/05/25 2:58 p.m.•8 views

CVE-2026-42782

6AI score0.0007EPSS

EUVD•added 2026/05/25 2:58 p.m.•8 views

EUVD-2026-31696

6AI score0.0007EPSS

CNNVD•added 2026/05/25 12:0 a.m.•2 views

Apache Syncope 安全漏洞

Apache Syncope is the United States Apache Apache Foundation's set of open source digital identity management system for use in enterprise environments. The system supports identity management, role configuration, and more. A security vulnerability exists in Apache Syncope versions 3.0 through...

7.2CVSS5.9AI score0.0007EPSS

CNNVD•added 2026/05/25 12:0 a.m.•3 views

Apache Syncope 安全漏洞

Positive Technologies•added 2026/05/25 12:0 a.m.•7 views

Exploits0References3

PT-2026-43079

Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.16 Apache Syncope versions 4.0 through 4.0.5 Apache Syncope version 4.1.0 Description An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL Java Expression Language...