Lucene search

90 matches found

RedhatCVE
added 2 days ago | 5 views

CVE-2026-41000

A flaw was found in Spring Web Services. The security interceptor in the affected component did not properly integrate replay cache mechanisms. This vulnerability could allow a remote attacker to bypass replay protections for security tokens, such as UsernameToken nonces and SAML one-time-use...

CVSS 3.7 | AI score 5.8 | EPSS 0.00223
Exploits 0 | References 4
IBM Security Bulletins
added 2026/06/15 7:15 p.m. | 8 views

Security Bulletin: IBM Sterling Connect:Direct Web Services is Affected by Multiple Vulnerabilities.

Summary spring-boot-3.5.13.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-40973, CVE-2026-40975, CVE-2026-40977. Vulnerability Details CVEID:CVE-2026-40973 DESCRIPTION: A local attacker on the same host as the application may be able to take control of the directory used by...

CVSS 7.5 | AI score 5.5 | EPSS 0.00211
Exploits 0 | Affected Software 1
NVD
added 2026/06/11 7:16 a.m. | 12 views

CVE-2026-40994

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

CVSS 8.2 | EPSS 0.00229
Exploits 0 | References 1
CVE
added 2026/06/11 5:4 a.m. | 21 views

CVE-2026-41000

The CVE-2026-41000 issue affects Spring Web Services where Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. This undermines protections against replay of UsernameToken nonces and creation timestamps, as well as Time...

CVSS 3.7 | AI score 5.5 | EPSS 0.00223
Exploits 0 | References 1
EUVD
added 2026/06/11 5:4 a.m. | 9 views

EUVD-2026-36206

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag...

CVSS 4.8 | AI score 5.4 | EPSS 0.00129
Exploits 0 | References 1
Snyk
added 2026/06/10 12:0 a.m. | 6 views

Insecure Defaults

Overview Affected versions of this package are vulnerable to Insecure Defaults due to the Wss4jSecurityInterceptor class in Wss4jSecurityInterceptor.java initializing its bspCompliant flag to false, so inbound validation always calls RequestData.setDisableBSPEnforcement(true) and disables WSS4J's...

CVSS 8.8 | AI score 5.4 | EPSS 0.00229
Exploits 0 | References 2
Spring Security Advisories
added 2026/06/10 12:0 a.m. | 6 views

Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData, contradicting the intended secure default and published setter contract. Services that validate WS-Security on the network could...

CVSS 8.2 | AI score 5.9 | EPSS 0.00229
Exploits 0 | References 1 | Affected Software 1
IBM Security Bulletins
added 2026/06/08 7:3 p.m. | 10 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a remote code execution vulnerability (CVE-2026-9319)

Summary IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is affected by a remote code execution vulnerability when using JAX-WS endpoints with WS-Security. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...

CVSS 9 | AI score 6.3 | EPSS 0.00441
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2026/06/08 7:2 p.m. | 9 views

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a remote code execution vulnerability (CVE-2026-9319)

Summary IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a remote code execution vulnerability when using JAX-WS endpoints with WS-Security. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...

CVSS 9 | AI score 6.3 | EPSS 0.00441
Exploits 0 | Affected Software 1
EUVD
added 2026/06/01 5:59 p.m. | 10 views

EUVD-2026-33737

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

CVSS 9 | AI score 6.5 | EPSS 0.00441
Exploits 0 | References 1
Cvelist
added 2026/06/01 5:59 p.m. | 68 views

CVE-2026-9319 IBM WebSphere Application Server is affected by a remote code execution vulnerability

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...

CVSS 9 | EPSS 0.00441
Exploits 0 | References 1
CNNVD
added 2026/06/01 12:0 a.m. | 7 views

IBM WebSphere Application Server Code Issue Vulnerability

IBM WebSphere Application Server is an application server product developed by IBM. It serves as a platform for JavaEE and web services applications and forms the foundation of the IBM WebSphere software suite. Versions 9.0 and 8.5 of IBM WebSphere Application Server contained code vulnerabilitie...

CVSS 9 | AI score 5.9 | EPSS 0.00441
Exploits 0 | References 1
EUVD
added 2026/03/20 2:24 a.m. | 5 views

EUVD-2026-13486

Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware component: REST WebServices and Oracle Web Services Manager product of Oracle Fusion Middleware component: Web Services Security. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable...

CVSS 9.8 | AI score 5.8 | EPSS 0.01008
Exploits 1 | References 1
EUVD
added 2025/10/07 12:30 a.m. | 6 views

EUVD-2020-23250

Malware in sbrugna...

CVSS 5.9 | AI score 6 | EPSS 0.00752
Exploits 1 | References 4
EUVD
added 2025/10/07 12:30 a.m. | 8 views

EUVD-2008-2545

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01639
Exploits 0 | References 7
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2011-1384

Malware in sbrugna...

CVSS 10 | AI score 9.2 | EPSS 0.02404
Exploits 0 | References 7
EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2008-4659

Malware in sbrugna...

CVSS 6.8 | AI score 6.4 | EPSS 0.01566
Exploits 1 | References 8
EUVD
added 2025/10/07 12:30 a.m. | 5 views

EUVD-2010-0812

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.02213
Exploits 0 | References 4
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2008-5391

Malware in sbrugna...

CVSS 10 | AI score 6.4 | EPSS 0.02266
Exploits 0 | References 7
EUVD
added 2025/10/07 12:30 a.m. | 5 views

EUVD-2009-0888

Malware in sbrugna...

CVSS 5.5 | AI score 6.3 | EPSS 0.01764
Exploits 0 | References 7