Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

59972 matches found

OSV
OSVadded 2026/05/25 9:16 p.m.2 views

UBUNTU-CVE-2026-44598

With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...

5.4CVSS5.9AI score0.00119EPSS
Exploits0References5
UbuntuCve
UbuntuCveadded 2026/05/25 9:16 p.m.5 views

CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

5.4CVSS5.8AI score0.00086EPSS
Exploits0References4
UbuntuCve
UbuntuCveadded 2026/05/25 9:16 p.m.5 views

CVE-2026-43827

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

6.5CVSS5.8AI score0.00067EPSS
Exploits0References4
UbuntuCve
UbuntuCveadded 2026/05/25 9:16 p.m.7 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References4
OSV
OSVadded 2026/05/25 9:16 p.m.5 views

UBUNTU-CVE-2026-43827

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

6.5CVSS5.8AI score0.00067EPSS
Exploits0References5
Vulnrichment
Vulnrichmentadded 2026/05/25 8:20 p.m.7 views

CVE-2026-48589 Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

5.8AI score0.00086EPSS
Exploits0References1
CVE
CVEadded 2026/05/25 8:20 p.m.14 views

CVE-2026-48589

Apache Shiro (Jakarta EE module) is affected by CVE-2026-48589 due to insufficient validation of the HTTP Referer header, enabling an attacker to influence the post-login redirect target. Affected are Shiro 2.0-alpha through 2.2.0, and 3.0.0-alpha-1, specifically when using the shiro-jakarta-ee i...

5.4CVSS5.8AI score0.00086EPSS
Exploits0References2Affected Software1
Cvelist
Cvelistadded 2026/05/25 8:20 p.m.20 views

CVE-2026-48589 Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

0.00086EPSS
Exploits0References1
EUVD
EUVDadded 2026/05/25 8:20 p.m.7 views

EUVD-2026-31738

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

5.8AI score0.00086EPSS
Exploits0References1
Debian CVE
Debian CVEadded 2026/05/25 8:20 p.m.7 views

CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

5.4CVSS5.8AI score0.00086EPSS
Exploits0
CVE
CVEadded 2026/05/25 8:19 p.m.19 views

CVE-2026-44598

Apache Shiro Jakarta EE module contains an open redirect and SSRF vulnerability (CVE-2026-44598) that affects Shiro 2.0-alpha through 2.1.0 and 3.0.0-alpha-1 when using the shiro-jakarta-ee integration. After login, the shiroSavedRequest cookie can be forged and used to redirect the server to an ...

5.4CVSS5.9AI score0.00119EPSS
Exploits0References2Affected Software1
EUVD
EUVDadded 2026/05/25 8:19 p.m.5 views

EUVD-2026-31739

With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...

5.1CVSS5.9AI score0.00119EPSS
Exploits0References1
EUVD
EUVDadded 2026/05/25 8:19 p.m.7 views

EUVD-2026-31734

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References1
Debian CVE
Debian CVEadded 2026/05/25 8:19 p.m.7 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

6.5CVSS5.8AI score0.00024EPSS
Exploits0
ATTACKERKB
ATTACKERKBadded 2026/05/25 8:19 p.m.7 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References2Affected Software1
CVE
CVEadded 2026/05/25 8:19 p.m.17 views

CVE-2026-43828

CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/25 8:19 p.m.8 views

CVE-2026-43828 Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/25 8:19 p.m.18 views

CVE-2026-43828 Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS0.00024EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/25 8:19 p.m.17 views

CVE-2026-43827 Apache Shiro: Session fixation: new session is not created after login by default

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

5.9CVSS0.00067EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/25 8:19 p.m.6 views

CVE-2026-43827 Apache Shiro: Session fixation: new session is not created after login by default

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

5.9CVSS5.8AI score0.00067EPSS
Exploits0References1
Rows per page
Query Builder