PT-2025-51262

CVE-2025-13832 - Apache HTTP Server Remote Code Execution Vulnerability CVE ID : CVE-2025-13832 Published : Dec. 13, 2025, 11:15 p.m. | 22 minutes ago Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. Severity: 0.0 | NA Visit the link for mo...

CVE-2025-54947

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain...

CVE-2025-53960

When issuing JSON Web Tokens JWT, Apache StreamPark directly uses the user's password as the HMAC signing key e.g., with the HS256 algorithm. An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge...

CVE-2025-58137

Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release...

CVE-2025-58130

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release...

tomcat security update

An update is available for tomcat. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages...

Remote Code Execution (RCE)

apacheairflow is vulnerable to remote code execution. The vulnerability is due to insufficient validation in the /api/v2/dagReports API endpoint, which allows an attacker with API access to trigger DAG code execution in the context of the API server when DAG files are present in the deployment...

Denial Of Service (DoS)

org.apache.struts, struts2-core is vulnerable to Denial of Service DoS. The vulnerability is due to a file leak during multipart request processing, which allows an attacker to repeatedly trigger file creation on disk, leading to disk exhaustion and service disruption...

Remote Code Execution (RCE)

org.apache.dubbo:dubbo is vulnerable to Remote Code Execution RCE. The vulnerability is due to insecure deserialization handling in hessian-lite during exception logging, which allows an attacker to execute malicious code through crafted serialized data...

Use Of Hard-coded Cryptographic Key

Apache StreamPark is vulnerable to use of a hard-coded cryptographic key. The vulnerability is due to Apache StreamPark uses an immutable, embedded key for encryption instead of a securely generated or configurable one, allowing attackers who obtain the key through reverse engineering or source...

Uncontrolled Resource Consumption

Apache Commons Configuration is vulnerable to Uncontrolled Resource Consumption. The vulnerability is due to multiple design issues in the configuration loading and processing logic, where loading untrusted configuration files or allowing attacker-controlled usage patterns can trigger excessive C...

Cleartext Password Disclosure

Apache Syncope is vulnerable to Cleartext Password Disclosure. The issue arises from use of a hard-coded default AES key when AES-based password storage is enabled, allowing an attacker with access to the internal database to decrypt and recover user passwords...

SQL Injection

Apache Hive is vulnerable to SQL Injection. The vulnerability is due to improper handling of delete column statistics requests via Thrift APIs, which allows an authorized attacker to inject malicious SQL queries and manipulate backend database operations...

Remote Code Execution (RCE)

Apache DolphinScheduler is vulnerable to Remote Code Execution RCE. The vulnerability is due to insufficient validation of user input in alert scripts, which allows an attacker to execute arbitrary shell scripts on the server...

Security Bulletin: Vulnerabilities in Apache Kafka Client affects IBM watsonx Orchestrate with watsonx Assistant Cartridge

Summary Summary: Potential vulnerability in Apache Kafka Client has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2025-27817...

EUVD-2025-203092

Apache StreamPark: Use the user’s password as the secret key Vulnerability...

GHSA-3HG2-RH4R-8QF6 Apache StreamPark: Use the user’s password as the secret key Vulnerability

When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leadi...

Apache StreamPark: Use the user’s password as the secret key Vulnerability

When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leadi...

CVE-2025-53960

When issuing JSON Web Tokens JWT, Apache StreamPark directly uses the user's password as the HMAC signing key e.g., with the HS256 algorithm. An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge...

GHSA-749J-2HP6-8CXM Apache StreamPark uses a Weak Encryption Algorithm

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...