c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

Security Bulletin: Due to the use of c3p0, IBM webMethods BPM is vulnerable to attack via maliciously crafted Java-serialized objects (CVE-2026-27830)

Summary IBM webMethods BPM includes the standalone utility which includes the vulnerable component c3p0. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details CVEID:CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is...

Astra Linux - уязвимость в c3p0

C3P0 versions less than 0.9.5.4 may be exploited by a “billion laughs attack” when loading XML configuration, due to the lack of protections against recursive entity expansion during the loading of configuration files...

c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

RHEL 8 : Red Hat JBoss Enterprise Application Platform 8.1.6 (RHSA-2026:18054)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18054 advisory. Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime. This release ...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727.

Summary IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-27727 DESCRIPTION:...

RCE (Remote Code Execution) at c3p0 dependency in Crucible Server

This High severity RCE Remote Code Execution vulnerability was introduced in version 4.9.0 of Crucible Server. This RCE Remote Code Execution vulnerability, with a CVSS Score of 8.9 and a CVSS Vector of code:java CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H code allows an...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727.

Summary IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-27830 DESCRIPTION: c3p0...

OESA-2026-1691 c3p0 security update

c3p0 is a JDBC driver for extending traditional libraries DriverManager-based libraries with JNDI bindable data sources including data sources, as described in the jdbc3 specification and jdbc2 standard extensions. They implement connections and statement pools. Security Fixes: c3p0 is a JDBC...

c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

Important: Red Hat Security Advisory: Red Hat build of Debezium 3.2.7 release

Red Hat build of Debezium connectors in version 3.2.7 are now available for Red Hat Application Foundations. Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases. Debeziu...

openSUSE 15 Security Update : c3p0 and mchange-commons (SUSE-SU-2026:0855-1)

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0855-1 advisory. c3p0: - Security issues fixed: - CVE-2026-27830: Fixed unsafe object deserialization bsc1258942 - Fix the null pointer exception in the...

openSUSE Security Advisory (SUSE-SU-2026:0855-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security update for c3p0 and mchange-commons

This update for c3p0 and mchange-commons fixes the following issues: c3p0: Security issues fixed: CVE-2026-27830: Fixed unsafe object deserialization bsc1258942 Fix the null pointer exception in the userOverridesAsString method bsc1259313. mchange-commons: Security issues fixed: CVE-2026-27727:...

SUSE-SU-2026:0855-1 Security update for c3p0 and mchange-commons

This update for c3p0 and mchange-commons fixes the following issues: c3p0: - Security issues fixed: - CVE-2026-27830: Fixed unsafe object deserialization bsc1258942 - Fix the null pointer exception in the userOverridesAsString method bsc1259313. mchange-commons: - Security issues fixed: -...

📄 c3p0 Insecure Deserialization

A critical vulnerability in c3p0 prior to version 0.12.0 allows attackers to achieve remote code execution through insecure handling of the userOverridesAsString property in several ConnectionPoolDataSource implementations...

c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14.4 for Spring Boot release.

Red Hat build of Apache Camel 4.14.4 for Spring Boot patch release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

c3p0-0.12.0-1.1 on GA media (moderate)

c3p0-0.12.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10279-1 Rating: moderate Cross-References: CVE-2026-27727 CVSS scores: CVE-2026-27727 SUSE : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-27727 SUSE : 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N...