25 matches found

IBM Security Bulletins
added 2026/05/26 5:14 p.m. | 7 views

Security Bulletin: Due to the use of c3p0, IBM webMethods BPM is vulnerable to attack via maliciously crafted Java-serialized objects (CVE-2026-27830)

Summary: IBM webMethods BPM includes the standalone utility which includes the vulnerable component c3p0. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details: CVEID: CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is...

CVSS 8.9 | AI score 6.1 | EPSS 0.00304
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/04/16 1:08 p.m. | 6 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727.

Summary: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727. This bulletin contains information addressing the vulnerability. Vulnerability Details: CVEID: CVE-2026-27727 DESCRIPTION:...

CVSS 9.8 | AI score 6.1 | EPSS 0.00577
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2026/03/30 7:25 a.m. | 7 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727.

Summary: IBM Maximo Application Suite - Monitor Component uses c3p0-0.11.2.jar and mchange-commons-java-0.3.2.jar which are vulnerable to CVE-2026-27830 and CVE-2026-27727. This bulletin contains information addressing the vulnerability. Vulnerability Details: CVEID: CVE-2026-27830 DESCRIPTION: c3p0...

CVSS 9.8 | AI score 6.2 | EPSS 0.00577
Exploits: 1 | Affected Software: 1

Tenable Nessus
added 2026/03/02 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-27830

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several...

CVSS 8.9 | AI score 7.7 | EPSS 0.00304
Exploits: 0 | References: 3

vulnersOsv
added 2026/02/26 3:13 a.m. | 4 views

be.yildiz-games:module-database-pool-c3p0 (=1.0.1), com.codbex.atlas:codbex-atlas-application (>=1.1.0 <=2.97.0) +109 more potentially affected by CVE-2026-27830 via com.mchange:c3p0 (>=0.10.0-pre2 <=0.11.2)

com.mchange:c3p0 MAVEN version =0.10.0-pre2, =1.1.0, =2.55.0, =1.0.5, =1.1.0, =1.1.0, =1.1.0, =0.2.0, =1.1.0, =4.1.2, =3.4.5, =5.0.4, =6.0.3 and more Source cves: CVE-2026-27830 Source advisory: SNYK:JAVA-COMMCHANGE-15353395...

CVSS 8.9 | AI score 7.4 | EPSS 0.00304
Exploits: 0

OSV
added 2026/02/26 1:16 a.m. | 3 views

UBUNTU-CVE-2026-27830

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9 | AI score 7.5 | EPSS 0.00304
Exploits: 0 | References: 7

CVE
added 2026/02/26 12:45 a.m. | 73 views

CVE-2026-27830

CVE-2026-27830 affects the c3p0 JDBC connection pool. Before 0.12.0, the property userOverridesAsString was stored as a hex-encoded serialized object, enabling an attacker to reset it and trigger deserialization that could load code from a remote factoryClassLocation via embedded JNDI references....

CVSS 8.9 | AI score 6.1 | EPSS 0.00304
Exploits: 0 | References: 5

OSV
added 2026/02/26 12:45 a.m. | 5 views

CVE-2026-27830 c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9 | AI score 6.2 | EPSS 0.00304
Exploits: 0 | References: 7

Vulnrichment
added 2026/02/26 12:45 a.m. | 2 views

CVE-2026-27830 c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9 | AI score 7.4 | EPSS 0.00304
Exploits: 0 | References: 5

UbuntuCve
added 2026/02/26 12:00 a.m. | 5 views

CVE-2026-27830

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...

CVSS 8.9 | AI score 6.2 | EPSS 0.00304
Exploits: 0 | References: 6

GitHub Security Blog
added 2026/02/25 6:35 p.m. | 7 views

c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property

Impact: c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to v0.12.0, that property was...

CVSS 8.9 | AI score 6.1 | EPSS 0.00304
Exploits: 0 | References: 7 | Affected Software: 1

Positive Technologies
added 2026/02/25 12:00 a.m. | 7 views

PT-2026-22063

Name of the Vulnerable Software and Affected Versions: c3p0 versions prior to 0.12.0. Description: c3p0, a JDBC Connection pooling library, is susceptible to attack through maliciously crafted Java-serialized objects and javax.naming.Reference instances. Specifically, the userOverridesAsString...

CVSS 9.8 | AI score 6.3 | EPSS 0.00577
Exploits: 1 | References: 23

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-0409

Malware in sbrugna...

CVSS 7.5 | AI score 7 | EPSS 0.04882
Exploits: 1 | References: 16

Tenable Nessus
added 2025/06/18 12:00 a.m. | 8 views

Ubuntu 14.04 LTS : c3p0 vulnerability (USN-7571-1)

The remote Ubuntu 14.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-7571-1 advisory. Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application's XML configuration file could...

CVSS 7.5 | AI score 6.9 | EPSS 0.04882
Exploits: 1 | References: 2

Ubuntu
added 2025/06/16 1:40 p.m. | 4 views

USN-7571-1: c3p0 vulnerability

Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application’s XML configuration file could possibly use this issue to cause a denial of service...

CVSS 7.5 | AI score 7 | EPSS 0.04882
Exploits: 1

OSV
added 2025/06/16 1:40 p.m. | 2 views

USN-7571-1 c3p0 vulnerability

Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application’s XML configuration file could possibly use this issue to cause a denial of service...

CVSS 7.5 | AI score 6.7 | EPSS 0.04882
Exploits: 1 | References: 2

Tenable Nessus
added 2023/10/20 12:00 a.m. | 38 views

Ubuntu 16.04 ESM : c3p0 vulnerability (USN-5293-2)

The remote Ubuntu 16.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-5293-2 advisory. USN-5293-1 fixed a vulnerability in c3p0. This update provides the corresponding update for Ubuntu 16.04 ESM. Tenable has extracted the preceding description bloc...

CVSS 7.5 | AI score 6.9 | EPSS 0.04882
Exploits: 1 | References: 2

Tenable Nessus
added 2022/02/22 12:00 a.m. | 46 views

Ubuntu 18.04 LTS / 20.04 LTS : c3p0 vulnerability (USN-5293-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5293-1 advisory. Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application's XML configuration fi...

CVSS 7.5 | AI score 6.9 | EPSS 0.04882
Exploits: 1 | References: 2

Ubuntu
added 2022/02/21 3:55 p.m. | 148 views

USN-5293-1: c3p0 vulnerability

Aaron Massey discovered that c3p0 could be made to crash when parsing certain input. An attacker able to modify the application's XML configuration file could cause a denial of service...

CVSS 7.5 | AI score 7 | EPSS 0.04882
Exploits: 1

Positive Technologies
added 2019/04/22 12:00 a.m. | 4 views

PT-2019-5029 · Mchange +4 · C3P0 +4

Name of the Vulnerable Software and Affected Versions: c3p0 versions prior to 0.9.5.4 Description: The issue is related to errors in processing XML entities in the ConfigXmlUtils function of the c3p0 library for JDBC drivers. This can be exploited by a remote attacker to cause a denial of service...

CVSS 9.8 | AI score 6.6 | EPSS 0.04882
Exploits: 1 | References: 81