Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more information...

cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

An XML External Entity XXE injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM XML is validated, external XML entities can be processed XXE, allowing an attacker to...

CVE-2025-64518 CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library...

CVE-2025-64518 CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library...

CVE-2025-64518

CVE-2025-64518 affects CycloneDX core (Java). From 2.1.0 up to but excluding 11.0.1, the XML Validator in cyclonedx-core-java was insecurely configured, enabling XML External Entity (XXE) injection. The issue is tied to incomplete mitigation that fixed parsing but not validation (GHSA-683x-4444-j...

GHSA-6FHJ-VR9J-G45R CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

Impact The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity XXE injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed parsing of XML BOMs, but not validation. Patches The...

CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

Impact The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity XXE injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed parsing of XML BOMs, but not validation. Patches The...

PT-2025-46213

Name of the Vulnerable Software and Affected Versions CycloneDX versions 2.1.0 through 11.0.1 Description The CycloneDX core module, used for creating, validating, and parsing SBOMs, contains a flaw due to an insecurely configured XML Validator. This allows for XML External Entity XXE injection...

CVE-2024-38374 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...

GHSA-683X-4444-JXH8 Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java

Impact Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The DocumentBuilderFactory used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML Extern...

CVE-2024-38374

creationtimestamp| type| source ---|---|--- 2024-06-24 09:20:38+00:00| published-proof-of-concept| https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8...

PT-2024-27967

Name of the Vulnerable Software and Affected Versions cyclonedx-core-java versions prior to 9.0.4 Description The CycloneDX core module provides a model representation of SBOMs and utilities for creating, validating, and parsing them. Before deserializing CycloneDX Bill of Materials in XML format...