944 matches found
Elastic OTel Java 1.10.0 Security Update (ESA-2026-22 / GHSA-xw7x-h9fj-p2c7)
Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component CWE-1395 exists in Elastic OTel Java via a dependency on OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to...
org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability
A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...
org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability
A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...
Incorrect Authorization
Overview @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the feedback invocation process. An attacker can record unauthorized session feedback or trigger feedback reflection by bypassing sender allowlis...
CVE-2026-33728 dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution
dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to 1.60.2, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access ...
CVE-2026-33701
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and...
OpenTelemetry Instrumentation for Java 代码问题漏洞
OpenTelemetry Instrumentation for Java is an open-source Java proxy JAR developed by OpenTelemetry. There were code-related vulnerabilities in versions of OpenTelemetry Instrumentation for Java prior to 2.26.1. These vulnerabilities stemmed from the fact that custom endpoints registered by RMI...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI...
splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...
EUVD-2026-16505
dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution...
PT-2026-28514
Name of the Vulnerable Software and Affected Versions dd-trace-java versions 0.40.0 through prior to 1.60.2 Description dd-trace-java is a Datadog APM client for Java. The RMI instrumentation in affected versions registered a custom endpoint that deserialized incoming data without applying...
GHSA-XW7X-H9FJ-P2C7 OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...
CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...
CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...
CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...
CVE-2026-33335
Vikunja Desktop Electron wrapper risk (CVE-2026-33335). The vulnerability affects Vikunja Desktop prior to 2.2.0, where URLs from window.open() are passed directly to shell.openExternal() without validation or protocol allowlisting. An attacker who can insert a link (e.g., target="_blank" in user...
We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do with Them
AWS Bedrock is Amazon's platform for building AI-powered applications. It gives developers access to foundation models and the tools to connect those models directly to enterprise data and systems. That connectivity is what makes it powerful – but it’s also what makes Bedrock a target. When an AI...
org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability
A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...
org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability
A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...