29 matches found
CVE-2026-44598
A flaw was found in Apache Shiro, specifically within the shiro-jakarta-ee integration module. A remote attacker with valid login credentials could exploit this vulnerability by forging the shiroSavedRequest cookie. This unvalidated cookie can be manipulated to send an HTTP GET request from the...
Linux Distros Unpatched Vulnerability : CVE-2026-44598
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue...
cloud.opencode.base:opencode-base-token (=1.0.0), com.flowlogix.depchain:shiro-jakarta (>=18 <=119) +22 more potentially affected by CVE-2026-44598 via org.apache.shiro:shiro-jakarta-ee (>=2.0.0-alpha-1 <=2.1.0)
org.apache.shiro:shiro-jakarta-ee MAVEN version =2.0.0-alpha-1, =18, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =0.82.10, =0.82.10, =4.7.0, =3.10.0, =3.10.0, =3.10.0, =4.5.0, =4.20.0 and more Source cves: CVE-2026-44598 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-17115416...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect in handling shiroSavedRequest cookies, which use unprotected/unencrypted values for SAVEDREQUESTKEY. An authenticated user can cause the server to make blind HTTP GET requests to arbitrary URLs or redirect users to untrust...
cloud.opencode.base:opencode-base-token (=1.0.0), com.flowlogix.depchain:shiro-jakarta (>=18 <=121) +22 more potentially affected by CVE-2026-48589 via org.apache.shiro:shiro-jakarta-ee (>=2.0.0-alpha-1 <=2.2.0)
org.apache.shiro:shiro-jakarta-ee MAVEN version =2.0.0-alpha-1, =18, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =0.82.10, =0.82.10, =4.7.0, =3.10.0, =3.10.0, =3.10.0, =4.5.0, =4.20.0 and more Source cves: CVE-2026-48589 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-17115412...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect due to insufficient validation of the Referer header in saveRequestReferer. An authenticated user can redirect users to arbitrary external sites by supplying a malicious Referer value during authentication. Remediation...
CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
CVE-2026-44598
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-44598
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
UBUNTU-CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
CVE-2026-48589
Apache Shiro (Jakarta EE module) is affected by CVE-2026-48589 due to insufficient validation of the HTTP Referer header, enabling an attacker to influence the post-login redirect target. Affected are Shiro 2.0-alpha through 2.2.0, and 3.0.0-alpha-1, specifically when using the shiro-jakarta-ee i...
CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
CVE-2026-48589 Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
EUVD-2026-31738
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
CVE-2026-48589
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...
CVE-2026-44598
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-44598 Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-44598 Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...
CVE-2026-44598
Apache Shiro Jakarta EE module contains an open redirect and SSRF vulnerability (CVE-2026-44598) that affects Shiro 2.0-alpha through 2.1.0 and 3.0.0-alpha-1 when using the shiro-jakarta-ee integration. After login, the shiroSavedRequest cookie can be forged and used to redirect the server to an ...