CVE-2026-3505

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcpg. A specially crafted PGP AEAD Authenticated Encryption with Associated Data message with an unbounded chunk size can lead to an excessive consumption of memory. This issue allows an unauthenticated remote attacker to cause memory...

be.ugent.idlab.knows:dataio (>=1.2.0 <=1.3.1), cn.org.expect:modest-build (=1.0.4) +221 more potentially affected by CVE-2026-41245 via com.github.junrar:junrar (>=7.4.0 <=7.5.1)

com.github.junrar:junrar MAVEN version =7.4.0, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1, =2.7.0, =2.7.2, =2.1, =3.5.3, =3.5.11 and more Source cves: CVE-2026-41245 Source advisory: SNYK:JAVA-COMGITHUBJUNRAR-16115493...

GHSA-C3FC-8QFF-9HWX Bouncy Castle has an LDAP injection

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84...

GHSA-CJ8J-37RH-8475 Bouncy Castle Uncontrolled Resource Consumption vulnerability

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This issue affects BC-JAVA before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion...

Bouncy Castle Uncontrolled Resource Consumption vulnerability

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This issue affects BC-JAVA before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion...

SUSE CVE-2026-3505

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java,...

com.flowlogix.depchain:shiro-jakarta (>=101 <=115), de.muehlencord.pf-adm:pf-adm-spring-boot-autoconfigure (=0.2.0) +6 more potentially affected by CVE-2026-41883 via org.omnifaces:omnifaces (>=5.0-M2 <=5.2.2)

org.omnifaces:omnifaces MAVEN version =5.0-M2, =101, =5.0-M2, =5.0-M2, =6.0.4, =6.0.4, =6.1.0-m4 Source cves: CVE-2026-41883 Source advisory: SNYK:JAVA-ORGOMNIFACES-16638690...

best.skn:skn-spring-mail (>=1.0.0 <=2.4.0), ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=7.0.0 <=8.8.1) +746 more potentially affected by CVE-2026-40477 via org.thymeleaf:thymeleaf-spring6 (>=3.1.0.M1 <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf-spring6 MAVEN version =3.1.0.M1, =1.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.0.0, =7.6.0, =7.6.0, =7.0.0, =7.0.0, =8.8.1 and more Source cves: CVE-2026-40477 Source advisory: SNYK:JAVA-ORGTHYMELEAF-16078370...

Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules

: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all pkix modules. PKIX draft CompositeVerifier accepts empty signature sequence as valid. This issue affects BC-JAVA: from 1.49 before 1.84...

DEBIAN-CVE-2026-3505

Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.Java,...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-router-llm-in-spring-cloud-gateway-demo (=0.1.0) +17237 more potentially affected by CVE-2025-14813 via org.bouncycastle:bcprov-jdk18on (>=1.71 <=1.83)

org.bouncycastle:bcprov-jdk18on MAVEN version =1.71, =0.2.0, =0.31.0, =0.5.0, =0.6.0, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.8.3, =0.8.3, =0.8.7 and more Source cves: CVE-2025-14813 Source advisory: SNYK:JAVA-ORGBOUNCYCASTLE-16075266...

io.github.compyoot:utilities-and-generic-tools (=0.3.11), org.scala-sbt.ivy:ivy (>=2.3.0-sbt-1b57d3bbc08ecf671169fd548918da18c91f77be <=2.3.0-sbt-fbc4f586aeeb1591710b14eb4f41b94880dcd745) potentially affected by CVE-2026-3505 via org.bouncycastle:bcpg-jdk14 (=1.45)

org.bouncycastle:bcpg-jdk14 MAVEN version =1.45 is affected by a known vulnerability. The following packages have a transitive dependency on org.bouncycastle:bcpg-jdk14 and may be impacted: - io.github.compyoot:utilities-and-generic-tools =0.3.11 - org.scala-sbt.ivy:ivy...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AEADEncDataPacket parser in AEADEncDataPacket.java. An attacker can crash packet parsing by supplying an AEAD-encrypted OpenPGP packet with an out-of-range chunk size valu...

CVE-2026-0636 LDAP Injection Vulnerability in LDAPStoreHelper.java

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from...

CVE-2026-0636

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from...

CVE-2026-0636

CVE-2026-0636 affects BC-JAVA:bcprov libraries from Legion of the Bouncy Castle Inc. Affected versions are 1.49 up to but not including 1.84. The issue is an LDAP injection in LDAPStoreHelper.java caused by improper neutralization of special LDAP query elements. This results in a high-impact vuln...

CVE-2025-14813

CVE-2025-14813 affects BC-JAVA (bcprov) releases prior to 1.84, where the GOSTCTR mode cannot process more than 255 blocks. This vulnerability impacts all core modules using GOSTCTR in bcprov, with a critical impact on confidentiality, integrity, and availability (per CVSS 4.0: AV:L, AC:L, PR:N, ...

org.apache.logging.log4j:log4j-layout-template-json-test (>=3.0.0-alpha1 <=3.0.0-beta2), software.airborne.kairo:kairo-alternative-money-formatters (=5.0.0) +29 more potentially affected by CVE-2026-34481 via org.apache.logging.log4j:log4j-layout-template-json (>=3.0.0-alpha1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-layout-template-json MAVEN version =3.0.0-alpha1, =3.0.0-alpha1, =3.0.0-beta2 - software.airborne.kairo:kairo-alternative-money-formatters =5.0.0 - software.airborne.kairo:kairo-clock-feature =5.0.0 - software.airborne.kairo:kairo-closeable =5.0.0 -...

AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities

Summary This notification is related to the CloudFront signing utilities in the AWS SDK for Java v2, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes an...

CVE-2025-70952

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...