osv-java-poc

OSV Scanner CVE Detection POC — Vulnerable Java App ⚠️ WA...

ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +785 more potentially affected by CVE-2026-42027 via org.apache.opennlp:opennlp-tools (>=2.0.0 <=2.5.8)

org.apache.opennlp:opennlp-tools MAVEN version =2.0.0, =0.1.0, =0.1.0, =2.12.1, =2.12.1, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =0.0.6, =0.0.9 and more Source cves: CVE-2026-42027 Source advisory: SNYK:JAVA-ORGAPACHEOPENNLP-16419373...

io.crossplane.compositefunctions:crossplane-function-example (>=1.20-alpha <=2.0.5), io.crossplane.compositefunctions:crossplane-function-springboot-starter (>=1.20-alpha <=2.0.5) +19 more potentially affected by CVE-2026-40969 via org.springframework.grpc:spring-grpc-core (>=1.0.0-RC1 <=1.0.2)

org.springframework.grpc:spring-grpc-core MAVEN version =1.0.0-RC1, =1.20-alpha, =1.20-alpha, =2026.01, =0.8.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =1.0.0, =1.0.0, =1.0.2 - org.springframew...

net.enilink.platform:net.enilink.platform.web (=1.6.0), org.webjars.npm:formio__core (=2.6.0) +1 more potentially affected by unknown CVE via org.webjars.npm:dompurify (>=3.1.7 <=3.3.0)

org.webjars.npm:dompurify MAVEN version =3.1.7, =0.54.0, =0.55.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15874906...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2047 more potentially affected by CVE-2026-33870 via io.netty:netty-codec-http (>=4.2.0.Alpha1 <=4.2.11.Final)

io.netty:netty-codec-http MAVEN version =4.2.0.Alpha1, =0.1.0, =0.1.0, =0.3.0 - ai.tock:bot-test =26.3.0 - ai.tock:bot-test-base =26.3.0 - ai.tock:bot-toolkit =26.3.0 - ai.tock:bot-toolkit-base =26.3.0 - ai.tock:tock-analytics-chatbase =26.3.0 - ai.tock:tock-aws-tools =26.3.0 -...

org.webjars.npm:browser-sync-ui (=2.27.11), org.webjars.npm:bulma (=1.0.0) +21 more potentially affected by CVE-2026-29063 via org.webjars.npm:immutable (>=3.7.6 <=5.1.3)

org.webjars.npm:immutable MAVEN version =3.7.6, =0.7.0, =0.8.3, =0.8.4 - org.webjars.npm:flux =2.1.1 - org.webjars.npm:github-com-DataTables-DataTablesSrc =2.0.5 - org.webjars.npm:github-com-codeforms-Punica-CSS-Framework =3.0.0 - org.webjars.npm:github-com-digicorp-propeller =1.3.2 -...

ai.konduit.serving:konduit-serving-clients (>=0.0.2 <=0.3.0), ai.konduit.serving:konduit-serving-distro-bom (>=0.0.2 <=0.3.0) +4105 more potentially affected by CVE-2025-66453 via org.mozilla:rhino (>=1.7R3 <=1.7.14)

org.mozilla:rhino MAVEN version =1.7R3, =0.0.2, =0.0.2, =0.1-1, =1.0, =1.0, =1.0, =1.2.1 - blog.svenbayer:spring-cloud-contract-swagger =1.2.0.RELEASE - br.com.objectos.jabuticava:boleto =0.3.0 - br.com.objectos.jabuticava:duplicata =0.3.0 - br.com.objectos:boleto =0.1.0 - br.com.objectos:duplica...

org.webjars.npm:vega-embed (=6.21.0) potentially affected by CVE-2025-59840 via org.webjars.npm:vega-interpreter (=1.0.4)

org.webjars.npm:vega-interpreter MAVEN version =1.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vega-interpreter and may be impacted: - org.webjars.npm:vega-embed =6.21.0 Source cves: CVE-2025-59840 Source advisory:...

EUVD-2021-11021

Malware in sbrugna...

com.farao-community.farao:csa-runner-api (>=1.3.1 <=2.6.1), com.farao-community.farao:csa-runner-app (>=1.3.1 <=2.6.1) +97 more potentially affected by CVE-2025-48059 via com.powsybl:powsybl-iidm-criteria (>=6.3.0 <=6.7.1)

com.powsybl:powsybl-iidm-criteria MAVEN version =6.3.0, =1.3.1, =1.3.1, =1.18.0, =1.18.0, =1.4.0, =1.6.0, =1.12.0, =1.27.0, =1.27.0, =1.27.0, =1.27.0, =1.27.0, =1.24.0, =1.6.2, =1.13.0 and more Source cves: CVE-2025-48059 Source advisory:...

An Accurate and Efficient Vulnerability Propagation Analysis Framework

Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing many false positives, or fail to accomplish whole-ecosyste...

ai.dev-tools:ai-devtools (>=0.1.12 <=0.1.20), ai.dev-tools:ai-devtools-selenium (>=0.1.2 <=0.1.11) +599 more potentially affected by CVE-2025-4641 via io.github.bonigarcia:webdrivermanager (>=1.0.0 <=6.0.1)

io.github.bonigarcia:webdrivermanager MAVEN version =1.0.0, =0.1.12, =0.1.2, =0.1.1, =0.0.3, =0.2.6, =0.2.48 and more Source cves: CVE-2025-4641 Source advisory: OSV:GHSA-PWM3-776C-8Q7Q...

be.objectify:objectify-struts2-tags (=1.0), br.net.woodstock.rockframework:rockframework-struts2 (>=2.0.0 <=2.0.8) +324 more potentially affected by CVE-2023-50164 via org.apache.struts:struts2-core (>=2.0.11 <=2.5.32)

org.apache.struts:struts2-core MAVEN version =2.0.11, =2.0.0, =1.2.1, =1.5.3, =1.5.3, =1.2.2, =1.2.2, =1.2.2, =1.2.2, =1.2, =1.0, =1.0, =1.0, =1.0.4 and more Source cves: CVE-2023-50164 Source advisory: OSV:GHSA-2J39-QCJM-428W...

ai.bareun.tagger:bareun (>=1.0.0 <=1.4.1), ai.djl.serving:serving (=0.19.0) +3733 more potentially affected by CVE-2022-3510 via com.google.protobuf:protobuf-java (>=3.21.0 <=3.21.6)

com.google.protobuf:protobuf-java MAVEN version =3.21.0, =1.0.0, =3.42.0.2-1-3.4, =0.0.1, =22.3.2, =22.3.2, =22.3.2, =22.3.2, =1.0.0-beta01, =1.0.0-beta01, =1.0.0-beta06 - at.ac.ait.lablink.clients:universalapiclient =0.1.0 and more Source cves: CVE-2022-3510 Source advisory: OSV:GHSA-4GG5-VX3J-X...

Microsoft Visual Studio Code Remote Code Execution (CVE-2021-27084)

A remote code execution vulnerability exists in the Maven for Java Extension for Microsoft Visual Studio Code. The vulnerability is due to a design weakness. A remote attacker can exploit this vulnerability by enticing a user to open a maliciously crafted Java Maven project folder...

ai.chronon:flink_2.12 (>=0.0.62 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91), ai.chronon:online_2.11 (>=0.0.25 <=revert-391-thread-0.0.24) +3230 more potentially affected by CVE-2021-38153 via org.apache.kafka:kafka-clients (>=2.0.0 <=2.7.1)

org.apache.kafka:kafka-clients MAVEN version =2.0.0, =0.0.62, =0.0.25, =0.0.25, =0.0.86, =0.0.86, =local, =local, =0.0.8, =0.0.6, =0.0.2, =1.0.0, =0.0.13, =1.0.0, =1.0.0, =1.14.0, =1.15.0 and more Source cves: CVE-2021-38153 Source advisory: SNYK:JAVA-ORGAPACHEKAFKA-1540737...

cc.kebei:onion-expands-compress (>=3.0.0 <=3.0.6), com.aftia.plugin:aem-build-maven-plugin.core (>=1.1.1 <=1.2.2) +90 more potentially affected by CVE-2018-1002201 via org.zeroturnaround:zt-zip (>=1.10 <=1.12)

org.zeroturnaround:zt-zip MAVEN version =1.10, =3.0.0, =1.1.1, =5.0, =2.1.6, =3.6.1, =0.1.4, =1.0.3, =1.0.0, =1.0, =1.1 and more Source cves: CVE-2018-1002201 Source advisory: SNYK:JAVA-ORGZEROTURNAROUND-31681...