CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

15 matches found

IBM Security Bulletins•added 2026/05/26 5:14 p.m.•6 views

Security Bulletin: Due to the use of c3p0, IBM webMethods BPM is vulnerable to attack via maliciously crafted Java-serialized objects (CVE-2026-27830)

Summary IBM webMethods BPM includes the standalone utility which includes the vulnerable component c3p0. The tool operates as a standalone utility and is not part of the main runtime environments. Vulnerability Details CVEID:CVE-2026-27830 DESCRIPTION: c3p0, a JDBC Connection pooling library, is...

8.9CVSS6.1AI score0.00313EPSS

Exploits0Affected Software1

RedhatCVE•added 2026/02/26 6:55 p.m.•3 views

CVE-2026-27830

A flaw was found in c3p0, a Java Database Connectivity JDBC Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

8.9CVSS6.5AI score0.00313EPSS

Exploits0References8

Prion•added 2023/11/08 8:15 a.m.•16 views

Deserialization of untrusted data

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which fixes the issue. The...

6.5CVSS7.1AI score0.00415EPSS

Exploits0References2Affected Software1

CISA KEV Catalog•added 2023/09/28 12:0 a.m.•27 views

Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via...

9.8CVSS7.9AI score0.89462EPSS

In wildExploits6

Cvelist•added 2023/04/06 12:0 a.m.•15 views

CVE-2023-28500

A Java insecure deserialization vulnerability in Adobe LiveCycle ES4 version 11.0 and earlier allows unauthenticated remote attackers to gain operating system code execution by submitting specially crafted Java serialized objects to a specific URL. Adobe LiveCycle ES4 version 11.0.1 and later may...

9.9AI score0.24016EPSS

Exploits0References1

OSV•added 2022/05/13 1:17 a.m.•75 views

GHSA-J7MW-7CRR-658V Richfaces vulnerable to arbitrary code execution

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language EL injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData...

9.8CVSS9.7AI score0.89462EPSS

Exploits6References10

Github Security Blog•added 2022/05/13 1:17 a.m.•34 views

Richfaces vulnerable to arbitrary code execution

9.8CVSS9.7AI score0.89462EPSS

Exploits6References11Affected Software1

RedhatCVE•added 2019/10/11 10:8 a.m.•26 views

CVE-2018-14667

9.8CVSS5.4AI score0.89462EPSS

Exploits6References2

Veracode•added 2019/01/15 9:25 a.m.•31 views

Remote Code Execution (RCE)

richfaces is vulnerable to Remote code Execution RCE attacks. The vulnerability is due to improper Expression Language EL sanitization in the UserResource class. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects gadget chains...

9.8CVSS9.7AI score0.89462EPSS

Exploits6References13Affected Software2