Lost in Migration: Exposing Android Framework Vulnerabilities in Parallel Java-Kotlin Implementations

Android has adopted Kotlin alongside Java across apps and core system components. During this shift, we observe parallel implementations in the Android Open Source Project AOSP where the same component is implemented in both Java and Kotlin. In principle, their functional purposes are identical. ...

EUVD-2026-31998

epa4all-client: Unauthenticated REST API for Patient Record Writes...

CVE-2026-41207 netty-incubator-codec-ohttp's HPKEContext operations may produce empty byte[] on failures

The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDFexpand returns non-NULL on failure. The byte is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a...

MINI-JVM8-C8V6-W3W4

Bulletin has no description...

CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

CVE-2026-50076

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

SUSE CVE-2026-45682

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running...

SUSE CVE-2026-45683

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpfproberead instead of bpfprobereaduser. An instrumented local process can therefore point OBI at kerne...

EUVD-2026-34182

A vulnerability was found in crmeb crmebjava 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request...

A Bootiful Podcast: JetBrains' Marit van Dijk

hi Spring and IntelliJ IDEA fans! In this installment I talk to my friend and JetBrains Developer Advocate extraordinaire Marit van Dijk! This episode was recorded at JNation, an amazing show in Coimbra, Portugal! jetbrains java jnation...

PT-2026-46269

Name of the Vulnerable Software and Affected Versions Apache Fory fory-core versions prior to 1.1.0 Description Deserialization of untrusted data in the Java replace-resolve path on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks. B...

Joern 4.0.554

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

netty-incubator-codec-ohttp 缓冲区错误漏洞

netty-incubator-codec-ohttp is an application developed by the Netty community. Versions prior to 0.0.22.Final of netty-incubator-codec-ohttp contain a buffer error vulnerability. This vulnerability arises due to the use of a backtrack path when performing encryption operations via JNI on specifi...

CVE-2026-10771

CVE-2026-10771 affects crmeb_crmeb_java 1.4. The vulnerability targets the function RestTemplate.getForEntity in the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint . Manipulating the argument url results in a server-side request...

CVE-2026-10771 crmeb crmeb_java base64 Qrcode Endpoint RestTemplateUtil.java RestTemplate.getForEntity server-side request forgery

A vulnerability was found in crmeb crmebjava 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request...

CVE-2026-10771

A vulnerability was found in crmeb crmebjava 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request...

CVE-2026-10771 crmeb crmeb_java base64 Qrcode Endpoint RestTemplateUtil.java RestTemplate.getForEntity server-side request forgery

A vulnerability was found in crmeb crmebjava 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request...

DEBIAN-CVE-2026-47065

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The Minecraft-focused malware-as-a-service MaaS campaign has been codenamed Weedhack by McAfee Labs, stating the activity has been active...

PT-2026-46067

Name of the Vulnerable Software and Affected Versions crmeb crmeb java version 1.4 Description An issue exists in the base64 Qrcode Endpoint where the manipulation of the url argument in the RestTemplate.getForEntity function within the file...