This Week in Spring - May 26th, 2026
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Coimbra, Portugal, where I just did my usual shtick on the latest and greatest in Spring Framework 7.x, Spring Boot 4.x, and Spring AI 2.x. It was a ton of fun, and I want to thank everybody who came out. Last week I w...
CVE-2024-34914
php-censor v2.1.4 (fixed in v2.1.5) was discovered to utilize a weak hashing algorithm for its rememberkey value. This allows attackers to brute-force the rememberkey value to gain access to accounts that have checked "remember me" when logging in...
CVE-2024-25572
CVE-2024-25572 affects Ninja Forms for WordPress prior to version 3.4.31. The issue is a CSRF vulnerability: if an administrator views a malicious page while logged in, unintended operations may be performed. Affected product/version: Ninja Forms before 3.4.31. Red Hat, NVD, JVN and related sourc...
Cross site scripting
FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability. If this vulnerability is exploited by a remote authenticated attacker with administrative privileges, an arbitrary script may be executed on the web browser of the user who is logging in to the product...
Advanced Access Manager < 6.9.19 - Open Redirect
Description: The plugin is vulnerable to Open Redirect due to insufficient validation of the redirect URL supplied via the params-redirect parameter. This makes it possible for authenticated attackers (author and higher) to redirect users to potentially malicious sites if they can successfully trick the...
Cross-Site Scripting
hoteldruid is vulnerable to Cross-Site Scripting. The vulnerability is due to improper neutralization of input during web page generation. This allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product...
CVE-2023-47164
Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product...
CVE-2023-36492
Reflected cross-site scripting vulnerability in SHIRASAGI prior to v1.18.0 allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product...
CVE-2023-39153
A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account...
CVE-2023-37961
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Auth Plugin 1.14 and earlier allows attackers to trick users into logging in to the attacker's account...
Cisco StarOS Input Validation Error Vulnerability
Cisco StarOS is a virtualization operating system from the American company Cisco. Cisco StarOS suffers from an input validation error vulnerability that stems from insufficient validation of user-supplied credentials, which could be exploited by an attacker to allow logging into an affected...
CVE-2023-27918
Cross-site scripting vulnerability in Appointment and Event Booking Calendar for WordPress - Amelia versions prior to 1.0.76 allows a remote unauthenticated attacker to inject an arbitrary script by having a user who is logging in to the WordPress site where the product is installed visit a malicious URL...
Cross-site request forgery vulnerability in Jenkins OpenID Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account...
CVE-2023-24446
A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account...
CVE-2022-34772 Tabit - password enumeration
Description: The password for the Tabit system is a 4-digit OTP. One can resend the OTP and try logging in indefinitely. Once again, this is an example of OWASP API4 - Rate limiting...
CVE-2022-30561
When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login, the attacker could log in to the device by replaying the user's login packet...
CVE-2022-30563
When an attacker uses a man-in-the-middle attack to sniff the request packets of a successful login through ONVIF, he can log in to the device by replaying the user's login packet...
CVE-2022-30561
The CVE-2022-30561 entry concerns Dahua ASI7XXX devices (and related Dahua product families) vulnerable to an authentication bypass via capture-replay. The root cause is that an MITM-capable attacker who can sniff login traffic can replay the captured authentication data to gain access without a password (CWE-294)...