117 matches found
CVE-2026-44241
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation...
CVE-2026-44242
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...
CVE-2026-44241 Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation...
CVE-2026-44241
Summary of CVE-2026-44241 (Micronaut Framework) Affected: Micronaut Core versions 4.3.0–4.10.21 (fixed in 4.10.22). A cache in TimeConverterRegistrar stores DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by pattern+Locale derived from the @Format annotation and the HTTP Accep...
CVE-2026-44241 Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation...
CVE-2026-44242
CVE-2026-44242 affects Micronaut Framework when a non-default ResourceBundleMessageSource bean is registered. The bundleCache is a ConcurrentHashMap unbounded by design, allowing an attacker to flood the server with unique Accept-Language headers (while requesting HTML error responses), creating ...
CVE-2026-44242 Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...
CVE-2026-44242
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...
CVE-2026-44242 Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...
Micronaut Framework 资源管理错误漏洞
The Micronaut Framework is a modern full-stack Java framework based on the JVM, developed by the Micronaut Foundation. Versions of the Micronaut Framework prior to 4.10.22 contained a resource management vulnerability. This vulnerability stemmed from the use of unbounded caching in the bundleCach...
Micronaut Framework 资源管理错误漏洞
The Micronaut Framework is a modern full-stack Java framework based on the JVM, developed by the Micronaut Foundation. Versions of the Micronaut Framework from 4.3.0 to 4.10.22 contained a resource management vulnerability. This vulnerability stemmed from TimeConverterRegistrar caching...
io.micronaut.aot:micronaut-aot-core (=3.0.0-M2), io.micronaut.aot:micronaut-aot-std-optimizers (=3.0.0-M2) +427 more potentially affected by CVE-2026-44241 via io.micronaut:micronaut-context (>=5.0.0-M1 <=5.0.0-M24)
io.micronaut:micronaut-context MAVEN version =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M3 and more Source cves: CVE-2026-44241 Source advisory: SNYK:JAVA-IOMICRONAUT-16478697...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the unbounded formattersCache in TimeConverterRegistrar. An attacker can exhaust system memory and cause a server crash by sending numerous HTTP requests with unique...
io.micronaut.aot:micronaut-aot-core (=3.0.0-M2), io.micronaut.aot:micronaut-aot-std-optimizers (=3.0.0-M2) +536 more potentially affected by CVE-2026-44242 via io.micronaut:micronaut-inject (>=5.0.0-M1 <=5.0.0-M24)
io.micronaut:micronaut-inject MAVEN version =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M1, =5.0.0-M3 and more Source cves: CVE-2026-44242 Source advisory: SNYK:JAVA-IOMICRONAUT-16478712...
ai.stainless:grails-tika (=0.1.0), app.dassana:rule-engine (>=1.6.8 <=1.10.1) +1303 more potentially affected by CVE-2026-44242 via io.micronaut:micronaut-inject (>=1.0.0 <=4.10.21)
io.micronaut:micronaut-inject MAVEN version =1.0.0, =1.6.8, =1.4.0, =1.1.0, =0.3.8, =0.8.0, =0.9.1, =1.4.0, =2.0.8-micronaut-1.0, =1.3.7.6, =1.3.7.6, =1.7.3-micronaut-1.0, =1.6.2-micronaut-1.0, =2.0.0-micronaut-1.0, =2.2.2-micronaut-3.0 and more Source cves: CVE-2026-44242 Source advisory:...
GHSA-3RFQ-4WPF-QQW3 Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Summary ResourceBundleMessageSource maintains two caches: messageCache bounded at 100 entries via ConcurrentLinkedHashMap and bundleCache unbounded ConcurrentHashMap. The bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications tha...
CVE-2026-44242
creationtimestamp| type| source ---|---|--- 2026-04-28 15:10:17+00:00| published-proof-of-concept| https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-3rfq-4wpf-qqw3...
CVE-2026-44241
creationtimestamp| type| source ---|---|--- 2026-04-28 15:10:06+00:00| published-proof-of-concept| https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj...
Denial Of Service (DoS)
Micronaut Framework is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of descending array index order in JsonBeanPropertyBinder::expandArrayToThreshold, where crafted form-urlencoded parameters can trigger a non-terminating loop, leading to CPU exhaustion and...
CVE-2026-33012
A flaw was found in Micronaut Framework. Remote attackers can exploit an unbounded cache in the DefaultHtmlErrorResponseBodyProvider component by influencing exception messages, such as through request query parameters. This can lead to uncontrolled memory growth and an OutOfMemoryError, resultin...