Lucene search
K

60 matches found

NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

8.8CVSS0.00485EPSS
Exploits1References1
NVD
NVD
added 2026/07/06 9:16 a.m.8 views

CVE-2026-40859

Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter...

8.1CVSS0.00724EPSS
Exploits1References2
OSV
OSV
added 2026/07/06 8:24 a.m.4 views

CVE-2026-43867 Apache Camel: Camel-PQC: The AWS Secrets Manager key-lifecycle manager deserializes persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata reads that metadata back from the...

9.8CVSS6.4AI score0.00691EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:3 a.m.7 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

6.4AI score0.00485EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:3 a.m.34 views

CVE-2026-46590 Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

0.00485EPSS
Exploits1References1
CVE
CVE
added 2026/07/06 8:3 a.m.16 views

CVE-2026-46590

CVE-2026-46590 (Apache Camel-PQC) describes a deserialization of untrusted data issue in the camel-pqc component. Hashicorp Vault and AWS Secrets Manager key lifecycle managers deserialize a Base64-wrapped value via java.io.ObjectInputStream.readObject() without an ObjectInputFilter or class allo...

8.8CVSS6.4AI score0.00485EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.16 views

PT-2026-55882

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.19.9 Description The camel-vertx-http component deserializes HTTP response bodies with the...

8.1CVSS6.5AI score0.00724EPSS
Exploits1References7
CVE
CVE
added 2026/06/28 2:45 p.m.30 views

CVE-2026-13502

The CVE-2026-13502 entry concerns antlr ANTLR4 up to 4.13.2. It affects the function ObjectInputStream.readObject in the antlr4-maven-plugin’s GrammarDependencies.java, indicating a time-of-check time-of-use issue. The attack is restricted to local execution and requires a high degree of complexi...

4.5CVSS5.2AI score0.00091EPSS
Exploits0References5
CVE
CVE
added 2026/06/26 2:43 p.m.13 views

CVE-2026-57527

CVE-2026-57527 affects the Zed Attack Proxy (ZAP) ViewState add-on prior to version 4. The vulnerability arises in the JSFViewState.decode() path, which base64-decodes the javax.faces.ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowl...

8.8CVSS6.4AI score0.00463EPSS
Exploits0References5
OSV
OSV
added 2026/06/03 9:39 a.m.2 views

CVE-2026-47065 Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

9.8CVSS5.9AI score0.00468EPSS
Exploits0References4
OSV
OSV
added 2026/05/28 2:16 p.m.6 views

DEBIAN-CVE-2026-9828

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer c...

6.3CVSS6.4AI score0.0037EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 5:40 a.m.6 views

BIT-HYPERLEDGER-FABRIC-TOOLS-2026-41586 ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without...

9.3CVSS5.8AI score0.0041EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/07 5:12 a.m.74 views

CVE-2026-41586 ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java deserialization RCE

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without...

9.3CVSS0.0041EPSS
Exploits0References2
CVE
CVE
added 2026/05/07 5:12 a.m.32 views

CVE-2026-41586

CVE-2026-41586 affects Hyperledger Fabric’s deprecated fabric-sdk-java (Channel.java) where readObject() is invoked on untrusted bytes without an ObjectInputFilter, enabling Java deserialization RCE. Exploitation requires crafted serialized Channel data processed by deSerializeChannel(), with hig...

9.3CVSS5.8AI score0.0041EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/05 2:40 p.m.9 views

CVE-2026-40858

A flaw was found in the camel-infinispan component of Apache Camel. A remote attacker, with the ability to write to the Infinispan cache, can inject a specially crafted serialized Java object. When this object is deserialized during normal aggregation repository operations, it can lead to arbitra...

8.8CVSS6.3AI score0.00711EPSS
Exploits2References4
Veracode
Veracode
added 2026/05/04 8:47 p.m.14 views

Deserialization Of Untrusted Data

Apache Camel is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization of data using ObjectInputStream without proper filtering, which allows an attacker to inject malicious serialized objects and execute arbitrary code...

8.8CVSS6AI score0.00711EPSS
Exploits2References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/29 8:41 p.m.10 views

fabric-sdk-java has ObjectInputStream.readObject() without ObjectInputFilter, which allows Java deserialization RCE

Summary This advisory covers the deprecated fabric-sdk-java client SDK. Channel.java implements readObject and exposes deSerializeChannel which call ObjectInputStream.readObject on untrusted byte arrays without configuring an ObjectInputFilter. This is the classic Java deserialization RCE pattern...

9.3CVSS5.8AI score0.0041EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/27 12:30 p.m.10 views

Apache Camel-Infinispan Component Vulnerable to Deserialization of Untrusted Data

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a...

8.8CVSS6.4AI score0.00711EPSS
Exploits2References17Affected Software1
NVD
NVD
added 2026/04/27 9:16 a.m.11 views

CVE-2026-40048

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

7.8CVSS0.00342EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/04/27 7:53 a.m.8 views

CVE-2026-40048

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

6.3AI score0.00342EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder