CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVE-2026-40459

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10...

Exploit for CVE-2026-29000

Lab Demo CVE-2026-29000: pac4j-jwt Authentication Bypass Môi...

Exploit for CVE-2026-29000

CVE-2026-29000: pac4j JWT Authentication Bypass PoC Proof...

Exploit for CVE-2026-29000

🚀 CVE-2026-29000 - pac4j-jwt Authentication Bypass Exploit !...

Exploit for CVE-2026-29000

HackTheBox — Principal Difficulty: Medium OS: Linux...

Exploit for CVE-2026-29000

pac4j-jwe-forge CVE-2026-29000 Proof-of-concept for CVE-202...

com.axelor:axelor-core (>=8.0.0 <=8.1.1), com.axelor:axelor-web (>=8.0.0 <=8.1.1) potentially affected by CVE-2026-40458 +1 more via org.pac4j:pac4j-ldap (>=6.2.2 <=6.3.1)

org.pac4j:pac4j-ldap MAVEN version =6.2.2, =8.0.0, =8.0.0, =8.1.1 Source cves: CVE-2026-40458, CVE-2026-40459 Source advisory: SNYK:JAVA-ORGPAC4J-16109662...

ch.exense.commons:exense-auth-ldap (>=1.3.0 <=1.3.1), ch.exense.commons:exense-core-server (>=1.3.0 <=1.3.1) +12 more potentially affected by CVE-2026-40458 +1 more via org.pac4j:pac4j-ldap (>=4.0.0 <=4.4.0)

org.pac4j:pac4j-ldap MAVEN version =4.0.0, =1.3.0, =1.3.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =3.14.0, =1.0.0.RELEASE, =1.0.1.RELEASE Source cves: CVE-2026-40458, CVE-2026-40459 Source advisory: SNYK:JAVA-ORGPAC4J-16109662...

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection in the LdapProfileService class, which accepts ID-based search parameters in multiple methods. A privileged attacker can execute unauthorized LDAP queries and perform arbitrary directory operations. Remediation Upgrade...

ai.tock:bot-test (=23.9.2), ai.tock:bot-test-base (=23.9.2) +498 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=6.0.0-RC1 <=6.4.0)

org.pac4j:pac4j-core MAVEN version =6.0.0-RC1, =6.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.pac4j:pac4j-core and may be impacted: - ai.tock:bot-test =23.9.2 - ai.tock:bot-test-base =23.9.2 - ai.tock:bot-toolkit =23.9.2 -...

EUVD-2026-23423

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10...

ai.tock:bot-test (>=22.9.0 <=23.9.1), ai.tock:bot-test-base (>=22.9.0 <=23.9.1) +469 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=5.0.0-RC1 <=5.7.1)

org.pac4j:pac4j-core MAVEN version =5.0.0-RC1, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =23.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =23.9.1 and more Source cves: CVE-2026-40458 Source advisory: SNYK:JAVA-ORGPAC4J-16109661...

ai.tock:bot-test (>=22.3.0 <=23.9.1), ai.tock:bot-test-base (>=22.3.0 <=23.9.1) +1287 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=1.4.0 <=5.7.1)

org.pac4j:pac4j-core MAVEN version =1.4.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =23.9.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =22.3.0, =23.9.1 and more Source cves: CVE-2026-40458 Source advisory: OSV:GHSA-XW5C-JC7X-GF75...

ai.tock:bot-test (=23.9.2), ai.tock:bot-test-base (=23.9.2) +498 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=6.0.0-RC1 <=6.4.0)

org.pac4j:pac4j-core MAVEN version =6.0.0-RC1, =6.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.pac4j:pac4j-core and may be impacted: - ai.tock:bot-test =23.9.2 - ai.tock:bot-test-base =23.9.2 - ai.tock:bot-toolkit =23.9.2 -...

Cross-site Request Forgery (CSRF)

Overview org.pac4j:pac4j-core is a pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF d...

GHSA-XW5C-JC7X-GF75 PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVE-2026-40459

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10...

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVE-2026-40459

PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10...