
9 matches found

NVD
added 6 hours ago, 3 views

CVE-2026-41732

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1
Exploits: 0, References: 1
CVE
added yesterday, 8 views

CVE-2026-41732

CVE-2026-41732 affects Spring for Apache Pulsar due to JsonPulsarHeaderMapper using a prefix-based check on trusted packages, causing trust to cascade to subpackages. An empty trusted-packages config can default to trusting all packages. This exposes potential deserialization risk by allowing acc...

CVSS 8.1, AI score 5.5
Exploits: 0, References: 1
Positive Technologies
added yesterday, 4 views

PT-2026-48328

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, AI score 5.4
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2024-0948

Malicious code in bioql PyPI...

CVSS 9.9, AI score 8.8, EPSS 0.01029
Exploits: 0, References: 6
vulnersOsv
added 2025/04/09 12:30 p.m., 3 views

org.apache.pulsar:pulsar-io-distribution (>=2.3.0 <=2.7.5), org.apache.pulsar:pulsar-io-docs (>=2.3.0 <=2.7.5) potentially affected by CVE-2025-30677 via org.apache.pulsar:pulsar-io-kafka (>=2.3.0 <=2.7.5)

org.apache.pulsar:pulsar-io-kafka MAVEN version =2.3.0, =2.3.0, =2.3.0, =2.7.5 Source cves: CVE-2025-30677 Source advisory: SNYK:JAVA-ORGAPACHEPULSAR-9685318...

CVSS 6.5, AI score 5.8, EPSS 0.00154
Exploits: 0
OSV
added 2024/03/12 7:15 p.m., 4 views

CVE-2024-27135

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is...

CVSS 9.9, AI score 9.6, EPSS 0.00088
Exploits: 0, References: 3
Cvelist
added 2024/03/12 6:17 p.m., 14 views

CVE-2022-34321 Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint

Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections...

CVSS 8.2, AI score 8.3, EPSS 0.00052
Exploits: 0, References: 3
vulnersOsv
added 2023/12/20 9:30 a.m., 1 view

io.github.embedded-middleware:embedded-pulsar-core (>=0.0.4 <=0.0.5), org.apache.pulsar:pulsar-broker (>=2.11.0 <=2.11.1) +7 more potentially affected by CVE-2023-37544 via org.apache.pulsar:pulsar-websocket (>=2.11.0 <=2.11.1)

org.apache.pulsar:pulsar-websocket MAVEN version =2.11.0, =0.0.4, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.0, =2.11.1 Source cves: CVE-2023-37544 Source advisory: OSV:GHSA-83Q5-WHQP-R8JR...

CVSS 7.5, AI score 7.1, EPSS 0.00067
Exploits: 0
OSV
added 2023/07/12 12:31 p.m., 0 views

GHSA-74MC-G2XV-PCH2 Apache Pulsar Function Worker Incorrect Authorization vulnerability

Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker. This issue affects Apache Pulsar: before 2.10.4, and 2.11.0. Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks...

CVSS 6.5, AI score 5.8, EPSS 0.00103
Exploits: 0, References: 3