Authorization Bypass

spring-security-config is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of the servlet-path attribute in , where the servlet path is not included when computing the path matcher, causing defined authorization rules to be skipped and allowing unauthorized acces...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization causing web security to be ineffective and allowing unauthorized access to all endpoints. Note: This is only exploitable if the following conditions are met: - the application is servlet-based; - the application ha...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +822 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +822 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

Access Control Bypass

Overview org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to Access Control Bypass in the XML authorization rules processing when the servlet-path attribute is used. An attacker can gain...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

CVE-2025-41746

CVE-2025-41746 is a reflected XSS vulnerability in pxc_portSecCfg.php (pxc_portSecCfg.php/pxc portSecCfg.php as reported) that an unauthenticated attacker could leverage to induce an authenticated user to submit a manipulated POST request to change device configuration via the web UI. The issue i...

WatchGuard Fireware OS 安全漏洞

WatchGuard Fireware OS is a software from WatchGuard USA that runs on a Firebox. A security vulnerability exists in WatchGuard Fireware OS versions 11.12.4+541730 and earlier, 12.11.4 and earlier, 12.5.13 and earlier, and 2025.1.2 and earlier, which stems from an out-of-bounds write to an IPSec...

CVE-2025-25585

Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords...

PT-2024-16054 · Safenet · Esafenet Cdg

Name of the Vulnerable Software and Affected Versions: ESAFENET CDG version 5 Description: A critical issue was found in the function actionDelNetSecConfig of the file /com/esafenet/servlet/netSec/NetSecConfigService.java. The manipulation of the argument id leads to SQL injection. It is possible...

Security Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused ...

Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused...

cn.herodotus.engine:oauth2-sdk-authentication (>=3.1.1.0 <=3.1.4.3), cn.herodotus.engine:oauth2-sdk-authorization (>=3.1.1.0 <=3.1.4.3) +321 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.1.1 <=6.1.3)

org.springframework.security:spring-security-config MAVEN version =6.1.1, =3.1.1.0, =3.1.1.0, =3.1.1.0, =3.1.1.0, =5.5.0, =5.5.0, =0.0.9, =0.0.12, =0.0.30, =0.0.42, =6.1.16, =6.1.16, =7.0.0, =7.1.8 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...

com.epam.reportportal:service-authorization (>=5.11.0 <=5.11.1), com.erudika:para-jar (=1.49.0) +51 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=5.8.4 <=5.8.6)

org.springframework.security:spring-security-config MAVEN version =5.8.4, =5.11.0, =1.73.40, =1.73.40, =1.73.40, =1.73.40, =2.35.0, =2.14.0, =2.14.0, =11.3.6, =11.3.6, =11.3.6, =11.3.6, =11.4.2 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...

com.almis.awe:awe-annotation (>=4.7.1 <=4.7.7), com.almis.awe:awe-annotations-spring-boot-starter (>=4.7.1 <=4.7.7) +28 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.0.4 <=6.0.6)

org.springframework.security:spring-security-config MAVEN version =6.0.4, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.7 - com.giffing.wicket.spring.boot.starter:wicket-spring-boot-starter =4.0.0-M1 and more Source cves:...

Design/Logic Flaw

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

Improper Access Control

org.springframework.security:spring-security-config is vulnerable to Improper Access Control. The vulnerability exists due to lack of checks in multiple files, which allows an attacker to use as a pattern in the configurations for WebFlux, creating a mismatch in pattern matching, resulting in a...

Authorization Rule Misconfiguration

spring-security-config is vulnerable to Authorization Rule Misconfiguration. The vulnerability exists due to the lack of validation in the RequestMatcher of AbstractRequestMatcherRegistry.java when the application uses the requestMatchersString function with multiple servlets, one of them being...