649 matches found
Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. id: CVE-2016-4437 info: name: Apache Shiro 1.2.4 Cookie RememberME -...
CVE-2026-56130
A flaw was found in Apache Shiro. When the 'Remember me' functionality is enabled, the server does not verify the age of the 'Remember me' cookie. This allows a remote attacker to intercept a valid cookie and reuse it indefinitely, potentially leading to session hijacking. Mitigation Mitigation f...
PT-2026-53934
Name of the Vulnerable Software and Affected Versions JeecgBoot versions prior to 3.9.3 Description Authenticated low-privilege users can perform full create, read, update, and delete operations on OpenAPI credentials. This occurs because the 'OpenApiAuthController' and...
Linux Distros Unpatched Vulnerability : CVE-2026-56091
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This...
Linux Distros Unpatched Vulnerability : CVE-2026-56130
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Remember me cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the...
CVE-2026-56091
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...
CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
DEBIAN-CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
DEBIAN-CVE-2026-56091
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...
CVE-2026-56091
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...
EUVD-2026-39230
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...
CVE-2026-56091 Apache Shiro: Authentication bypass in Guice-Web integration
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://vulners.com/cve/CVE-2020-1957 https://www.cve.org/CVERecord , except that it affects the shiro-guice module...
CVE-2026-56091
CVE-2026-56091 involves Apache Shiro when used with the shiro-guice module in a web servlet context. A specially crafted HTTP request may cause an authentication bypass. Affected: all Apache Shiro versions through 2.x; 3.0.0-alpha-1 is affected when using shiro-guice in this context. Remediation:...
CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
EUVD-2026-39229
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
CVE-2026-56130
The CVE concerns Apache Shiro’s RememberMe functionality: the server does not verify the RememberMe cookie’s age, allowing reuse of a valid cookie beyond its expiration. Affected versions are Apache Shiro 1.2.4 through 2.x, and 3.0.0-alpha-1, only when RememberMe is enabled. The underlying impact...
CVE-2026-56130 Apache Shiro: Remember-me cookie isn't checked for expiry on the server
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
CVE-2026-11748
The CVE affects centraldogma-server-auth-shiro
Linux Distros Unpatched Vulnerability : CVE-2026-49268
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is...
LDAP Injection
Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to LDAP Injection in the DefaultLdapRealm class. An attacker can bypass...