Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. id: CVE-2016-4437 info: name: Apache Shiro 1.2.4 Cookie RememberME -...

CVE-2026-11748

The CVE affects centraldogma-server-auth-shiro

Linux Distros Unpatched Vulnerability : CVE-2026-49268

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is...

EUVD-2026-37701

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

CVE-2026-49268

The CVE-2026-49268 issue affects Apache Shiro’s DefaultLdapRealm where user input is concatenated into the LDAP DN template without escaping RFC 2253 characters. This LDAP DN injection can alter the bind DN, potentially bypassing authentication or impersonating other users. Technical details conf...

CVE-2026-49268

A remote attacker can inject LDAP special characters into the Distinguished Name DN construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate th...

PT-2026-50410

Name of the Vulnerable Software and Affected Versions Apache Shiro versions prior to 2.2.1 Apache Shiro versions prior to 3.0.0-alpha-2 Description A remote attacker can inject LDAP special characters into the Distinguished Name DN construction within the DefaultLdapRealm class. User-supplied...

CVE-2026-48589

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module...

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

CVE-2026-43827

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already...

CVE-2026-44598

With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. Users are recommended t...

Linux Distros Unpatched Vulnerability : CVE-2026-44598

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - With valid login credentials, URL Redirection to Untrusted Site 'Open Redirect', Server-Side Request Forgery SSRF vulnerability in Apache Shiro. This issue...

Linux Distros Unpatched Vulnerability : CVE-2026-43828

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, an...

Linux Distros Unpatched Vulnerability : CVE-2026-48589

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validati...

Linux Distros Unpatched Vulnerability : CVE-2026-43827

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are...

com.github.fangjinuo.agileway:agileway-shiro-redis (>=2.3.3 <=3.1.12), com.github.fangjinuo.agileway:agileway-shiro-redis-springdata2 (>=2.4.2 <=3.1.12) +19 more potentially affected by CVE-2026-43827 via org.apache.shiro:shiro-web (=3.0.0-alpha-1)

org.apache.shiro:shiro-web MAVEN version =3.0.0-alpha-1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.shiro:shiro-web and may be impacted: - com.github.fangjinuo.agileway:agileway-shiro-redis =2.3.3, =2.4.2, =0.0.3, =0.0.3, =0.0.3, =0.0.3,...

com.github.fangjinuo.agileway:agileway-shiro-redis (>=2.3.3 <=3.1.12), com.github.fangjinuo.agileway:agileway-shiro-redis-springdata2 (>=2.4.2 <=3.1.12) +27 more potentially affected by CVE-2026-43827 via org.apache.shiro:shiro-core (=3.0.0-alpha-1)

org.apache.shiro:shiro-core MAVEN version =3.0.0-alpha-1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.shiro:shiro-core and may be impacted: - com.github.fangjinuo.agileway:agileway-shiro-redis =2.3.3, =2.4.2, =0.0.3, =0.0.3, =0.0.3, =0.0....

ca.ibodrov.concord:mcp-for-concord (>=0.0.1 <=0.0.2), ca.ibodrov.concord:testcontainers-concord-core (>=2.0.3 <=2.0.5) +185 more potentially affected by CVE-2026-43827 via org.apache.shiro:shiro-web (>=2.0.0-alpha-1 <=2.1.0)

org.apache.shiro:shiro-web MAVEN version =2.0.0-alpha-1, =0.0.1, =2.0.3, =0.0.27, =0.0.27, =0.0.27, =8.0.0, =8.0.0, =1.0.2, =3.4.0, =3.3.0, =3.3.0, =3.3.0, =3.3.0, =3.3.0, =3.8.0 and more Source cves: CVE-2026-43827 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-17116506...

ca.ibodrov.concord:mcp-for-concord (>=0.0.1 <=0.0.2), ca.ibodrov.concord:testcontainers-concord-core (>=2.0.3 <=2.0.5) +298 more potentially affected by CVE-2026-43827 via org.apache.shiro:shiro-core (>=2.0.0-alpha-1 <=2.1.0)

org.apache.shiro:shiro-core MAVEN version =2.0.0-alpha-1, =0.0.1, =2.0.3, =0.0.27, =0.0.27, =0.0.27, =6.0.0, =8.0.0, =8.0.0, =2.2.0, =1.0.2, =3.4.0, =3.3.0, =3.3.0, =3.3.0, =3.8.0 and more Source cves: CVE-2026-43827 Source advisory: SNYK:JAVA-ORGAPACHESHIRO-17116505...

Session Fixation

Overview org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Session Fixation during the login operation in DefaultSecurityManager.ja...