Lucene search
K

7361 matches found

Nuclei
Nuclei
added 16 hours ago138 views

Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution

Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view...

8.8CVSS7.3AI score0.13035EPSS
Exploits0References5
Nuclei
Nuclei
added 16 hours ago93 views

Spring Boot Actuator Logview Directory Traversal

spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability in libraries that adds a simple logfile viewer as a spring boot actuator endpoint maven package "eu.hinsch:spring-boot-actuator-logview". id: CVE-2021-21234 info: name: Spring Boot Actuator Logview...

7.7CVSS7AI score0.21173EPSS
Exploits2References6
Nuclei
Nuclei
added 16 hours ago41 views

Spring Framework - Path Traversal

Spring Framework MVC applications deployed as WAR or with embedded Servlet containers that do not reject suspicious URI sequences and serve static resources with Spring resource handling contain a path traversal vulnerability, letting attackers access unauthorized files, exploit requires...

5.9CVSS6.6AI score0.01916EPSS
Exploits1References4
Nuclei
Nuclei
added 16 hours ago39 views

WebMvc.fn/WebFlux.fn - Path Traversal

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

7.5CVSS6.8AI score0.14718EPSS
Exploits1References4
Nuclei
Nuclei
added 16 hours ago104 views

Spring MVC Framework - Local File Inclusion

Spring MVC Framework versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported are vulnerable to local file inclusion because they allow applications to configure Spring MVC to serve static resources e.g. CSS, JS, images. A malicious user can send a request using a...

5.9CVSS6.8AI score0.35681EPSS
Exploits1References5
Nuclei
Nuclei
added 16 hours ago44 views

Spring Cloud Config Server - Path Traversal

Spring Cloud 3.1.x 3.1.13, 4.1.x 4.1.9, 4.2.x 4.2.3, 4.3.x 4.3.2, and 5.0.x 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server using native file system backend, letting attackers access files outside configured directories, exploit requires crafted request. i...

8.6CVSS7AI score0.0122EPSS
Exploits0References4
Nuclei
Nuclei
added 16 hours ago6 views

Spring Framework Path Traversal in Functional Web Frameworks

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

7.5CVSS6.7AI score0.54862EPSS
Exploits6References3
Nuclei
Nuclei
added 16 hours ago38 views

Java-springboot-codebase 1.1 - Arbitrary File Read

OsamaTaher/Java-springboot-codebase is a collection of Java and Spring Boot code snippets, applications, and projects. Prior to commit c835c6f7799eacada4c0fc77e0816f250af01ad2, insufficient path traversal mechanisms make absolute path traversal possible. This vulnerability allows unauthorized...

8.7CVSS7.1AI score0.03847EPSS
Exploits14References5
Nuclei
Nuclei
added 16 hours ago18 views

Spring Cloud Gateway Server Webflux - Broken Access Control

Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints allowing modification of Spring Environment properties, letting attackers modify configuration, exploit requires unsecured actuator endpoints exposure. id: CVE-2025-41243 info: name:...

10CVSS7AI score0.03311EPSS
Exploits0References4
EUVD
EUVD
added 22 hours ago5 views

EUVD-2026-43556

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can...

8.6CVSS6.2AI score
Exploits0References6
Cvelist
Cvelist
added yesterday29 views

CVE-2026-62242 Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can...

8.6CVSS
Exploits0References5
CVE
CVE
added yesterday10 views

CVE-2026-62242

CVE-2026-62242 affects Spring Boot Admin Server prior to 4.1.2. The vulnerability is a server-side request forgery in the unauthenticated instance registration flow, where attacker-controlled healthUrl and managementUrl are not validated against private IP ranges or metadata endpoints. This allow...

8.6CVSS6.2AI score
Exploits0References5
OSV
OSV
added yesterday19 views

ROOT-APP-MAVEN-CVE-2026-22732 CVE-2026-22732 in io.root.org.springframework.security:spring-security-web - Patched by Root

Root has patched CVE-2026-22732 in the io.root.org.springframework.security:spring-security-web package for Root:Maven. Multiple fixed versions available...

9.1CVSS5.8AI score0.0048EPSS
Exploits2
OSV
OSV
added yesterday12 views

ROOT-APP-MAVEN-CVE-2026-22751 CVE-2026-22751 in io.root.org.springframework.security:spring-security-core - Patched by Root

Root has patched CVE-2026-22751 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...

4.8CVSS5.4AI score0.00124EPSS
Exploits0
OSV
OSV
added yesterday25 views

ROOT-APP-MAVEN-CVE-2026-22748 CVE-2026-22748 in io.root.org.springframework.security:spring-security-oauth2-jose - Patched by Root

Root has patched CVE-2026-22748 in the io.root.org.springframework.security:spring-security-oauth2-jose package for Root:Maven. Multiple fixed versions available...

6.5CVSS5.8AI score0.00203EPSS
Exploits0
OSV
OSV
added yesterday4 views

ROOT-APP-MAVEN-CVE-2026-47838 CVE-2026-47838 in io.root.org.springframework.security:spring-security-web - Patched by Root

Root has patched CVE-2026-47838 in the io.root.org.springframework.security:spring-security-web package for Root:Maven. Multiple fixed versions available...

8.1CVSS6.1AI score0.00116EPSS
Exploits0
Nuclei
Nuclei
added yesterday21 views

Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution

Spring Data REST 2.6.9 and 3.0.1, Spring Boot 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending malicious PATCH requests. id: CVE-2017-8046 info: name: Spri...

9.8CVSS7.5AI score0.74355EPSS
Exploits8References5
Nuclei
Nuclei
added yesterday55 views

Spring Cloud Config Server - Local File Inclusion

Spring Cloud Config Server versions 2.1.x prior to 2.1.2, 2.0.x prior to 2.0.4, 1.4.x prior to 1.4.6, and older unsupported versions are vulnerable to local file inclusion because they allow applications to serve arbitrary configuration files. An attacker can send a request using a specially...

6.5CVSS6.7AI score0.85295EPSS
Exploits6References5
Nuclei
Nuclei
added 3 days ago26 views

Apache ActiveMQ - Remote Code Execution

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations o...

8.8CVSS7.2AI score0.96666EPSS
Exploits13References3
Nuclei
Nuclei
added 3 days ago103 views

Spring Cloud Gateway Code Injection

Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote...

10CVSS7.1AI score0.98253EPSS
Exploits54References5
Rows per page
Query Builder