Lucene search
K

1227 matches found

Veracode
Veracode
added 2026/04/29 11:31 a.m.8 views

Authorization Bypass

spring-security-config is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of the servlet-path attribute in , where the servlet path is not included when computing the path matcher, causing defined authorization rules to be skipped and allowing unauthorized acces...

7.5CVSS5.1AI score0.00266EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2026/04/28 12:43 p.m.8 views

Time-of-check Time-of-use

Spring Security is vulnerable to a Time-of-check Time-of-use race condition. The vulnerability is due to a Time-of-Check Time-of-Use TOCTOU issue in JdbcOneTimeTokenService, where token validation and usage are not performed atomically, allowing attackers to reuse or race token consumption and...

4.8CVSS5.2AI score0.00124EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/27 12:53 p.m.5 views

CVE-2026-22747

A flaw was found in Spring Security. This vulnerability allows a remote attacker to impersonate another user. The SubjectX500PrincipalExtractor component incorrectly handles certain malformed X.509 certificate Common Name CN values, which can lead to the system reading an incorrect username. By...

8.1CVSS5.5AI score0.00296EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/27 12:48 p.m.5 views

CVE-2026-22754

A flaw was found in Spring Security. When an application uses to define authorization rules, the servlet path may not be correctly included in the path matcher. This oversight can lead to an authorization bypass, allowing a remote attacker to access protected resources without proper authenticati...

7.5CVSS5.4AI score0.00266EPSS
Exploits0References4
Circl
Circl
added 2026/04/27 11:57 a.m.6 views

CVE-2026-40967

creationtimestamp| type| source ---|---|--- 2026-04-27 11:57:47+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/spring-security-advisory-av26-397 2026-04-28 05:17:59+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mkjthfhfzr2u 2026-04-28 12:15:14+00:00| seen|...

8.6CVSS5.7AI score0.00394EPSS
Exploits0References5
Circl
Circl
added 2026/04/27 11:57 a.m.5 views

CVE-2026-40978

creationtimestamp| type| source ---|---|--- 2026-04-27 11:57:47+00:00| seen| https://cyber.gc.ca/en/alerts-advisories/spring-security-advisory-av26-397 2026-04-28 12:17:24+00:00| seen| https://bsky.app/profile/o2cloud.bsky.social/post/3mkkkritijh27 2026-04-29 19:07:08+00:00| seen|...

8.8CVSS5.7AI score0.00338EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/27 7:43 a.m.15 views

Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.

Summary Maximo AI Service uses nltk-3.9.1-py3-none-any.whl, mlflow-3.1.0-py3-none-any.whl, and spring-security-web-6.5.7.jar, which are vulnerable to CVE-2025-14009, CVE-2026-2635, CVE-2026-0848, and CVE-2026-22732. This bulletin contains information regarding how to address the vulnerabilities...

10CVSS9.8AI score0.00968EPSS
Exploits6Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/25 10:49 a.m.8 views

CVE-2026-22748

A flaw was found in Spring Security. When an application is configured to decode JSON Web Tokens JWTs using NimbusJwtDecoder or NimbusReactiveJwtDecoder, it may not properly validate these tokens if an OAuth2TokenValidator is not explicitly configured. This oversight could allow an attacker with...

6.5CVSS5.3AI score0.00203EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/25 10:49 a.m.5 views

CVE-2026-22753

A flaw was found in Spring Security. When an application uses specific configurations involving securityMatchersString and PathPatternRequestMatcher.Builder to handle servlet paths, the intended security controls may not be applied. This can result in a security bypass, where authentication and...

7.5CVSS5.2AI score0.00248EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/25 10:43 a.m.4 views

CVE-2026-22746

A flaw was found in Spring Security. If an application uses the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, an attacker can bypass the DaoAuthenticationProvider's timing attack defense. This bypass allows an attacker to potentially gain limited information...

3.7CVSS5.2AI score0.00215EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/25 10:34 a.m.4 views

CVE-2026-22751

A flaw was found in Spring Security, specifically in applications configured for One-Time Token login using JdbcOneTimeTokenService. This vulnerability is due to a Time-of-check Time-of-use TOCTOU race condition. A remote attacker with high attack complexity could exploit this flaw to achieve low...

4.8CVSS5.2AI score0.00124EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/22 12:26 p.m.2 views

Insufficient Verification of Data Authenticity

Overview org.springframework.security:spring-security-oauth2-jose is a provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the withIssuerLocation component. An attacker can bypass intended...

6.5CVSS5.5AI score0.00203EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/22 12:26 p.m.9 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +309 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-oauth2-jose MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

6.5CVSS5.7AI score0.00203EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 12:26 p.m.6 views

app.valuationcontrol:library (>=0.5.2 <=0.5.5), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +998 more potentially affected by CVE-2026-22748 via org.springframework.security:spring-security-oauth2-jose (>=6.0.0 <=6.5.1)

org.springframework.security:spring-security-oauth2-jose MAVEN version =6.0.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =1.10.0, =1.10.0, =1.10.0, =1.0.0, =1.55.1, =1.55.1, =3.1.0, =3.1.0, =8.4.0, =1.0.0, =17.16.0, =17.39.3 and more Source cves: CVE-2026-22748 Source advisory:...

6.5CVSS5.7AI score0.00203EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 12:26 p.m.8 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +835 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

7.5CVSS5.7AI score0.00248EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/04/22 12:25 p.m.9 views

ai.langsa:ccaas-starter (>=cloud-0.1 <=cloud-0.3), ai.langsa:pom-ccaas-langsa (=0.1) +5150 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=6.0.0 <=6.5.1)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =cloud-0.1, =0.5.2, =0.5.0, =0.0.1, =55.v51410e712e0c, =7.0.0, =2.0.0, =1.5.1.RELEASE, =1.0.0, =1.0.0, =1.2.1 and more Source cves: CVE-2026-22746 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKSECURITY-16121176...

3.7CVSS5.7AI score0.00215EPSS
Exploits0
Snyk
Snyk
added 2026/04/22 12:25 p.m.3 views

Information Exposure

Overview org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Information Exposure in the DaoAuthenticationProvider component. An attacker can determine the status of user...

6.3CVSS5.5AI score0.00215EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/22 12:25 p.m.8 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +1099 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-core MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

3.7CVSS5.7AI score0.00215EPSS
Exploits0
Snyk
Snyk
added 2026/04/22 12:24 p.m.3 views

Access Control Bypass

Overview org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to Access Control Bypass in the XML authorization rules processing when the servlet-path attribute is used. An attacker can gain...

8.7CVSS5.4AI score0.00266EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/22 12:24 p.m.8 views

be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +835 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)

org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...

7.5CVSS5.7AI score0.00266EPSS
Exploits0
Rows per page
Query Builder