26 matches found
CVE-2026-41862
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected version...
EUVD-2026-38596
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected version...
CVE-2026-41862
CVE-2026-41862 affects Spring Statemachine Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) which deserialize persisted StateMachineContext without a class allowlist. This can enable a gadget chain leading to remote code execution inside the application JVM. Affected versions a...
PT-2026-51593
Name of the Vulnerable Software and Affected Versions Spring Statemachine versions 4.0.0 through 4.0.1 Spring Statemachine versions 3.2.0 through 3.2.4 Description Kryo-based persistence backends, including JPA, MongoDB, Redis, and ZooKeeper, deserialize persisted state-machine contexts without...
python-statemachine SCXML <data expr> Eval Injection
Summary python-statemachine 3.1.2 evaluates expr attributes in SCXML documents using Python's eval. Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process. Details SCXMLProcessor.parse_scxml_file...
EUVD-2026-37730
python-statemachine SCXML Eval Injection...
CVE-2026-47103
Python StateMachine 3.0.0 before 3.2.0 has a remote code execution flaw: crafted SCXML documents whose expression attributes are unsafely evaluated via eval() in the SCXMLProcessor enable arbitrary code execution in the hosting process. Affected versions are 3.0.0 up to (but not including) 3.2.0. The CVSS metrics i...
PT-2026-50440
Name of the Vulnerable Software and Affected Versions Python StateMachine versions 3.0.0 through 3.1.x Description An issue exists where the library evaluates expressions from SCXML documents unsafely. The SCXMLProcessor passes attacker-controlled expression strings from attributes through a call...
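The eval injection described in the python-statemachine entries above, shown as an added example. This is not python-statemachine's code and does not reproduce its SCXMLProcessor API: it parses a constructed SCXML datamodel, shows the vulnerable pattern (the expr string reaches eval() unchanged) and a hardened evaluator that walks the expression AST and permits only literals, arithmetic and caller-supplied names. The function and variable names are the example's own.

```python
"""Added example (not python-statemachine's code): why evaluating SCXML
`expr` attributes with eval() is remote code execution, and one hardened
alternative. The SCXML document below is constructed for the example."""
import ast
import operator
import xml.etree.ElementTree as ET

# Constructed sample: a benign datamodel entry followed by a hostile one.
# Under eval() the hostile expr runs with the hosting process's privileges;
# os.getcwd() stands in for anything an attacker would actually call.
SAMPLE_SCXML = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0">
  <datamodel>
    <data id="retries" expr="3 * 2"/>
    <data id="pwned" expr="__import__('os').getcwd()"/>
  </datamodel>
</scxml>"""

NS = {"sc": "http://www.w3.org/2005/07/scxml"}


def data_exprs(doc: str) -> dict:
    """Collect <data id expr> pairs from an SCXML document of any origin."""
    root = ET.fromstring(doc)
    return {d.get("id"): d.get("expr") for d in root.iterfind(".//sc:data", NS)}


def unsafe_eval(expr: str):
    """The vulnerable pattern: the attacker's string reaches eval() unchanged."""
    return eval(expr)  # deliberately vulnerable, do not copy


# Hardened evaluator: only these node types are interpreted.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.Mod: operator.mod}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_LITERALS = (int, float, str, bool, type(None))


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the allowlisted subset."""


def safe_eval(expr: str, variables=None):
    """Evaluate a datamodel expression without eval(): constants, arithmetic
    and lookups of names the caller explicitly supplies. Calls, attribute
    access, subscripts and unknown names are rejected, so
    __import__('os') never resolves to anything."""
    variables = variables or {}

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, _LITERALS):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in variables:
                return variables[node.id]
            raise UnsafeExpression(f"unknown name {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
            return _UNOPS[type(node.op)](ev(node.operand))
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")

    return ev(ast.parse(expr, mode="eval"))


def rejects(expr: str) -> bool:
    """True if the hardened evaluator refuses the expression."""
    try:
        safe_eval(expr)
    except (UnsafeExpression, SyntaxError):
        return True
    return False


def load_datamodel(doc: str, evaluator=safe_eval) -> dict:
    """Build the initial datamodel; hostile entries raise instead of executing."""
    return {name: evaluator(expr) for name, expr in data_exprs(doc).items()}


if __name__ == "__main__":
    exprs = data_exprs(SAMPLE_SCXML)
    print("benign expr via eval:", unsafe_eval(exprs["retries"]))
    print("hostile expr via eval actually ran:", unsafe_eval(exprs["pwned"]))
    try:
        load_datamodel(SAMPLE_SCXML)
    except UnsafeExpression as e:
        print("hardened evaluator rejected hostile expr:", e)
```

The allowlist approach is deliberately narrow: the fix is to decide which syntax the datamodel legitimately needs and interpret only that, rather than trying to blocklist dangerous names in a string handed to eval().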
CVE-2026-41862: Kryo deserialization of persisted context without class allowlist
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM...
CVE-2018-12290
The Yii2-StateMachine extension v2.x.x for Yii2 has XSS...
CVE-2023-54235
In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroy_work_on_stack() race The following debug object splat was observed in testing: ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510 WARNING: CPU: ...
CVE-2023-52456
A flaw was found in the UART driver handling RS485 communication in the Linux Kernel when an unexpected closure of the TTY port occurs, such as during a userland application crash. In this scenario, the imx_uart_shutdown function disables the UART interface and the Transmission Complete (TC) interrup...
Design/Logic Flaw
In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TXEN pin. When the TTY port is closed in the middle of a...
CVE-2023-52456
CVE-2023-52456 affects the Linux kernel, specifically the imx serial driver used for RS-485 when the TX state machine can deadlock if the TTY is closed mid-transmission. In that scenario, imx_uart_shutdown disables the interface and the Transmission Complete interrupt, causing imx_uart_stop_tx to...
CVE-2023-52456 serial: imx: fix tx statemachine deadlock
In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TXEN pin. When the TTY port is closed in the middle of a...
CVE-2023-52456
In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TXEN pin. When the TTY port is closed in the middle of a...
This Week in Spring - October 31st, 2023
Hi Spring fans, and Happy Halloween from the Spring team to those who celebrate! I hope your evening is fun and your day free of scary bugs! My friends, we've got some interesting stuff to look at this week so let's dive right into it. A Bootiful Podcast: Mr. Spring in Action, Craig Walls Spring...
GHSA-65QG-F77J-CCCF Yii2-StateMachine extension for Yii2 XSS Vulnerability
The Yii2-StateMachine extension v2.x.x for Yii2 has XSS...