
22 matches found

RedhatCVE
added 2026/06/11 2:59 p.m., 10 views

CVE-2026-41732

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, AI score 5.4, EPSS 0.00347
Exploits 0, References 1
EUVD
added 2026/06/10 12:31 a.m., 9 views

EUVD-2026-35909

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, AI score 5.5, EPSS 0.00347
Exploits 0, References 2
OSV
added 2026/06/10 12:31 a.m., 6 views

GHSA-XQ69-5H5V-X9X4 In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1, AI score 5.5, EPSS 0.0034
Exploits 0, References 3
EUVD
added 2026/06/10 12:31 a.m., 7 views

EUVD-2026-35908

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1, AI score 5.6, EPSS 0.0034
Exploits 0, References 2
CVE
added 2026/06/09 11:49 p.m., 31 views

CVE-2026-41732

CVE-2026-41732 affects Spring for Apache Pulsar due to JsonPulsarHeaderMapper using a prefix-based check on trusted packages, causing trust to cascade to subpackages. An empty trusted-packages config can default to trusting all packages. This exposes potential deserialization risk by allowing acc...

CVSS 8.1, AI score 5.5, EPSS 0.00347
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/06/09 11:49 p.m., 27 views

CVE-2026-41732 In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, EPSS 0.00347
Exploits 0, References 1
Vulnrichment
added 2026/06/09 11:49 p.m., 8 views

CVE-2026-41732 In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, AI score 5.4, EPSS 0.00347
Exploits 0, References 1
Vulnrichment
added 2026/06/09 11:49 p.m., 8 views

CVE-2026-41731 In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted...

CVSS 8.1, AI score 5.6, EPSS 0.0034
Exploits 0, References 1
CVE
added 2026/06/09 11:49 p.m., 52 views

CVE-2026-41731

Spring for Apache Kafka is vulnerable due to overly broad trusted-package matching in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper: they compare type headers against trusted packages with a prefix check, causing any trusted package to implicitly trust all of its subpackages. When combined ...

CVSS 8.1, AI score 5.6, EPSS 0.0034
Exploits 0, References 1, Affected Software 1
Positive Technologies
added 2026/06/09 12:00 a.m., 17 views

PT-2026-48327

Name of the Vulnerable Software and Affected Versions: Spring for Apache Kafka versions 4.0.0 through 4.0.5; Spring for Apache Kafka versions 3.3.0 through 3.3.15; Spring for Apache Kafka versions 3.2.0 through 3.2.13; Spring for Apache Kafka versions 2.9.0 through 2.9.13; Spring for Apache Kafka...

CVSS 8.1, AI score 6, EPSS 0.0034
Exploits 0, References 6
Positive Technologies
added 2026/06/09 12:00 a.m., 13 views

PT-2026-48328

Name of the Vulnerable Software and Affected Versions: Spring for Apache Pulsar versions 1.1.0 through 1.1.17; Spring for Apache Pulsar versions 1.2.0 through 1.2.17; Spring for Apache Pulsar versions 2.0.0 through 2.0.5. Description: JsonPulsarHeaderMapper uses a prefix check to match type headers...

CVSS 8.1, AI score 5.8, EPSS 0.00347
Exploits 0, References 4
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41732: In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1, AI score 5.4, EPSS 0.00347
Exploits 0, References 1, Affected Software 1
Snyk
added 2026/06/09 12:00 a.m., 5 views

Deserialization of Untrusted Data

Overview: org.springframework.pulsar:spring-pulsar is a Spring Pulsar Core. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via trusted package validation in JsonPulsarHeaderMapper. An attacker can trigger deserialization of unintended classes by supplying...

CVSS 9.2, AI score 5.7, EPSS 0.00347
Exploits 0, References 2
RedhatCVE
added 2026/01/27 4:59 a.m., 9 views

CVE-2026-24131

A flaw was found in pnpm, a package manager. When pnpm processes the directories.bin field of a package, it fails to properly validate the path, allowing a malicious npm package to specify a crafted path. This directory traversal vulnerability enables the package to escape its intended directory...

CVSS 6.7, AI score 5.9, EPSS 0.00244
Exploits 1, References 6
The Hacker News
added 2026/01/13 11:55 a.m., 6 views

What Should We Learn From How Attackers Leveraged AI in 2025?

Old Playbook, New Scale: While defenders are chasing trends, attackers are optimizing the basics. The security industry loves talking about "new" threats. AI-powered attacks. Quantum-resistant encryption. Zero-trust architectures. But looking around, it seems like the most effective attacks in 2025...

AI score 6.4
Exploits 0
Securelist
added 2025/12/03 8:10 p.m., 3 views

Shai Hulud 2.0, now with a wiper flavor

In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed "Shai-Hulud", and we published an in-depth analysis of it in another post. Recently, a new version was discovered. Shai Hulud 2.0 is a type of two-stage worm-like malwa...

AI score 6.5
Exploits 0
OSV
added 2025/05/06 12:30 p.m., 1 view

GHSA-53WX-PR6Q-M3J5 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...

CVSS 7.1, AI score 7.4, EPSS 0.01446
Exploits 0, References 5
Vulnrichment
added 2025/05/06 9:08 a.m., 11 views

CVE-2025-46762 Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be...

CVSS 7.1, AI score 7.6, EPSS 0.01446
Exploits 0, References 1
Positive Technologies
added 2022/02/09 12:00 a.m., 5 views

PT-2022-28163 · Apache · Maven Enforcer Plugin

Name of the Vulnerable Software and Affected Versions: Artemis Java Test Sandbox versions prior to 1.8.0. Description: The issue allows an attacker to escape the sandbox by including class files in a package that Ares trusts, enabling the execution of arbitrary Java code when a victim runs the...

CVSS 8.2, AI score 8.3, EPSS 0.0035
Exploits 1, References 13
OSV
added 2019/11/27 9:15 p.m., 2 views

CVE-2011-2515

PackageKit 0.6.17 allows installation of unsigned RPM packages as though they were signed, which may allow installation of non-trusted packages and execution of arbitrary code...

CVSS 5.3, AI score 7, EPSS 0.00393
Exploits 0, References 5