
1738 matches found

RedHat Linux
added 2025/12/04 11:30 a.m., 3 views

cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM XML is validated, external XML entities can be processed (XXE), allowing an attacker to...

7.5 CVSS | 5.7 AI score | 0.00321 EPSS
Exploits: 0 | References: 9

EUVD
added 2025/12/02 3:30 p.m., 2 views

EUVD-2025-200244

Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculat...

6.9 CVSS | 6.3 AI score | 0.0018 EPSS
Exploits: 0 | References: 3

vulnersOsv
added 2025/11/28 6:32 a.m., 3 views

net.codinux.invoicing:e-invoice (>=0.5.0 <=0.5.2), net.codinux.invoicing:e-invoice-jvm (>=0.6.0 <=0.7.3) potentially affected by CVE-2025-66372 via org.mustangproject:validator (>=2.14.2 <=2.15.1)

org.mustangproject:validator MAVEN version =2.14.2, =0.5.0, =0.6.0, =0.7.3 Source cves: CVE-2025-66372 Source advisory: OSV:GHSA-X832-FPVJ-R5PH...

2.8 CVSS | 5.8 AI score | 0.00104 EPSS
Exploits: 0

vulnersOsv
added 2025/11/28 6:32 a.m., 5 views

net.codinux.invoicing:e-invoice (>=0.5.0 <=0.5.2), net.codinux.invoicing:e-invoice-domain-android (>=0.6.0 <=0.8.0) +2 more potentially affected by CVE-2025-66372 via org.mustangproject:library (>=2.0.0 <=2.16.2)

org.mustangproject:library MAVEN version =2.0.0, =0.5.0, =0.6.0, =0.6.0, =2.0.0, =2.16.2 Source cves: CVE-2025-66372 Source advisory: OSV:GHSA-X832-FPVJ-R5PH...

2.8 CVSS | 5.8 AI score | 0.00104 EPSS
Exploits: 0

RedhatCVE
added 2025/11/28 6:3 a.m., 6 views

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string length...

8.7 CVSS | 7.1 AI score | 0.00437 EPSS
Exploits: 2 | References: 1

Snyk
added 2025/11/28 4:41 a.m., 2 views

XML External Entity (XXE) Injection

Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XML parsing process. An attacker can access sensitive files by submitting specially crafted XML data containing external entities. Details: XXE Injection is a type of attack against an applicatio...

2.8 CVSS | 7.4 AI score | 0.00104 EPSS
Exploits: 0 | References: 2

vulnersOsv
added 2025/11/28 4:41 a.m., 3 views

net.codinux.invoicing:e-invoice (>=0.5.0 <=0.5.2), net.codinux.invoicing:e-invoice-domain-android (>=0.6.0 <=0.8.0) +2 more potentially affected by CVE-2025-66372 via org.mustangproject:library (>=2.0.0 <=2.16.2)

org.mustangproject:library MAVEN version =2.0.0, =0.5.0, =0.6.0, =0.6.0, =2.0.0, =2.16.2 Source cves: CVE-2025-66372 Source advisory: SNYK:JAVA-ORGMUSTANGPROJECT-14147555...

2.8 CVSS | 5.8 AI score | 0.00104 EPSS
Exploits: 0

vulnersOsv
added 2025/11/28 4:41 a.m., 7 views

net.codinux.invoicing:e-invoice (>=0.5.0 <=0.5.2), net.codinux.invoicing:e-invoice-jvm (>=0.6.0 <=0.7.3) potentially affected by CVE-2025-66372 via org.mustangproject:validator (>=2.14.2 <=2.15.1)

org.mustangproject:validator MAVEN version =2.14.2, =0.5.0, =0.6.0, =0.7.3 Source cves: CVE-2025-66372 Source advisory: SNYK:JAVA-ORGMUSTANGPROJECT-14147556...

2.8 CVSS | 5.8 AI score | 0.00104 EPSS
Exploits: 0

vulnersOsv
added 2025/11/27 6:31 a.m., 3 views

01homework (>=1.0.0 <=1.0.1), 0xauth (>=0.0.2 <=0.0.6) +7191 more potentially affected by CVE-2025-12758 via validator (>=0.1.8 <=13.15.20)

validator NPM version =0.1.8, =1.0.0, =0.0.2, =0.0.6, =0.0.1, =1.0.0, =4.11.0, =0.0.0-canary.0, =0.0.2, =0.0.1, =0.1.0, =0.8.0, =1.0.17, =1.0.33 and more Source cves: CVE-2025-12758 Source advisory: OSV:GHSA-VGHF-HV5Q-VC2G...

8.7 CVSS | 7 AI score | 0.00437 EPSS
Exploits: 2

EUVD
added 2025/11/27 6:31 a.m., 4 views

EUVD-2025-199795

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string length...

8.7 CVSS | 6.6 AI score | 0.00437 EPSS
Exploits: 2 | References: 4

NVD
added 2025/11/27 5:16 a.m., 3 views

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string length...

8.7 CVSS | 0.00437 EPSS
Exploits: 2 | References: 4

OSV
added 2025/11/27 5:16 a.m., 4 views

CVE-2025-12758

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string length...

8.7 CVSS | 7.1 AI score
Exploits: 0 | References: 4

CVE
added 2025/11/27 5:0 a.m., 23 views

CVE-2025-12758

CVE-2025-12758—Validator.js isLength() Unicode variation selector bypass. Multiple IBM advisories reference affected product lines (e.g., IBM App Connect Enterprise, QRadar) where validator versions earlier than 13.15.22 are vulnerable due to incomplete filtering of Unicode variation selectors i...

8.7 CVSS | 6.7 AI score | 0.00437 EPSS
Exploits: 2 | References: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/11/26 4:34 p.m., 5 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to URL validation bypass [CVE-2025-56200]

Summary: node.js module validator is used by IBM App Connect Enterprise Certified Container for data validation. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationRuntime and IntegrationServer operands are vulnerable to URL validation bypass. This bulletin provides patch...

6.1 CVSS | 5.9 AI score | 0.003 EPSS
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/11/26 10:32 a.m., 13 views

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js

Summary: There are multiple vulnerabilities in Java and Node.js used by IBM Application Modernization Accelerator. Vulnerability Details: CVEID: CVE-2025-53066. DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiali...

7.5 CVSS | 6.4 AI score | 0.00633 EPSS
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/11/26 10:31 a.m., 12 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to different node modules (CVE-2025-57350,CVE-2025-56200 & CVE-2025-64118)

Summary: IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to csvtojson, node-tar packages and validator modules CVE-2025-57350, CVE-2025-56200 &...

8.6 CVSS | 6.1 AI score | 0.003 EPSS
Exploits: 1 | Affected Software: 1

OSSF Malicious Packages
added 2025/11/25 9:42 a.m., 5 views

Malicious code in rpc-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eca28ab1eabeac24c0ce55063ac151338d0255fcc2c8f74909566c8c3a3a8b1f The package rpc-validator was found to contain malicious code. Source: ghsa-malware 318ca2489ffa297599695ecb6b29c76c63bb61b59d5380b1092213774438e35d...

6.9 AI score
Exploits: 0 | References: 1

Snyk
added 2025/11/25 9:42 a.m., 3 views

Malicious Package

Overview: rpc-validator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS | 6.8 AI score
Exploits: 0 | References: 2

EUVD
added 2025/11/25 9:42 a.m., 2 views

EUVD-2025-199591

Malicious code in rpc-validator (npm)...

6.6 AI score
Exploits: 0 | References: 1

OSV
added 2025/11/25 9:42 a.m., 2 views

MAL-2025-191466 Malicious code in rpc-validator (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eca28ab1eabeac24c0ce55063ac151338d0255fcc2c8f74909566c8c3a3a8b1f The package rpc-validator was found to contain malicious code. Source: ghsa-malware 318ca2489ffa297599695ecb6b29c76c63bb61b59d5380b1092213774438e35d...

6.8 AI score
Exploits: 0 | References: 1