Linux Distros Unpatched Vulnerability : CVE-2026-40994

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestDat...

CVE-2026-41000

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

CVE-2026-41000 WSS4J validation does not use configured replay cache

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

CVE-2026-40996

CVE-2026-40996 affects Spring Web Services where Wss4jSecurityInterceptor incorrectly defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer validation behavior for RequestData. This could allow RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material in inbound WS-Security dec...

PT-2026-48623

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

PT-2026-48619

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-1 5 encrypted key material unless operators explicitly reconfigured the flag...

VMware Spring Web Services 安全漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are security vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from...

Insecure Defaults

Overview Affected versions of this package are vulnerable to Insecure Defaults due to the Wss4jSecurityInterceptor class in Wss4jSecurityInterceptor.java initializing its bspCompliant flag to false, so inbound validation always calls RequestData.setDisableBSPEnforcementtrue and disables WSS4J's...

Use of RSA Algorithm without OAEP

Overview Affected versions of this package are vulnerable to Use of RSA Algorithm without OAEP via the Wss4jSecurityInterceptor class, in the Wss4jSecurityInterceptor.java file due to defaulting allowRSA15KeyTransportAlgorithm to true when building the validation RequestData. This overrides Apach...

EUVD-2022-5374

Malicious code in bioql PyPI...

EUVD-2022-3343

Malicious code in bioql PyPI...

EUVD-2022-1624

Malicious code in bioql PyPI...

Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express.

Summary There are multiple vulnerabilities in Open Source Apache Tomcat that is used by IBM Cognos Express. Additionally, there are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 that is used by IBM Cognos Express. This bulletin also addresses LOGJAM: The...

Security Bulletin: A vulnerability in Apache WSS4J affects IBM Tivoli Business Service Manager (CVE-2014-3623)

Summary Apache WSS4J is shipped with IBM Tivoli Business Manager 6.2.0 as part of its web services infrastructure. Information about security vulnerabilities affecting Apache WSS4J has been published in a security bulletin. Vulnerability Details CVEID:CVE-2014-3623 DESCRIPTION: Apache CXF could...

com.amazon.aes.webservices.client:ec2-java-client (=20080327), com.cybersource:cybersource-sdk-java (>=6.2.0 <=6.2.1) +83 more potentially affected by CVE-2015-0227 via wss4j:wss4j (>=1.5.0 <=1.5.1)

wss4j:wss4j MAVEN version =1.5.0, =6.2.0, =1.0.12, =9.00.2110.07.220316, =0.0.9, =0.0.3, =0.0.3, =0.0.3, =0.0.3, =0.3.0 - com.github.rapidark:rapid-ark-pretty =0.3.0 - com.github.rapidark:rapid-ark-pretty-demo =0.3.0 - com.github.rapidark:rapid-ark-pretty-demo-keeper =0.3.0 -...

br.net.woodstock.rockframework:rockframework-web (>=1.2.1 <=1.2.2), com.cybersource:cybersource-sdk-java (>=6.0.1 <=6.1.0) +333 more potentially affected by CVE-2015-0227 via org.apache.ws.security:wss4j (>=1.5.2 <=1.6.16)

org.apache.ws.security:wss4j MAVEN version =1.5.2, =1.2.1, =6.0.1, =1.0.1, =1.1.0.Beta5, =1.1.0.Beta5, =1.1.0.Beta5, =1.1.0.Beta1, =1.0.0, =1.2.0 and more Source cves: CVE-2015-0227 Source advisory: OSV:GHSA-6R5V-HP32-FJQW...

GHSA-6R5V-HP32-FJQW Improper Access Control in Apache WSS4J

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."...

Improper Access Control in Apache WSS4J

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."...

Improper Authentication in Apache WSS4J

The LDAPLoginModule implementation in the Java Authentication and Authorization Service JAAS in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier...

net.gplatform:sudoor-server-lib (>=1.0.4 <=1.0.8), no.difi.sdp:sikker-digital-post-java-klient (>=1.0 <=1.2.0.RC1) +60 more potentially affected by CVE-2015-0226 via org.apache.wss4j:wss4j-ws-security-dom (>=2.0.0 <=2.0.10)

org.apache.wss4j:wss4j-ws-security-dom MAVEN version =2.0.0, =1.0.4, =1.0, =0.9, =0.9, =1.1.9 - org.apache.camel:camel-example-reportincident-wssecurity =2.14.0 - org.apache.cxf.fediz.examples.wsclientWebapp.webservice:fedizservice =1.2.4 - org.apache.cxf.fediz.examples.wsclientWebapp:webapp =1.2...