Lucene search
+L
VeracodeRecent

38468 matches found

Veracode
Veracode
•added 2026/05/04 8:5 p.m.•16 views

Cross-site Scripting (XSS)

org.apache.activemq, activemq-web is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper neutralization of script-related HTML content in the web console, which allows an attacker to inject and execute malicious HTML/JavaScript by manipulating content type and JMS selecto...

6.5CVSS5.9AI score0.0056EPSS
Exploits0References3Affected Software4
Veracode
Veracode
•added 2026/05/04 12:12 p.m.•13 views

Authentication Bypass

Apache Camel is vulnerable to Authentication Bypass. The vulnerability is due to the authentication handler matching only the exact configured context path, not its subpaths, where unauthenticated requests to subpaths can reach protected business routes and management endpoints without being...

8.2CVSS5.8AI score0.00622EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2026/05/04 11:11 a.m.•12 views

Improper Access Control

Apache Storm is vulnerable to Improper Access Control. The vulnerability is due to fail-open handling of TLS client authentication in TlsTransportPlugin, where SSLPeerUnverifiedException is suppressed and a fallback principal CN=ANONYMOUS is assigned, allowing unauthenticated clients to obtain a...

6.5CVSS5.8AI score0.00286EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/04 10:52 a.m.•13 views

Information Exposure

org.springframework.grpc, spring-grpc-core is vulnerable to information exposure through error messages. The vulnerability is due to returning raw server-side AuthenticationException messages in the gRPC status description, which allows an attacker to gather authentication failure details and...

5.3CVSS5.8AI score0.002EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/05/04 9:41 a.m.•19 views

Improper Input Validation

org.apache.activemq, activemq-broker is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation in HTTP Discovery transport handling, which allows an authenticated attacker to bypass previous fixes and exploit broker configuration loading to execute arbitrary...

8.8CVSS7.7AI score0.04783EPSS
Exploits14References6Affected Software3
Veracode
Veracode
•added 2026/05/04 8:52 a.m.•10 views

Insecure Deserialization

org.apache.camel, camel-jms is vulnerable to insecure deserialization. The vulnerability is due to unsafe deserialization of JMS ObjectMessage payloads without applying input filters or class restrictions, which allows an attacker to send a crafted message and achieve remote code execution if a...

9.8CVSS6.4AI score0.00881EPSS
Exploits2References8Affected Software4
Veracode
Veracode
•added 2026/05/04 8:43 a.m.•13 views

Deserialization Of Untrusted Data

Apache Camel is vulnerable to Unsafe Deserialization. The vulnerability is due to deserialization of untrusted data in ConsulRegistryUtils.deserialize using ObjectInputStream.readObject without applying an ObjectInputFilter, allowing attackers with write access to the Consul KV store to inject...

8.8CVSS6.1AI score0.00667EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/05/04 8:36 a.m.•13 views

Authentication Bypass

Spring gRPC is vulnerable to Authentication Bypass. The vulnerability is due to improper clearing of the authenticated security context on gRPC worker threads, where a previously authenticated identity may persist after an access denial and be reused by a subsequent request, potentially leading t...

8.8CVSS5.8AI score0.00171EPSS
Exploits0References2Affected Software2
Veracode
Veracode
•added 2026/05/04 8:26 a.m.•11 views

Deserialization Vulnerability

Aache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to incomplete enforcement of a classname allowlist in AbstractIoBuffer.getObject, where deserialization occurs before validation, allowing execution of static initializers in malicious classes and potentially leading to...

9.8CVSS6.2AI score0.00451EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/04 6:9 a.m.•6 views

Information Disclosure

github.com/zitadel/zitadel is vulnerable to information disclosure. The vulnerability is due to exposure of the total number of instance users through the totalResult field, which allows an authenticated attacker to infer sensitive usage metrics regardless of their permissions...

5.3CVSS5.9AI score0.00195EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/04 6:1 a.m.•9 views

HTML Injection

github.com/abhinavxd/libredesk is vulnerable to stored HTML injection. The vulnerability is due to improper sanitization of user input in the contact notes feature, which allows an attacker to inject arbitrary HTML by manipulating the request and exploit it to perform phishing, CSRF-style actions...

8.6CVSS5.9AI score0.00193EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/03 7:11 p.m.•11 views

Path Confusion

Caddy is vulnerable to Path Confusion. The vulnerability is due to incorrect path splitting logic in FastCGI processing, where strings.ToLower is applied before computing byte offsets, causing incorrect SCRIPTNAME, SCRIPTFILENAME, and PATHINFO values for certain Unicode paths and potentially...

9.8CVSS7.3AI score0.00542EPSS
Exploits1References5Affected Software2
Veracode
Veracode
•added 2026/05/03 4:52 p.m.•13 views

Improper Certificate Validation

Caddy is vulnerable to Improper Certificate Validation. The vulnerability is due to swallowed errors in ClientAuthentication.provision, where failures loading trustedcacertfile or trustedcacertspemfiles are ignored, causing mTLS authentication to fail open and accept any client certificate signed...

9.3CVSS5.8AI score0.00267EPSS
Exploits1References6Affected Software2
Veracode
Veracode
•added 2026/05/03 4:46 p.m.•14 views

Improper Access Control

Caddy is vulnerable to Improper Access Control. The vulnerability is due to incorrect case-insensitive matching in the HTTP path request matcher when percent-encoded sequences are present, allowing attackers to alter request path casing and bypass path-based routing or attached access controls...

9.1CVSS5.8AI score0.0037EPSS
Exploits1References4Affected Software2
Veracode
Veracode
•added 2026/05/03 1:35 a.m.•15 views

Authorization Bypass

google.golang.org/grpc is vulnerable to authorization bypass. The vulnerability is due to improper validation of the HTTP/2 :path pseudo-header, which allows an attacker to send malformed requests without a leading slash and bypass path-based authorization policies when fallback "allow" rules are...

9.1CVSS6.8AI score0.01557EPSS
Exploits1References188Affected Software3
Veracode
Veracode
•added 2026/04/30 5:13 p.m.•17 views

CRLF Injection

Axios is vulnerable to CRLF Injection. The vulnerability is due to improper sanitization of the Content-Type value in multipart form-data construction, which allows an attacker to inject arbitrary headers into the request body via crafted input...

5.3CVSS5.9AI score0.0024EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/04/30 5:2 p.m.•13 views

Insertion Of Sensitive Information Into Sent Data

Axios is vulnerable to Insertion of Sensitive Information Into Sent Data. The vulnerability is due to improper use of truthy/falsy evaluation for the withXSRFToken configuration instead of strict boolean checks, which allows an attacker to force XSRF tokens to be sent to malicious cross-origin...

5.4CVSS5.8AI score0.00228EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 4:17 p.m.•13 views

Improper Resource Consumption

Axios is vulnerable to Improper Resource Consumption. The vulnerability is due to lack of enforcement of maxContentLength when using responseType 'stream', which allows an attacker to send large responses leading to unbounded resource consumption...

5.3CVSS5.8AI score0.00421EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 10:4 a.m.•19 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to inadequate hostname normalization and reliance on string matching in proxy bypass logic, which allows an attacker to route local requests through a proxy instead of bypassing it...

7.5CVSS5.2AI score0.00301EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 9:54 a.m.•11 views

Uncontrolled Recursion

Axios is vulnerable to uncontrolled recursion. The vulnerability is due to the toFormData function recursively processing deeply nested objects without a depth limit, which allows an attacker to supply specially crafted input that triggers a stack overflow and crashes the Node.js process...

7.5CVSS5.3AI score0.00717EPSS
Exploits1References43Affected Software1
Veracode
Veracode
•added 2026/04/30 9:53 a.m.•19 views

Cross-site Scripting (XSS)

DOMPurify is vulnerable to cross-site scripting XSS. The vulnerability is due to SAFEFORTEMPLATES not stripping ... expressions in RETURNDOM or RETURNDOMFRAGMENT modes, which allows an attacker to exploit template-evaluating frameworks like Vue 2 to execute malicious scripts...

6.8CVSS4.8AI score0.00248EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/04/30 9:40 a.m.•13 views

Sensitive Information Disclosure

Apache Kafka is vulnerable to Sensitive Information Disclosure. The vulnerability is due to logging of sensitive request and response data at DEBUG level in the NetworkClient component, which allows an attacker with log access to obtain sensitive information...

5.3CVSS5.2AI score0.00535EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/30 9:31 a.m.•11 views

Prototype Pollution

Axios is vulnerable to a Prototype Pollution. The vulnerability is due to improper validation of the parseReviver property in the transformResponse function, which allows an attacker to exploit a polluted Object.prototype and manipulate JSON response data, leading to privilege escalation and...

9.1CVSS5.2AI score0.00586EPSS
Exploits1References42Affected Software1
Veracode
Veracode
•added 2026/04/30 8:44 a.m.•11 views

Cross-site Scripting

DOMPurify is vulnerable to a Cross-site Scripting. The vulnerability is due to reliance on prototype-inherited properties during sanitization, where a prior prototype pollution can inject permissive tagNameCheck and attributeNameCheck logic, allowing malicious elements and attributes including...

6.9CVSS5.3AI score0.00225EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/30 8:31 a.m.•13 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to missing hasOwnProperty checks when reading object properties, which allows an attacker to exploit polluted prototypes to intercept and modify JSON responses or hijack HTTP transport, gaining access to sensitive request data...

7.4CVSS5.2AI score0.00808EPSS
Exploits1References43Affected Software1
Veracode
Veracode
•added 2026/04/30 7:50 a.m.•10 views

Sensitive Information Disclosure

Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to bypass of timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...

3.7CVSS5.2AI score0.00215EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/04/30 7:25 a.m.•9 views

Improper Authentication

org.springframework.security:spring-security-oauth2-jose is vulnerable to Improper Authentication. The vulnerability is due to missing configuration of a JWT validator when using NimbusJwtDecoder or NimbusReactiveJwtDecoder, which allows an attacker to bypass token validation with crafted JWTs...

6.5CVSS5.2AI score0.00203EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/04/30 6:55 a.m.•11 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to use of the in operator in the mergeDirectKeys strategy for validateStatus, which traverses the prototype chain, allowing a polluted Object.prototype.validateStatus to override behavior and treat all HTTP responses as...

8.2CVSS5.3AI score0.00611EPSS
Exploits1References43Affected Software1
Veracode
Veracode
•added 2026/04/30 6:14 a.m.•10 views

Null Pointer Dereference

github.com/emiago/sipgo is vulnerable to a Null pointer dereference. The vulnerability is due to missing nil checks for the To header in the NewResponseFromRequest function, which allows an attacker to exploit it by sending a malformed SIP request without a To header and crash the application...

8.7CVSS7.7AI score0.00495EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 5:14 a.m.•20 views

Stream Request Bypass

Axios is vulnerable to Stream Request Bypass. The vulnerability is due to the bypassing of maxBodyLength when maxRedirects is set to 0 for stream request bodies, where oversized streamed uploads are sent fully even when the caller sets strict body limits...

5.3CVSS5.2AI score0.00327EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 4:43 a.m.•16 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to a gadget in the HTTP adapter lib/adapters/http.js that relies on duck-typed checks for FormData, allowing attacker-controlled properties on Object.prototype e.g., getHeaders to be invoked and inject arbitrary HTTP headers int...

7.4CVSS5.9AI score0.00394EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/30 3:15 a.m.•13 views

Improper Access Control

Caddy is vulnerable to Improper Access Control. The vulnerability is due to incorrect case-insensitive matching in the HTTP host request matcher when large host lists are configured, allowing attackers to modify the casing of the Host header and bypass host-based routing or associated access...

9.1CVSS5.8AI score0.0037EPSS
Exploits1References4Affected Software2
Veracode
Veracode
•added 2026/04/29 1:18 p.m.•23 views

Improper Access Control

Spring Security is vulnerable to Improper Access Control. The vulnerability is due to incorrect request matching when using securityMatchersString with a PathPatternRequestMatcher.Builder that prepends a servlet path, causing requests to bypass the intended filter chain and leaving authentication...

7.5CVSS5.8AI score0.00248EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/04/29 1:3 p.m.•10 views

Certificate Impersonation

spring-security-web is vulnerable to certificate impersonation. The vulnerability is due to improper parsing of malformed X.509 certificate CN values in SubjectX500PrincipalExtractor, which can result in extracting an incorrect username and allow attackers to impersonate another user...

8.1CVSS5.2AI score0.00296EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/04/29 11:31 a.m.•9 views

Authorization Bypass

spring-security-config is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of the servlet-path attribute in , where the servlet path is not included when computing the path matcher, causing defined authorization rules to be skipped and allowing unauthorized acces...

7.5CVSS5.1AI score0.00266EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/04/29 11:4 a.m.•9 views

Arbitrary File Overwrite

org.springframework.boot, spring-boot is vulnerable to arbitrary file overwrite. The vulnerability is due to insecure handling of the PID file via ApplicationPidFileWriter, which allows a local attacker with write access to the PID file location to exploit symlink behavior and overwrite or corrup...

6.7CVSS5.5AI score0.00112EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/04/29 10:52 a.m.•10 views

Improper Hostname Verification

Spring Boot is vulnerable to improper hostname verification. The vulnerability is due to missing hostname verification in SSL bundle configuration, which allows an attacker to perform man-in-the-middle attacks by impersonating the RabbitMQ broker...

9.1CVSS5.2AI score0.00157EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/04/29 10:41 a.m.•10 views

Default Security Bypass

Spring Boot is vulnerable to Default Security Bypass. The vulnerability is due to Spring Boot's default web security being ineffective, where an application with no Spring Security configuration and relying on the default web security filter chain can allow unauthorized access to all endpoints, a...

9.1CVSS5.3AI score0.00489EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2026/04/29 10:20 a.m.•15 views

Denial Of Service (DoS)

Spring Core is vulnerable to Denial of Service DoS. The vulnerability is due to inefficient handling of static resource resolution on Windows file systems, where specially crafted requests can take excessive time to process and hold HTTP connections open, leading to resource exhaustion and servic...

5.3CVSS5.3AI score0.00341EPSS
Exploits0References4Affected Software3
Veracode
Veracode
•added 2026/04/29 10:18 a.m.•14 views

Improper Control Of Temporary Directory Access

org.springframework.boot, spring-boot is vulnerable to improper control of temporary directory access. The vulnerability is due to inadequate ownership verification of the ApplicationTemp directory when persistent sessions are enabled, which allows a local attacker to gain control of the director...

7CVSS5.7AI score0.00136EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/29 10:9 a.m.•13 views

Improper SSL Hostname Verification

org.springframework.boot, spring-boot-elasticsearch is vulnerable to improper SSL hostname verification. The vulnerability is due to missing hostname verification in SSL bundle configuration, which allows an attacker to perform man-in-the-middle attacks by connecting to a malicious Elasticsearch...

6.8CVSS5.2AI score0.00136EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/29 10:4 a.m.•9 views

Denial Of Service (DoS)

Spring Web is vulnerable to Denial of Service DoS. The vulnerability is due to improper cleanup of temporary files created during multipart request processing, where files for large parts may not be deleted after request completion, allowing attackers to exhaust disk space...

6.5CVSS5.2AI score0.00344EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/04/29 9:39 a.m.•14 views

Cache Poisoning

Spring MVC and WebFlux are vulnerable to Cache Poisoning. The vulnerability is due to improper handling of encoded resource resolution when resource chain caching is enabled, allowing attackers to store incorrectly encoded resources in the cache, which can break frontend asset delivery and lead t...

3.1CVSS5.2AI score0.00236EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/04/29 9:24 a.m.•7 views

Weak Random Value Generation For Secrets (weak PRNG)

Spring Boot is vulnerable to the use of a weak pseudo-random number generator PRNG. The vulnerability is due to the use of predictable random value sources e.g., $random.value, $random.int, $random.long, which allows an attacker to guess or brute-force generated secrets and compromise application...

8.2CVSS5.8AI score0.00312EPSS
Exploits0References10Affected Software2
Veracode
Veracode
•added 2026/04/29 8:5 a.m.•10 views

Timing Attack

org.springframework.boot, spring-boot-devtools is vulnerable to a timing attack. The vulnerability is due to insecure comparison of the DevTools remote secret, which allows an attacker on the same network to exploit timing differences to guess the secret and potentially achieve remote code...

7.5CVSS5.8AI score0.00262EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/29 6:40 a.m.•16 views

Improper Input Validation

org.springframework.security:spring-security-oauth2-authorization-server is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of client metadata fields during dynamic client registration, which allows an attacker to register a malicious client and exploi...

9.6CVSS5.2AI score0.00425EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/04/28 5:26 p.m.•16 views

Improper Authentication

Apache HttpClient is vulnerable to Improper Authentication. The vulnerability is due to a missing verification step in SCRAM-SHA-256 authentication, which allows an attacker to bypass proper mutual authentication checks and be accepted by the client...

7.3CVSS5.3AI score0.00456EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/04/28 12:43 p.m.•8 views

Time-of-check Time-of-use

Spring Security is vulnerable to a Time-of-check Time-of-use race condition. The vulnerability is due to a Time-of-Check Time-of-Use TOCTOU issue in JdbcOneTimeTokenService, where token validation and usage are not performed atomically, allowing attackers to reuse or race token consumption and...

4.8CVSS5.2AI score0.00124EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/04/28 8:57 a.m.•12 views

Proxy Bypass

Axios is vulnerable to Proxy Bypass. The vulnerability is due to incomplete NOPROXY handling for loopback addresses, where requests to the 127.0.0.0/8 range excluding 127.0.0.1 bypass proxy restrictions, allowing attackers to access internal or local services despite configured protections...

10CVSS5.2AI score0.00661EPSS
Exploits1References42Affected Software1
Veracode
Veracode
•added 2026/04/28 8:13 a.m.•10 views

Improper Input Encoding

Axios is vulnerable to Improper Input Encoding. The vulnerability is due to incorrect character mapping in the encode function, where safely percent-encoded null bytes %00 are converted back to raw null bytes, potentially leading to unsafe request data handling in affected usage scenarios...

3.7CVSS5.2AI score0.00217EPSS
Exploits1References2Affected Software1
Total number of security vulnerabilities38468