JavaMelody through 1.60.0 has XSS via the counter parameter in a clear_counter action to the /monitoring URI.
6.1CVSS
5.9AI Score
0.001EPSS
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
9.8CVSS
9.4AI Score
0.004EPSS