6 matches found
CVE-2015-1833
The CVE-2015-1833 issue is an XXE vulnerability in Apache Jackrabbit’s WebDAV handling where the XML parser can be coerced to read local/network resources. Affected versions include Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10....
CVE-2023-37895
Summary: CVE-2023-37895 affects Apache Jackrabbit Webapp/Standalone via unsafe deserialization in the commons-beanutils component, enabling remote code execution over RMI. Affected RMIs include versions up to 2.20.10 (stable) and 2.21.17 (unstable). Impact: potential remote code execution with...
CVE-2016-6801
CVE-2016-6801: Apache Jackrabbit’s CSRF in WebDAV is due to improper CSRF content-type checks. Affected is Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3. The vulnerability a...
CVE-2009-0026
Summary: CVE-2009-0026 affects Apache Jackrabbit prior to 1.5.2, enabling remote XSS via the q parameter to search.jsp and swr.jsp in the webapp. The root cause is improper escaping/validation of user input in these endpoints, allowing injection of arbitrary HTML/JavaScript into a user’s browser....
CVE-2025-58782
CVE-2025-58782 affects Apache Jackrabbit Core (1.0.0–2.22.1) and Apache Jackrabbit JCR Commons (1.0.0–2.22.1). The issue is Deserialization of Untrusted Data triggered by accepting JNDI URIs for JCR lookup from untrusted users, which can lead to arbitrary code execution through deserialization of...
CVE-2025-53689
CVE-2025-53689 covers blind XXE in Apache Jackrabbit’s jackrabbit-spi-commons and jackrabbit-core prior to 2.23.2, due to an unsecured document build that loads privileges. Public references in the initial and connected documents indicate this affects Confluence Server/Data Center (via bundled Ja...