Trivy Report

Trivy Scan Report

Report Information

Generated At	2026-05-27T03:34:09.705854-07:00
--input	./input/trivy-report-camunda-bpm-platform-7.24.0.json
--output	output/trivy-report-camunda-bpm-platform-7.24.0.html

Vulnerability Summary

Severity	Count
CRITICAL	28
HIGH	75
MEDIUM	101
LOW	47

Vulnerabilities

Severity	CVE	Package	Installed	Fixed	Target	Title
CRITICAL	CVE-2026-41293	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Improper Input Validation vulnerability in Apache Tomcat. This issue ...
CRITICAL	CVE-2026-43512	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
CRITICAL	CVE-2026-43515	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Improper Authorization vulnerability when multiple method constraints ...
CRITICAL	CVE-2026-22732	org.springframework.security:spring-security-web	6.5.3	6.5.9, 7.0.4	distro/run/modules/oauth2/pom.xml	Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers
CRITICAL	CVE-2026-29145	org.apache.tomcat:tomcat	10.1.43	9.0.116, 10.1.53, 11.0.20	distro/tomcat/assembly/pom.xml	Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration
CRITICAL	CVE-2026-41293	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Improper Input Validation vulnerability in Apache Tomcat. This issue ...
CRITICAL	CVE-2026-43512	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
CRITICAL	CVE-2026-43515	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Improper Authorization vulnerability when multiple method constraints ...
CRITICAL	CVE-2026-25896	fast-xml-parser	4.5.3	5.3.5, 4.5.4	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
CRITICAL	CVE-2016-1000027	org.springframework:spring-web	5.3.39	6.0.0	qa/integration-tests-engine/pom.xml	spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization
CRITICAL	CVE-2019-10202	org.codehaus.jackson:jackson-mapper-asl	1.9.11		qa/performance-tests-engine/pom.xml	codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
CRITICAL	CVE-2022-22965	org.springframework:spring-beans	5.2.19.RELEASE	5.2.20.RELEASE, 5.3.18	qa/test-db-instance-migration/pom.xml	spring-framework: RCE via Data Binding on JDK 9+
CRITICAL	CVE-2022-22965	org.springframework:spring-beans	5.2.8.RELEASE	5.2.20.RELEASE, 5.3.18	qa/test-db-instance-migration/pom.xml	spring-framework: RCE via Data Binding on JDK 9+
CRITICAL	CVE-2022-22965	org.springframework:spring-beans	5.2.8.RELEASE	5.2.20.RELEASE, 5.3.18	qa/test-db-instance-migration/test-fixture-714/pom.xml	spring-framework: RCE via Data Binding on JDK 9+
CRITICAL	CVE-2022-22965	org.springframework:spring-beans	5.2.19.RELEASE	5.2.20.RELEASE, 5.3.18	qa/test-db-instance-migration/test-fixture-717/pom.xml	spring-framework: RCE via Data Binding on JDK 9+
CRITICAL	CVE-2016-4000	org.python:jython	2.5.3	2.7.1-rc1	qa/tomcat-runtime/pom.xml	jython: Unsafe deserialization leads to code execution
CRITICAL	CVE-2016-4000	org.python:jython	2.5.3	2.7.1-rc1	qa/tomcat9-runtime/pom.xml	jython: Unsafe deserialization leads to code execution
CRITICAL	CVE-2016-4000	org.python:jython	2.5.3	2.7.1-rc1	qa/wildfly-runtime/pom.xml	jython: Unsafe deserialization leads to code execution
CRITICAL	CVE-2016-4000	org.python:jython	2.5.3	2.7.1-rc1	qa/wildfly26-runtime/pom.xml	jython: Unsafe deserialization leads to code execution
CRITICAL	CVE-2026-41293	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Improper Input Validation vulnerability in Apache Tomcat. This issue ...
CRITICAL	CVE-2026-43512	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
CRITICAL	CVE-2026-43515	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Improper Authorization vulnerability when multiple method constraints ...
CRITICAL	CVE-2026-22732	org.springframework.security:spring-security-web	6.5.3	6.5.9, 7.0.4	spring-boot-starter/starter-security/pom.xml	Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers
CRITICAL	CVE-2026-41293	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Improper Input Validation vulnerability in Apache Tomcat. This issue ...
CRITICAL	CVE-2026-43512	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
CRITICAL	CVE-2026-43515	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Improper Authorization vulnerability when multiple method constraints ...
CRITICAL	CVE-2026-25896	fast-xml-parser	4.3.4	5.3.5, 4.5.4	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
CRITICAL	CVE-2025-7783	form-data	4.0.0	2.5.4, 3.0.4, 4.0.4	webapps/frontend/package-lock.json	Use of Insufficiently Random Values vulnerability in form-data allows ...
HIGH	CVE-2023-6378	ch.qos.logback:logback-classic	1.2.11	1.3.12, 1.4.12, 1.2.13	commons/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2023-6378	ch.qos.logback:logback-core	1.2.11	1.3.12, 1.4.12, 1.2.13	commons/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2023-6378	ch.qos.logback:logback-classic	1.2.11	1.3.12, 1.4.12, 1.2.13	commons/testing/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2023-6378	ch.qos.logback:logback-core	1.2.11	1.3.12, 1.4.12, 1.2.13	commons/testing/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2025-55752	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	distro/run/core/pom.xml	Relative Path Traversal vulnerability in Apache Tomcat. The fix for b ...
HIGH	CVE-2026-24734	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.18, 10.1.52, 9.0.115	distro/run/core/pom.xml	tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation
HIGH	CVE-2026-24880	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.52, 11.0.20	distro/run/core/pom.xml	Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension
HIGH	CVE-2026-34483	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.54, 11.0.21	distro/run/core/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve
HIGH	CVE-2026-34487	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.117, 10.1.54, 11.0.21	distro/run/core/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files
HIGH	CVE-2026-41284	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Allocation of Resources Without Limits or Throttling vulnerability in ...
HIGH	CVE-2026-42498	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Exposure of HTTP Authentication Header to unexpected hosts during WebS ...
HIGH	CVE-2026-43513	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	distro/run/core/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	distro/run/core/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2025-41248	org.springframework.security:spring-security-core	6.5.3	6.4.10, 6.5.4	distro/run/modules/oauth2/pom.xml	Spring Security annotation detection mechanism has authorization bypass
HIGH	CVE-2025-55752	org.apache.tomcat:tomcat	10.1.43	11.0.11, 10.1.45, 9.0.109	distro/tomcat/assembly/pom.xml	Relative Path Traversal vulnerability in Apache Tomcat. The fix for b ...
HIGH	CVE-2026-34483	org.apache.tomcat:tomcat	10.1.43	9.0.116, 10.1.54, 11.0.21	distro/tomcat/assembly/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve
HIGH	CVE-2026-34487	org.apache.tomcat:tomcat	10.1.43	9.0.117, 10.1.54, 11.0.21	distro/tomcat/assembly/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files
HIGH	CVE-2026-41284	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Allocation of Resources Without Limits or Throttling vulnerability in ...
HIGH	CVE-2026-42498	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Exposure of HTTP Authentication Header to unexpected hosts during WebS ...
HIGH	CVE-2026-43513	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...
HIGH	CVE-2026-26278	fast-xml-parser	4.5.3	4.5.4, 5.3.6	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
HIGH	CVE-2026-33036	fast-xml-parser	4.5.3	5.5.6, 4.5.5	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass
HIGH	CVE-2026-26996	minimatch	5.1.6	10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3	engine-rest/docs/package-lock.json	minimatch: minimatch: Denial of Service via specially crafted glob patterns
HIGH	CVE-2026-27903	minimatch	5.1.6	10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3	engine-rest/docs/package-lock.json	minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
HIGH	CVE-2026-27904	minimatch	5.1.6	10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4	engine-rest/docs/package-lock.json	minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	engine/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	qa/integration-tests-engine-jakarta/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2023-6378	ch.qos.logback:logback-classic	1.2.11	1.3.12, 1.4.12, 1.2.13	qa/performance-tests-engine/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2023-6378	ch.qos.logback:logback-core	1.2.11	1.3.12, 1.4.12, 1.2.13	qa/performance-tests-engine/pom.xml	logback: serialization vulnerability in logback receiver
HIGH	CVE-2019-10172	org.codehaus.jackson:jackson-mapper-asl	1.9.11		qa/performance-tests-engine/pom.xml	jackson-mapper-asl: XML external entity similar to CVE-2016-3720
HIGH	CVE-2020-26945	org.mybatis:mybatis	3.5.3	3.5.6	qa/test-db-instance-migration/pom.xml	mybatis: mishandles deserialization of object streams which could result in remote code execution
HIGH	CVE-2022-22970	org.springframework:spring-beans	5.2.19.RELEASE	5.2.22.RELEASE, 5.3.20	qa/test-db-instance-migration/pom.xml	springframework: DoS via data binding to multipartFile or servlet part
HIGH	CVE-2022-22970	org.springframework:spring-beans	5.2.8.RELEASE	5.2.22.RELEASE, 5.3.20	qa/test-db-instance-migration/pom.xml	springframework: DoS via data binding to multipartFile or servlet part
HIGH	CVE-2020-26945	org.mybatis:mybatis	3.5.3	3.5.6	qa/test-db-instance-migration/test-fixture-714/pom.xml	mybatis: mishandles deserialization of object streams which could result in remote code execution
HIGH	CVE-2022-22970	org.springframework:spring-beans	5.2.8.RELEASE	5.2.22.RELEASE, 5.3.20	qa/test-db-instance-migration/test-fixture-714/pom.xml	springframework: DoS via data binding to multipartFile or servlet part
HIGH	CVE-2022-22970	org.springframework:spring-beans	5.2.19.RELEASE	5.2.22.RELEASE, 5.3.20	qa/test-db-instance-migration/test-fixture-717/pom.xml	springframework: DoS via data binding to multipartFile or servlet part
HIGH	CVE-2026-42198	org.postgresql:postgresql	42.5.5	42.7.11	qa/tomcat-runtime/pom.xml	jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
HIGH	CVE-2026-42198	org.postgresql:postgresql	42.5.5	42.7.11	qa/tomcat9-runtime/pom.xml	jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
HIGH	CVE-2026-42198	org.postgresql:postgresql	42.5.5	42.7.11	qa/wildfly-runtime/pom.xml	jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
HIGH	CVE-2026-42198	org.postgresql:postgresql	42.5.5	42.7.11	qa/wildfly26-runtime/pom.xml	jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter-client/spring-boot/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter-client/spring-boot/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2025-55752	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Relative Path Traversal vulnerability in Apache Tomcat. The fix for b ...
HIGH	CVE-2026-24734	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.18, 10.1.52, 9.0.115	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation
HIGH	CVE-2026-24880	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.52, 11.0.20	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension
HIGH	CVE-2026-34483	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.54, 11.0.21	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve
HIGH	CVE-2026-34487	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.117, 10.1.54, 11.0.21	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files
HIGH	CVE-2026-41284	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Allocation of Resources Without Limits or Throttling vulnerability in ...
HIGH	CVE-2026-42498	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Exposure of HTTP Authentication Header to unexpected hosts during WebS ...
HIGH	CVE-2026-43513	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter-security/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41248	org.springframework.security:spring-security-core	6.5.3	6.4.10, 6.5.4	spring-boot-starter/starter-security/pom.xml	Spring Security annotation detection mechanism has authorization bypass
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter-security/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2026-24400	org.assertj:assertj-core	3.27.4	3.27.7	spring-boot-starter/starter-test/pom.xml	assertj: AssertJ: Information disclosure and denial of service via XML External Entity (XXE)
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter-test/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter-test/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2025-55752	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	spring-boot-starter/starter-webapp-core/pom.xml	Relative Path Traversal vulnerability in Apache Tomcat. The fix for b ...
HIGH	CVE-2026-24734	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.18, 10.1.52, 9.0.115	spring-boot-starter/starter-webapp-core/pom.xml	tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation
HIGH	CVE-2026-24880	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.52, 11.0.20	spring-boot-starter/starter-webapp-core/pom.xml	Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension
HIGH	CVE-2026-34483	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.54, 11.0.21	spring-boot-starter/starter-webapp-core/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve
HIGH	CVE-2026-34487	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.117, 10.1.54, 11.0.21	spring-boot-starter/starter-webapp-core/pom.xml	Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files
HIGH	CVE-2026-41284	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Allocation of Resources Without Limits or Throttling vulnerability in ...
HIGH	CVE-2026-42498	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Exposure of HTTP Authentication Header to unexpected hosts during WebS ...
HIGH	CVE-2026-43513	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter-webapp-core/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter-webapp-core/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2026-40973	org.springframework.boot:spring-boot	3.5.5	4.0.6, 3.5.14	spring-boot-starter/starter/pom.xml	Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
HIGH	CVE-2025-41249	org.springframework:spring-core	6.2.10	6.2.11	spring-boot-starter/starter/pom.xml	The Spring Framework annotation detection mechanism may not correctly ...
HIGH	CVE-2024-21490	angular	1.8.2		webapps/frontend/package-lock.json	This affects versions of the package angular from 1.3.0. A regular exp ...
HIGH	CVE-2026-26278	fast-xml-parser	4.3.4	4.5.4, 5.3.6	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
HIGH	CVE-2026-33036	fast-xml-parser	4.3.4	5.5.6, 4.5.5	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass
HIGH	CVE-2026-4800	lodash	4.17.21	4.18.0	webapps/frontend/package-lock.json	lodash: lodash: Arbitrary code execution via untrusted input in template imports
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	clients/java/client/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	clients/java/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2024-12798	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	commons/pom.xml	ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.2.11	1.5.19, 1.3.16	commons/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	CVE-2024-12798	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	commons/testing/pom.xml	ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.2.11	1.5.19, 1.3.16	commons/testing/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	distro/jboss/webapp/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	distro/run/core/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	distro/run/core/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-48924	org.apache.commons:commons-lang3	3.17.0	3.18.0	distro/run/core/pom.xml	Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
MEDIUM	CVE-2025-66614	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	distro/run/core/pom.xml	tomcat: Client certificate verification bypass due to virtual host mapping
MEDIUM	CVE-2026-25854	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.53, 11.0.20	distro/run/core/pom.xml	Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve
MEDIUM	CVE-2026-22737	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	distro/run/core/pom.xml	Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views
MEDIUM	CVE-2026-22745	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	distro/run/core/pom.xml	spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows
MEDIUM	CVE-2026-22751	org.springframework.security:spring-security-core	6.5.3	6.5.10, 7.0.5	distro/run/modules/oauth2/pom.xml	Spring Security: JdbcOneTimeTokenService: Spring Security: Authentication bypass due to race condition in One-Time Token login
MEDIUM	CVE-2026-22748	org.springframework.security:spring-security-oauth2-jose	6.5.3	6.5.10, 7.0.5	distro/run/modules/oauth2/pom.xml	Spring Security: Spring Security: Integrity impact due to improper JSON Web Token (JWT) validation
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	distro/run/modules/rest/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	distro/run/modules/webapps/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2026-22737	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	distro/run/modules/webapps/pom.xml	Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views
MEDIUM	CVE-2026-22745	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	distro/run/modules/webapps/pom.xml	spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	distro/run/qa/example-plugin/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-66614	org.apache.tomcat:tomcat	10.1.43	11.0.15, 10.1.50, 9.0.113	distro/tomcat/assembly/pom.xml	tomcat: Client certificate verification bypass due to virtual host mapping
MEDIUM	CVE-2026-25854	org.apache.tomcat:tomcat	10.1.43	9.0.116, 10.1.53, 11.0.20	distro/tomcat/assembly/pom.xml	Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve
MEDIUM	CVE-2026-33750	brace-expansion	2.0.1	5.0.5, 3.0.2, 2.0.3, 1.1.13	engine-rest/docs/package-lock.json	brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
MEDIUM	CVE-2025-15599	dompurify	3.2.5	3.2.7	engine-rest/docs/package-lock.json	DOMPurify: DOMPurify: Cross-site scripting
MEDIUM	CVE-2026-0540	dompurify	3.2.5	3.3.2, 2.5.9	engine-rest/docs/package-lock.json	DOMPurify: DOMPurify: Cross-site scripting vulnerability
MEDIUM	CVE-2026-41238	dompurify	3.2.5	3.4.0	engine-rest/docs/package-lock.json	DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution
MEDIUM	CVE-2026-41239	dompurify	3.2.5	3.4.0	engine-rest/docs/package-lock.json	DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
MEDIUM	CVE-2026-41240	dompurify	3.2.5	3.4.0	engine-rest/docs/package-lock.json	DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
MEDIUM	GHSA-39q2-94rc-95cp	dompurify	3.2.5	3.4.0	engine-rest/docs/package-lock.json	DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
MEDIUM	GHSA-cj63-jhhr-wcxv	dompurify	3.2.5	3.3.2	engine-rest/docs/package-lock.json	DOMPurify USE_PROFILES prototype pollution allows event handlers
MEDIUM	GHSA-cjmm-f4jc-qw8r	dompurify	3.2.5	3.3.2	engine-rest/docs/package-lock.json	DOMPurify ADD_ATTR predicate skips URI validation
MEDIUM	GHSA-h8r8-wccr-v5f2	dompurify	3.2.5	3.3.2	engine-rest/docs/package-lock.json	DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
MEDIUM	CVE-2026-33349	fast-xml-parser	4.5.3	4.5.5, 5.5.7	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling
MEDIUM	CVE-2026-41650	fast-xml-parser	4.5.3	5.7.0	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences
MEDIUM	CVE-2025-64718	js-yaml	4.1.0	4.1.1, 3.14.2	engine-rest/docs/package-lock.json	js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1. ...
MEDIUM	CVE-2026-41305	postcss	8.4.49	8.5.10	engine-rest/docs/package-lock.json	postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
MEDIUM	CVE-2026-33532	yaml	1.10.2	2.8.3, 1.10.3	engine-rest/docs/package-lock.json	yaml: yaml: Denial of Service via deeply nested YAML document parsing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/engine-rest-jakarta/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/engine-rest-openapi-generator/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-48924	org.apache.commons:commons-lang3	3.8.1	3.18.0	engine-rest/engine-rest-openapi-generator/pom.xml	Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/engine-rest/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	engine-rest/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-48924	org.apache.commons:commons-lang3	3.8.1	3.18.0	engine-rest/pom.xml	Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
MEDIUM	CVE-2024-38820	org.springframework:spring-context	5.3.39	6.1.14	qa/integration-tests-engine/pom.xml	The fix for CVE-2022-22968 made disallowedFieldspatterns in DataBinder ...
MEDIUM	CVE-2024-38820	org.springframework:spring-web	5.3.39	6.1.14	qa/integration-tests-engine/pom.xml	The fix for CVE-2022-22968 made disallowedFieldspatterns in DataBinder ...
MEDIUM	CVE-2024-12798	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	qa/performance-tests-engine/pom.xml	ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.2.11	1.5.19, 1.3.16	qa/performance-tests-engine/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	spin/dataformat-json-jackson/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	spin/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter-client/spring-boot/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-client/spring/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-qa/integration-test-plugins/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-qa/integration-test-plugins/spin/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-qa/integration-test-plugins/spin/spin-dataformat-all/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-66614	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	tomcat: Client certificate verification bypass due to virtual host mapping
MEDIUM	CVE-2026-25854	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.53, 11.0.20	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve
MEDIUM	CVE-2026-22737	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views
MEDIUM	CVE-2026-22745	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter-security/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	CVE-2025-53864	com.nimbusds:nimbus-jose-jwt	9.37.3	10.0.2, 9.37.4	spring-boot-starter/starter-security/pom.xml	Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON
MEDIUM	CVE-2026-22751	org.springframework.security:spring-security-core	6.5.3	6.5.10, 7.0.5	spring-boot-starter/starter-security/pom.xml	Spring Security: JdbcOneTimeTokenService: Spring Security: Authentication bypass due to race condition in One-Time Token login
MEDIUM	CVE-2026-22748	org.springframework.security:spring-security-oauth2-jose	6.5.3	6.5.10, 7.0.5	spring-boot-starter/starter-security/pom.xml	Spring Security: Spring Security: Integrity impact due to improper JSON Web Token (JWT) validation
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter-test/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter-webapp-core/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.19.2	2.21.1, 2.18.6	spring-boot-starter/starter-webapp-core/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2025-66614	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	spring-boot-starter/starter-webapp-core/pom.xml	tomcat: Client certificate verification bypass due to virtual host mapping
MEDIUM	CVE-2026-25854	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.116, 10.1.53, 11.0.20	spring-boot-starter/starter-webapp-core/pom.xml	Apache Tomcat: Apache Tomcat: Open Redirect vulnerability via LoadBalancerDrainingValve
MEDIUM	CVE-2026-22737	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	spring-boot-starter/starter-webapp-core/pom.xml	Spring Framework: Spring Framework: Information disclosure via Java scripting engine enabled template views
MEDIUM	CVE-2026-22745	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	spring-boot-starter/starter-webapp-core/pom.xml	spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows
MEDIUM	CVE-2025-11226	ch.qos.logback:logback-core	1.5.18	1.5.19, 1.3.16	spring-boot-starter/starter/pom.xml	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
MEDIUM	CVE-2025-48924	org.apache.commons:commons-lang3	3.17.0	3.18.0	spring-boot-starter/starter/pom.xml	Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	webapps/assembly-jakarta/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
MEDIUM	CVE-2022-25844	angular	1.8.2		webapps/frontend/package-lock.json	angular: Regular Expression Denial of Service (ReDoS) in angular
MEDIUM	CVE-2022-25869	angular	1.8.2		webapps/frontend/package-lock.json	angularjs: Angular Cross-site Scripting (XSS)
MEDIUM	CVE-2023-26116	angular	1.8.2		webapps/frontend/package-lock.json	angularjs: Regular Expression Denial of Service via angular.copy()
MEDIUM	CVE-2023-26117	angular	1.8.2		webapps/frontend/package-lock.json	angularjs: Regular expression denial of service via the $resource service
MEDIUM	CVE-2023-26118	angular	1.8.2		webapps/frontend/package-lock.json	angularjs: Regular Expression Denial of Service via the <input type="url"> element
MEDIUM	CVE-2025-2336	angular-sanitize	1.8.2		webapps/frontend/package-lock.json	Improper sanitization of the value of the 'href' and 'xlink:href' attr ...
MEDIUM	CVE-2024-6485	bootstrap	3.4.1		webapps/frontend/package-lock.json	A security vulnerability has been discovered in bootstrap that could e ...
MEDIUM	CVE-2025-1647	bootstrap	3.4.1		webapps/frontend/package-lock.json	Improper Neutralization of Input During Web Page Generation (XSS or 'C ...
MEDIUM	CVE-2025-15599	dompurify	3.2.4	3.2.7	webapps/frontend/package-lock.json	DOMPurify: DOMPurify: Cross-site scripting
MEDIUM	CVE-2026-0540	dompurify	3.2.4	3.3.2, 2.5.9	webapps/frontend/package-lock.json	DOMPurify: DOMPurify: Cross-site scripting vulnerability
MEDIUM	CVE-2026-41238	dompurify	3.2.4	3.4.0	webapps/frontend/package-lock.json	DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution
MEDIUM	CVE-2026-41239	dompurify	3.2.4	3.4.0	webapps/frontend/package-lock.json	DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
MEDIUM	CVE-2026-41240	dompurify	3.2.4	3.4.0	webapps/frontend/package-lock.json	DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
MEDIUM	GHSA-39q2-94rc-95cp	dompurify	3.2.4	3.4.0	webapps/frontend/package-lock.json	DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
MEDIUM	GHSA-cj63-jhhr-wcxv	dompurify	3.2.4	3.3.2	webapps/frontend/package-lock.json	DOMPurify USE_PROFILES prototype pollution allows event handlers
MEDIUM	GHSA-cjmm-f4jc-qw8r	dompurify	3.2.4	3.3.2	webapps/frontend/package-lock.json	DOMPurify ADD_ATTR predicate skips URI validation
MEDIUM	GHSA-h8r8-wccr-v5f2	dompurify	3.2.4	3.3.2	webapps/frontend/package-lock.json	DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
MEDIUM	CVE-2026-33349	fast-xml-parser	4.3.4	4.5.5, 5.5.7	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling
MEDIUM	CVE-2026-41650	fast-xml-parser	4.3.4	5.7.0	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences
MEDIUM	CVE-2025-13465	lodash	4.17.21	4.17.23	webapps/frontend/package-lock.json	lodash: prototype pollution in _.unset and _.omit functions
MEDIUM	CVE-2026-2950	lodash	4.17.21	4.18.0	webapps/frontend/package-lock.json	lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
MEDIUM	CVE-2025-15284	qs	6.13.0	6.14.1	webapps/frontend/package-lock.json	Improper Input Validation vulnerability in qs (parse modules) allows H ...
MEDIUM	CVE-2026-8723	qs	6.13.0	6.15.2	webapps/frontend/package-lock.json	### Summary `qs.stringify` throws `TypeError` when called with `arr ...
MEDIUM	GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.2	2.21.1, 2.18.6	webapps/pom.xml	jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
LOW	CVE-2024-12801	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	commons/pom.xml	Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.2.11	1.5.25	commons/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2024-12801	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	commons/testing/pom.xml	Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.2.11	1.5.25	commons/testing/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	distro/run/core/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2025-55754	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	distro/run/core/pom.xml	Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...
LOW	CVE-2025-61795	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.12, 10.1.47, 9.0.110	distro/run/core/pom.xml	Improper Resource Shutdown or Release vulnerability in Apache Tomcat. ...
LOW	CVE-2026-24733	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	distro/run/core/pom.xml	tomcat: security constraint bypass with HTTP/0.9
LOW	CVE-2026-43514	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	distro/run/core/pom.xml	Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...
LOW	CVE-2026-22735	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	distro/run/core/pom.xml	org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events
LOW	CVE-2026-22741	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	distro/run/core/pom.xml	Spring MVC: Spring WebFlux: Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
LOW	CVE-2026-22746	org.springframework.security:spring-security-core	6.5.3	6.5.10, 7.0.5	distro/run/modules/oauth2/pom.xml	Spring Security: Spring Security: Timing attack defense bypass allows information disclosure
LOW	CVE-2026-22735	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	distro/run/modules/webapps/pom.xml	org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events
LOW	CVE-2026-22741	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	distro/run/modules/webapps/pom.xml	Spring MVC: Spring WebFlux: Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
LOW	CVE-2025-55754	org.apache.tomcat:tomcat	10.1.43	11.0.11, 10.1.45, 9.0.109	distro/tomcat/assembly/pom.xml	Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...
LOW	CVE-2025-61795	org.apache.tomcat:tomcat	10.1.43	11.0.12, 10.1.47, 9.0.110	distro/tomcat/assembly/pom.xml	Improper Resource Shutdown or Release vulnerability in Apache Tomcat. ...
LOW	CVE-2026-24733	org.apache.tomcat:tomcat	10.1.43	11.0.15, 10.1.50, 9.0.113	distro/tomcat/assembly/pom.xml	tomcat: security constraint bypass with HTTP/0.9
LOW	CVE-2026-43514	org.apache.tomcat:tomcat	10.1.43	9.0.118, 10.1.55, 11.0.22	distro/tomcat/assembly/pom.xml	Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...
LOW	CVE-2025-5889	brace-expansion	2.0.1	2.0.2, 1.1.12, 3.0.1, 4.0.1	engine-rest/docs/package-lock.json	A vulnerability was found in juliangruber brace-expansion up to 1.1.11 ...
LOW	CVE-2026-27942	fast-xml-parser	4.5.3	5.3.8, 4.5.4	engine-rest/docs/package-lock.json	fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service
LOW	CVE-2025-22233	org.springframework:spring-context	5.3.39	6.2.7, 6.1.20	qa/integration-tests-engine/pom.xml	CVE-2024-38820 ensured Locale-independent, lowercase conversion for bo ...
LOW	CVE-2024-12801	ch.qos.logback:logback-core	1.2.11	1.5.13, 1.3.15	qa/performance-tests-engine/pom.xml	Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.2.11	1.5.25	qa/performance-tests-engine/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter-client/spring-boot/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2025-55754	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...
LOW	CVE-2025-61795	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.12, 10.1.47, 9.0.110	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Improper Resource Shutdown or Release vulnerability in Apache Tomcat. ...
LOW	CVE-2026-24733	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	tomcat: security constraint bypass with HTTP/0.9
LOW	CVE-2026-43514	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...
LOW	CVE-2026-22735	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events
LOW	CVE-2026-22741	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	spring-boot-starter/starter-qa/integration-test-request-scope/pom.xml	Spring MVC: Spring WebFlux: Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter-security/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2026-22746	org.springframework.security:spring-security-core	6.5.3	6.5.10, 7.0.5	spring-boot-starter/starter-security/pom.xml	Spring Security: Spring Security: Timing attack defense bypass allows information disclosure
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter-test/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter-webapp-core/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2025-55754	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.11, 10.1.45, 9.0.109	spring-boot-starter/starter-webapp-core/pom.xml	Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...
LOW	CVE-2025-61795	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.12, 10.1.47, 9.0.110	spring-boot-starter/starter-webapp-core/pom.xml	Improper Resource Shutdown or Release vulnerability in Apache Tomcat. ...
LOW	CVE-2026-24733	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	11.0.15, 10.1.50, 9.0.113	spring-boot-starter/starter-webapp-core/pom.xml	tomcat: security constraint bypass with HTTP/0.9
LOW	CVE-2026-43514	org.apache.tomcat.embed:tomcat-embed-core	10.1.44	9.0.118, 10.1.55, 11.0.22	spring-boot-starter/starter-webapp-core/pom.xml	Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...
LOW	CVE-2026-22735	org.springframework:spring-webmvc	6.2.10	7.0.6, 6.2.17	spring-boot-starter/starter-webapp-core/pom.xml	org.springframework/spring-webmvc: org.springframework/spring-webflux: Spring MVC and WebFlux: Stream corruption vulnerability when using Server-Sent Events
LOW	CVE-2026-22741	org.springframework:spring-webmvc	6.2.10	7.0.7, 6.2.18	spring-boot-starter/starter-webapp-core/pom.xml	Spring MVC: Spring WebFlux: Spring MVC and Spring WebFlux: Denial of Service via cache poisoning
LOW	CVE-2026-1225	ch.qos.logback:logback-core	1.5.18	1.5.25	spring-boot-starter/starter/pom.xml	ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
LOW	CVE-2024-8372	angular	1.8.2		webapps/frontend/package-lock.json	Improper sanitization of the value of the 'srcset' attribute in Angula ...
LOW	CVE-2024-8373	angular	1.8.2		webapps/frontend/package-lock.json	Improper sanitization of the value of the [srcset] attribute in <sourc ...
LOW	CVE-2025-0716	angular	1.8.2		webapps/frontend/package-lock.json	Improper sanitization of the value of the 'href' and 'xlink:href' attr ...
LOW	CVE-2026-27942	fast-xml-parser	4.3.4	5.3.8, 4.5.4	webapps/frontend/package-lock.json	fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service
LOW	CVE-2026-2391	qs	6.13.0	6.14.2	webapps/frontend/package-lock.json	qs: qs's arrayLimit bypass in comma parsing allows denial of service

CVE-2026-43512 - org.apache.tomcat:tomcat

Severity: CRITICAL

Installed Version: 10.1.43

Fixed Version: 9.0.118, 10.1.55, 11.0.22

Target: distro/tomcat/assembly/pom.xml

Title: DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...

Reference: https://avd.aquasec.com/nvd/cve-2026-43512

Severity: CRITICAL

Installed Version: 5.2.8.RELEASE

Fixed Version: 5.2.20.RELEASE, 5.3.18

Target: qa/test-db-instance-migration/pom.xml

Title: spring-framework: RCE via Data Binding on JDK 9+

Reference: https://avd.aquasec.com/nvd/cve-2022-22965

CVE-2022-22965 - org.springframework:spring-beans

Severity: CRITICAL

Installed Version: 5.2.8.RELEASE

Fixed Version: 5.2.20.RELEASE, 5.3.18

Target: qa/test-db-instance-migration/test-fixture-714/pom.xml

Title: spring-framework: RCE via Data Binding on JDK 9+

Reference: https://avd.aquasec.com/nvd/cve-2022-22965

Severity: CRITICAL

Installed Version: 4.0.0

Fixed Version: 2.5.4, 3.0.4, 4.0.4

Target: webapps/frontend/package-lock.json

Title: Use of Insufficiently Random Values vulnerability in form-data allows ...

Description:
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

Reference: https://avd.aquasec.com/nvd/cve-2025-7783

CVE-2023-6378 - ch.qos.logback:logback-classic

Severity: HIGH

Installed Version: 1.2.11

Fixed Version: 1.3.12, 1.4.12, 1.2.13

Target: commons/pom.xml

Title: logback: serialization vulnerability in logback receiver

Description:
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Reference: https://avd.aquasec.com/nvd/cve-2023-6378

CVE-2023-6378 - ch.qos.logback:logback-core

Severity: HIGH

Installed Version: 1.2.11

Fixed Version: 1.3.12, 1.4.12, 1.2.13

Target: commons/pom.xml

Title: logback: serialization vulnerability in logback receiver

Description:
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Reference: https://avd.aquasec.com/nvd/cve-2023-6378

CVE-2023-6378 - ch.qos.logback:logback-classic

Severity: HIGH

Installed Version: 1.2.11

Fixed Version: 1.3.12, 1.4.12, 1.2.13

Target: commons/testing/pom.xml

Title: logback: serialization vulnerability in logback receiver

Description:
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Reference: https://avd.aquasec.com/nvd/cve-2023-6378

CVE-2023-6378 - ch.qos.logback:logback-core

Severity: HIGH

Installed Version: 1.2.11

Fixed Version: 1.3.12, 1.4.12, 1.2.13

Target: commons/testing/pom.xml

Title: logback: serialization vulnerability in logback receiver

Description:
A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Reference: https://avd.aquasec.com/nvd/cve-2023-6378

CVE-2025-55752 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 11.0.11, 10.1.45, 9.0.109

Target: distro/run/core/pom.xml

Title: Relative Path Traversal vulnerability in Apache Tomcat. The fix for b ...

Description:
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2025-55752

CVE-2026-24734 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 11.0.18, 10.1.52, 9.0.115

Target: distro/run/core/pom.xml

Title: tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

Description:
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-24734

CVE-2026-24880 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.116, 10.1.52, 11.0.20

Target: distro/run/core/pom.xml

Title: Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension

Description:
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-24880

CVE-2026-34483 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.116, 10.1.54, 11.0.21

Target: distro/run/core/pom.xml

Title: Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve

Description:
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-34483

CVE-2026-34487 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.117, 10.1.54, 11.0.21

Target: distro/run/core/pom.xml

Title: Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files

Description:
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-34487

CVE-2026-41284 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.118, 10.1.55, 11.0.22

Target: distro/run/core/pom.xml

Title: Allocation of Resources Without Limits or Throttling vulnerability in ...

Description:
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-41284

CVE-2026-42498 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.118, 10.1.55, 11.0.22

Target: distro/run/core/pom.xml

Title: Exposure of HTTP Authentication Header to unexpected hosts during WebS ...

Description:
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-42498

CVE-2026-43513 - org.apache.tomcat.embed:tomcat-embed-core

Severity: HIGH

Installed Version: 10.1.44

Fixed Version: 9.0.118, 10.1.55, 11.0.22

Target: distro/run/core/pom.xml

Title: Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...

Description:
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Reference: https://avd.aquasec.com/nvd/cve-2026-43513

CVE-2026-40973 - org.springframework.boot:spring-boot

Severity: HIGH

Installed Version: 3.5.5

Fixed Version: 4.0.6, 3.5.14

Target: distro/run/core/pom.xml

Title: Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory

Description:
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.

Reference: https://avd.aquasec.com/nvd/cve-2026-40973

CVE-2025-41249 - org.springframework:spring-core

Severity: HIGH

Installed Version: 6.2.10

Fixed Version: 6.2.11

Target: distro/run/core/pom.xml

Title: The Spring Framework annotation detection mechanism may not correctly ...

Description:
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .

Reference: https://avd.aquasec.com/nvd/cve-2025-41249

CVE-2025-41248 - org.springframework.security:spring-security-core

Severity: HIGH

Severity: HIGH

Installed Version: 6.2.10

Fixed Version: 6.2.11

Target: engine/pom.xml

Title: The Spring Framework annotation detection mechanism may not correctly ...

Reference: https://avd.aquasec.com/nvd/cve-2025-41249

Severity: HIGH

Installed Version: 5.2.8.RELEASE

Fixed Version: 5.2.22.RELEASE, 5.3.20

Target: qa/test-db-instance-migration/pom.xml

Title: springframework: DoS via data binding to multipartFile or servlet part

Reference: https://avd.aquasec.com/nvd/cve-2022-22970

CVE-2020-26945 - org.mybatis:mybatis

Severity: HIGH

Installed Version: 3.5.3

Fixed Version: 3.5.6

Target: qa/test-db-instance-migration/test-fixture-714/pom.xml

Title: mybatis: mishandles deserialization of object streams which could result in remote code execution

Description:
MyBatis before 3.5.6 mishandles deserialization of object streams.

Reference: https://avd.aquasec.com/nvd/cve-2020-26945

CVE-2022-22970 - org.springframework:spring-beans

Severity: HIGH

Installed Version: 5.2.8.RELEASE

Fixed Version: 5.2.22.RELEASE, 5.3.20

Target: qa/test-db-instance-migration/test-fixture-714/pom.xml

Title: springframework: DoS via data binding to multipartFile or servlet part

Reference: https://avd.aquasec.com/nvd/cve-2022-22970

CVE-2022-22970 - org.springframework:spring-beans

Severity: HIGH

Installed Version: 5.2.19.RELEASE

Fixed Version: 5.2.22.RELEASE, 5.3.20

Target: qa/test-db-instance-migration/test-fixture-717/pom.xml

Title: springframework: DoS via data binding to multipartFile or servlet part

Reference: https://avd.aquasec.com/nvd/cve-2022-22970

CVE-2026-42198 - org.postgresql:postgresql

Severity: HIGH

CVE-2024-21490 - angular

Severity: HIGH

Installed Version: 1.8.2

Fixed Version:

Target: webapps/frontend/package-lock.json

Title: This affects versions of the package angular from 1.3.0. A regular exp ...

Description:
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

Reference: https://avd.aquasec.com/nvd/cve-2024-21490

CVE-2026-26278 - fast-xml-parser

Severity: HIGH

Installed Version: 4.3.4

Fixed Version: 4.5.4, 5.3.6

Target: webapps/frontend/package-lock.json

Title: fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion

Reference: https://avd.aquasec.com/nvd/cve-2026-26278

CVE-2026-33036 - fast-xml-parser

Severity: HIGH

Installed Version: 4.3.4

Fixed Version: 5.5.6, 4.5.5

Target: webapps/frontend/package-lock.json

Title: fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass

Reference: https://avd.aquasec.com/nvd/cve-2026-33036

CVE-2026-4800 - lodash

Severity: HIGH

Installed Version: 4.17.21

Fixed Version: 4.18.0

Target: webapps/frontend/package-lock.json

Title: lodash: lodash: Arbitrary code execution via untrusted input in template imports

Description:
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Reference: https://avd.aquasec.com/nvd/cve-2026-4800

GHSA-72hv-8253-57qq - com.fasterxml.jackson.core:jackson-core

Severity: MEDIUM

Installed Version: 2.15.2

Fixed Version: 2.21.1, 2.18.6

Target: clients/java/client/pom.xml

Title: jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

Description:
### Summary The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. ### Details The root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation. - The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks. - After parsing, they call `_valueComplete()`, which finalizes the token but does **not** call `resetInt()` or `resetFloat()`. - The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed. - Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path. ### PoC The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000. ```java package tools.jackson.core.unittest.dos; import java.nio.charset.StandardCharsets; import org.junit.jupiter.api.Test; import tools.jackson.core.*; import tools.jackson.core.exc.StreamConstraintsException; import tools.jackson.core.json.JsonFactory; import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser; import static org.junit.jupiter.api.Assertions.*; /** * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers * * Authors: sprabhav7, rohan-repos * * maxNumberLength default = 1000 characters (digits). * A number with more than 1000 digits should be rejected by any parser. * * BUG: The async parser never calls resetInt()/resetFloat() which is where * validateIntegerLength()/validateFPLength() lives. Instead it calls * _valueComplete() which skips all number length validation. * * CWE-770: Allocation of Resources Without Limits or Throttling */ class AsyncParserNumberLengthBypassTest { private static final int MAX_NUMBER_LENGTH = 1000; private static final int TEST_NUMBER_LENGTH = 5000; private final JsonFactory factory = new JsonFactory(); // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength @Test void syncParserRejectsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); // Output to console System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")"); try { try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED"); } } } fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number"); } catch (StreamConstraintsException e) { System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage()); } } // VULNERABILITY: Async parser accepts the SAME number that sync rejects @Test void asyncParserAcceptsLongNumber() throws Exception { byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH); NonBlockingByteArrayJsonParser p = (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty()); p.feedInput(payload, 0, payload.length); p.endOfInput(); boolean foundNumber = false; try { while (p.nextToken() != null) { if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) { foundNumber = true; String numberText = p.getText(); assertEquals(TEST_NUMBER_LENGTH, numberText.length(), "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits"); } } // Output to console System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED"); assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token"); } catch (StreamConstraintsException e) { fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage()); } p.close(); } private byte[] buildPayloadWithLongInteger(int numDigits) { StringBuilder sb = new StringBuilder(numDigits + 10); sb.append("{\"v\":"); for (int i = 0; i < numDigits; i++) { sb.append((char) ('1' + (i % 9))); } sb.append('}'); return sb.toString().getBytes(StandardCharsets.UTF_8); } } ``` ### Impact A malicious actor can send a JSON document with an arbitrarily long number to an application using the async parser (e.g., in a Spring WebFlux or other reactive application). This can cause: 1. **Memory Exhaustion:** Unbounded allocation of memory in the `TextBuffer` to store the number's digits, leading to an `OutOfMemoryError`. 2. **CPU Exhaustion:** If the application subsequently calls `getBigIntegerValue()` or `getDecimalValue()`, the JVM can be tied up in O(n^2) `BigInteger` parsing operations, leading to a CPU-based DoS. ### Suggested Remediation The async parsing path should be updated to respect the `maxNumberLength` constraint. The simplest fix appears to ensure that `_valueComplete()` or a similar method in the async path calls the appropriate validation methods (`resetInt()` or `resetFloat()`) already present in `ParserBase`, mirroring the behavior of the synchronous parsers. **NOTE:** This research was performed in collaboration with [rohan-repos](https://github.com/rohan-repos)

Reference: https://github.com/advisories/GHSA-72hv-8253-57qq

GHSA-72hv-8253-57qq - com.fasterxml.jackson.core:jackson-core

Severity: MEDIUM

Installed Version: 2.15.2

Fixed Version: 2.21.1, 2.18.6

Target: clients/java/pom.xml

Title: jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

Reference: https://github.com/advisories/GHSA-72hv-8253-57qq

CVE-2024-12798 - ch.qos.logback:logback-core

Severity: MEDIUM

Installed Version: 1.2.11

Fixed Version: 1.5.13, 1.3.15

Target: commons/pom.xml

Title: ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...

Description:
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Reference: https://avd.aquasec.com/nvd/cve-2024-12798

CVE-2025-11226 - ch.qos.logback:logback-core

Severity: MEDIUM

Severity: MEDIUM

Severity: MEDIUM

Severity: MEDIUM

Installed Version: 4.17.21

Fixed Version: 4.17.23

Target: webapps/frontend/package-lock.json

Title: lodash: prototype pollution in _.unset and _.omit functions

Description:
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Reference: https://avd.aquasec.com/nvd/cve-2025-13465

CVE-2026-2950 - lodash

Severity: MEDIUM

Installed Version: 4.17.21

Fixed Version: 4.18.0

Target: webapps/frontend/package-lock.json

Title: lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass

Description:
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

Reference: https://avd.aquasec.com/nvd/cve-2026-2950

CVE-2025-15284 - qs

Severity: MEDIUM

Installed Version: 6.13.0

Fixed Version: 6.14.1

Target: webapps/frontend/package-lock.json

Title: Improper Input Validation vulnerability in qs (parse modules) allows H ...

Description:
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly. Details The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000. Impact Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Reference: https://avd.aquasec.com/nvd/cve-2025-15284

CVE-2026-8723 - qs

Severity: MEDIUM

Installed Version: 6.13.0

Fixed Version: 6.15.2

Target: webapps/frontend/package-lock.json

Title: ### Summary `qs.stringify` throws `TypeError` when called with `arr ...

Description:
### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). ### Details In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining: ```js obj = utils.maybeMap(obj, encoder); ``` `utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run. Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1. #### PoC ```js const qs = require('qs'); qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }); qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }); qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true }); // TypeError: Cannot read properties of null (reading 'length') // at encode (lib/utils.js:195:13) // at Object.maybeMap (lib/utils.js:322:37) // at stringify (lib/stringify.js:145:25) ``` #### Fix `lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2: ```diff - obj = utils.maybeMap(obj, encoder); + obj = utils.maybeMap(obj, function (v) { + return v == null ? v : encoder(v); + }); ``` `null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop. ### Affected versions `>=6.11.1 <6.15.2` — fixed in v6.15.2. The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions. ### Impact Application code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled. The vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).

Reference: https://avd.aquasec.com/nvd/cve-2026-8723

GHSA-72hv-8253-57qq - com.fasterxml.jackson.core:jackson-core

Severity: MEDIUM

Installed Version: 2.15.2

Fixed Version: 2.21.1, 2.18.6

Target: webapps/pom.xml

Title: jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition

Reference: https://github.com/advisories/GHSA-72hv-8253-57qq

CVE-2024-12801 - ch.qos.logback:logback-core

Severity: LOW

Installed Version: 1.2.11

Fixed Version: 1.5.13, 1.3.15

Target: commons/pom.xml

Title: Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...

Description:
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.

Reference: https://avd.aquasec.com/nvd/cve-2024-12801

CVE-2026-1225 - ch.qos.logback:logback-core

Severity: LOW

Installed Version: 1.2.11

Fixed Version: 1.5.25

Target: commons/pom.xml

Title: ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes

Description:
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.

Reference: https://avd.aquasec.com/nvd/cve-2026-1225

CVE-2024-12801 - ch.qos.logback:logback-core

Severity: LOW

Installed Version: 1.2.11

Fixed Version: 1.5.13, 1.3.15

Target: commons/testing/pom.xml

Title: Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...

Reference: https://avd.aquasec.com/nvd/cve-2024-12801

CVE-2026-1225 - ch.qos.logback:logback-core

Severity: LOW

Installed Version: 1.2.11

Fixed Version: 1.5.25

Target: commons/testing/pom.xml

Title: ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes

Reference: https://avd.aquasec.com/nvd/cve-2026-1225

Severity: LOW

Installed Version: 4.3.4

Fixed Version: 5.3.8, 4.5.4

Target: webapps/frontend/package-lock.json

Title: fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service

Reference: https://avd.aquasec.com/nvd/cve-2026-27942

CVE-2026-2391 - qs

Severity: LOW

Installed Version: 6.13.0

Fixed Version: 6.14.2

Target: webapps/frontend/package-lock.json

Title: qs: qs's arrayLimit bypass in comma parsing allows denial of service

Description:
### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation. **Vulnerable code** (lib/parse.js: lines ~40-50): ```js if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) { return val.split(','); } if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) { throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); } return val; ``` The `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p). ### PoC **Test 1 - Basic bypass:** ``` npm install qs ``` ```js const qs = require('qs'); const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5) const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true }; try { const result = qs.parse(payload, options); console.log(result.a.length); // Outputs: 26 (bypass successful) } catch (e) { console.log('Limit enforced:', e.message); // Not thrown } ``` **Configuration:** - `comma: true` - `arrayLimit: 5` - `throwOnLimitExceeded: true` Expected: Throws "Array limit exceeded" error. Actual: Parses successfully, creating an array of length 26. ### Impact Denial of Service (DoS) via memory exhaustion.

Reference: https://avd.aquasec.com/nvd/cve-2026-2391