
CVSS: 7.8 | EPSS: 0% | CPEs: 25 | EXPL: 0

30 Jan 2026 — A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. • https://access.redhat.com/security/cve/CVE-2024-4027 • CWE-20: Improper Input Validation •

CVSS: 3.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

26 Jan 2026 — A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. • https://access.redhat.com/security/cve/CVE-2026-1190 • CWE-112: Missing XML Validation •

CVSS: 8.7 | EPSS: 0% | CPEs: 18 | EXPL: 0

23 Jan 2026 — A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application-level denial of service. • https://access.redhat.com/security/cve/CVE-2026-0603 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.8 | EPSS: 0% | CPEs: 28 | EXPL: 0

03 Dec 2025 — A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoded as application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 9. Red Hat Product Securi... • https://access.redhat.com/security/cve/CVE-2024-3884 • CWE-20: Improper Input Validation •

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Nov 2025 — A flaw was found in Red Hat Single Sign-On. This issue is an Open Redirect vulnerability that occurs during the logout process. The redirect_uri parameter associated with the openid-connect logout protocol does not properly validate the provided URL. • https://access.redhat.com/security/cve/CVE-2025-12789 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.7 | EPSS: 0% | CPEs: 5 | EXPL: 0

18 Jul 2025 — A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. • https://access.redhat.com/security/cve/CVE-2025-7784 • CWE-269: Improper Privilege Management •

CVSS: 8.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

29 Apr 2025 — A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. • https://access.redhat.com/errata/RHSA-2025:4335 • CWE-297: Improper Validation of Certificate with Host Mismatch •

CVSS: 6.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

25 Mar 2025 — A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. New images are available for Red Hat build of Keycloak 26.0.11 and Red Hat build of Keycloak 26.0.11 Opera... • https://access.redhat.com/security/cve/CVE-2025-2559 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 8.1 | EPSS: 0% | CPEs: 12 | EXPL: 0

04 Mar 2025 — A flaw was found in the Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via the CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 4.7 | EPSS: 0% | CPEs: 3 | EXPL: 0

18 Feb 2025 — A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. • https://access.redhat.com/security/cve/CVE-2024-4028 • CWE-20: Improper Input Validation •