
CVE-2025-46701 – Apache Tomcat: Security constraint bypass for CGI scripts
https://notcve.org/view.php?id=CVE-2025-46701
29 May 2025 — Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. This update for tomcat fixes the following issues. Fixed refactor CGI servl... • https://github.com/gregk4sec/CVE-2025-46701 • CWE-178: Improper Handling of Case Sensitivity •

CVE-2025-48734 – Apache Commons BeanUtils: PropertyUtilsBean does not suppress an enum's declaredClass property by default
https://notcve.org/view.php?id=CVE-2025-48734
28 May 2025 — Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. • https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9 • CWE-284: Improper Access Control •

CVE-2025-27528 – Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read
https://notcve.org/view.php?id=CVE-2025-27528
28 May 2025 — Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747 • https://github.com/apache/inlong/pull/11747 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27526 – Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass
https://notcve.org/view.php?id=CVE-2025-27526
28 May 2025 — Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability can lead to a JDBC URLEncode and backspace bypass. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747 • https://github.com/apache/inlong/pull/11747 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-27522 – Apache InLong: JDBC Vulnerability during verification processing
https://notcve.org/view.php?id=CVE-2025-27522
28 May 2025 — Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732 • https://github.com/apache/inlong/pull/11732 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-35003 – Apache NuttX RTOS: NuttX Bluetooth Stack HCI and UART DoS/RCE Vulnerabilities.
https://notcve.org/view.php?id=CVE-2025-35003
26 May 2025 — Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components) that may result in system crash, denial of service, or arbitrary code execution, after receiving maliciously crafted packets. NuttX's Bluetooth HCI/UART stack users are advised to upgrade to version 12.9.0, which fixes the identified implementation issues. This issue affects Apache NuttX: from 7.25 before 12.9.0... • https://github.com/apache/nuttx/pull/16179 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •

CVE-2025-47436 – Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression
https://notcve.org/view.php?id=CVE-2025-47436
14 May 2025 — Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, causing memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and ... • https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn • CWE-122: Heap-based Buffer Overflow •

CVE-2025-26864 – Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication
https://notcve.org/view.php?id=CVE-2025-26864
14 May 2025 — Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue. Exposure of sensitive information to an unauthorized actor and insertion of sensitive information into log files vulnerability in the OpenIdAuthorizer of Apache... • https://lists.apache.org/thread/2kcjnlypppk8qjh17dpz0jvkcpn6l162 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVE-2025-26795 – Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver
https://notcve.org/view.php?id=CVE-2025-26795
14 May 2025 — Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue. Exposure of sensitive information to an unauthorized actor and insertion of sensitive information into log files vulnerability in the Apache IoTDB JDBC driver. This... • https://lists.apache.org/thread/bj0ytxr5wg0c4jw8xm7rhfd8ogho0r91 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVE-2024-24780 – Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
https://notcve.org/view.php?id=CVE-2024-24780
14 May 2025 — Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. An attacker who has the privilege to create UDFs can register a malicious function from an untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue. Remote code execution with untrusted UDF URI vulnerability in Apache IoTDB. • https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj • CWE-94: Improper Control of Generation of Code ('Code Injection') •