CVSS: 7.8 | EPSS: % | CPEs: 25 | EXPL: 0 | CVE-2024-3884 – Undertow: outofmemory when parsing form data encoding with application/x-www-form-urlencoded
https://notcve.org/view.php?id=CVE-2024-3884
03 Dec 2025 — A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. • https://access.redhat.com/security/cve/CVE-2024-3884 • CWE-20: Improper Input Validation •
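The defence against this class of bug is to parse the body as a stream with hard caps rather than buffering it whole. The parser below is an added illustration written for this entry, not Undertow code: the caps MAX_FORM_BYTES and MAX_FIELDS, and the iterable of byte chunks that stands in for a StreamSourceChannel, are assumptions of the example.

```python
"""Streaming parser for application/x-www-form-urlencoded with hard caps.

Added illustration for the Undertow OOM advisory above; this is not Undertow
code. The caps (MAX_FORM_BYTES, MAX_FIELDS) and the chunk iterable that stands
in for a StreamSourceChannel are this example's own assumptions.
"""
from urllib.parse import unquote_plus

MAX_FORM_BYTES = 1024   # hypothetical cap, kept tiny so the demo trips it
MAX_FIELDS = 16         # hypothetical cap on distinct key=value pairs


class FormTooLarge(ValueError):
    """Raised as soon as a cap is exceeded, before the body is buffered."""


def parse_form(chunks, max_bytes=MAX_FORM_BYTES, max_fields=MAX_FIELDS):
    """Consume an iterable of byte chunks and return decoded fields.

    The body is never accumulated into one growing buffer: only the pair
    currently being read is held, and running byte and field counters abort
    the parse the moment either cap is exceeded. A body with no '&' at all
    is still bounded, because the byte counter covers it.
    """
    fields = {}
    current = bytearray()   # bytes of the pair being assembled
    seen = 0                # total body bytes consumed so far

    def flush(pair):
        if not pair:        # tolerates "a=1&&b=2" and a trailing '&'
            return
        raw_key, sep, raw_value = pair.partition(b"=")
        key = unquote_plus(raw_key.decode("latin-1"))
        if key not in fields and len(fields) >= max_fields:
            raise FormTooLarge(f"more than {max_fields} fields")
        fields[key] = unquote_plus(raw_value.decode("latin-1")) if sep else ""

    for chunk in chunks:
        seen += len(chunk)
        if seen > max_bytes:
            raise FormTooLarge(f"body exceeds {max_bytes} bytes")
        start = 0
        while True:
            idx = chunk.find(b"&", start)
            if idx < 0:
                current += chunk[start:]
                break
            current += chunk[start:idx]
            flush(bytes(current))
            current.clear()
            start = idx + 1
    flush(bytes(current))
    return fields


def endless_body(chunk=b"k=v&"):
    """Constructed attacker body: a request that never stops sending."""
    while True:
        yield chunk


def rejects(chunks):
    """True if the parser refused the body instead of buffering it."""
    try:
        parse_form(chunks)
        return False
    except FormTooLarge:
        return True


if __name__ == "__main__":
    print(parse_form([b"user=alice&", b"note=hi+there%21", b"&x=1"]))
    print("endless body rejected:", rejects(endless_body()))
    print("too many fields rejected:",
          rejects([b"&".join(b"f%d=1" % i for i in range(MAX_FIELDS + 1))]))
```

The endless generator is the interesting case: the parser gives up after 257 four-byte chunks, having held at most one pair in memory, where a parser that collects the whole body first would grow without bound.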
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2025-9784 – Undertow: undertow madeyoureset http/2 ddos vulnerability
https://notcve.org/view.php?id=CVE-2025-9784
02 Sep 2025 — A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). • https://access.redhat.com/security/cve/CVE-2025-9784 • CWE-404: Improper Resource Shutdown or Release CWE-770: Allocation of Resources Without Limits or Throttling •
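The implementation weakness is an abuse counter that only counts RST_STREAM frames the client sends, while a client can just as easily make the server send them. The model below is an added illustration for this entry, not Undertow code: the frame model, the two stream-error conditions taken from RFC 9113, and the reset budget are assumptions of the example.

```python
"""Per-connection HTTP/2 reset accounting that charges server-initiated resets.

Added illustration for the MadeYouReset advisory above; not Undertow code.
The frame model, the two stream-error conditions and the budget are this
example's own assumptions.
"""
from collections import deque

MAX_RESETS_PER_WINDOW = 100   # hypothetical budget shared by both directions
WINDOW_SECONDS = 10.0


class Http2Connection:
    """Sliding-window reset budget that decides when to GOAWAY a client.

    A server that only counts RST_STREAM frames *received* (the Rapid Reset
    fix) is blind to MadeYouReset: the client sends a frame that is valid at
    the connection level but illegal for the stream's state, so the server
    itself has to send RST_STREAM after it already dispatched the request.
    Charging those server-side resets to the same budget closes that gap.
    """

    def __init__(self, now, count_server_resets=True,
                 budget=MAX_RESETS_PER_WINDOW, window=WINDOW_SECONDS):
        self.now = now                  # injectable clock, deterministic in tests
        self.count_server_resets = count_server_resets
        self.budget = budget
        self.window = window
        self.resets = deque()           # timestamps of charged resets
        self.open_streams = set()
        self.aborted_work = 0           # handlers started and then thrown away
        self.closed = False             # True once GOAWAY has been sent

    def _charge_reset(self):
        t = self.now()
        self.resets.append(t)
        while self.resets and t - self.resets[0] > self.window:
            self.resets.popleft()
        if len(self.resets) > self.budget:
            self.closed = True          # GOAWAY(ENHANCE_YOUR_CALM) and drop

    def on_headers(self, stream_id):
        """Client opened a stream; the request handler is dispatched now."""
        if not self.closed:
            self.open_streams.add(stream_id)

    def on_rst_stream_from_client(self, stream_id):
        self.open_streams.discard(stream_id)
        self.aborted_work += 1
        self._charge_reset()

    def on_frame(self, stream_id, frame_type, **f):
        """Validate a frame against stream state.

        Two RFC 9113 stream errors are modelled: WINDOW_UPDATE with a zero
        increment (section 6.9) and PRIORITY with a length other than 5
        (section 6.3). Either forces the server to reset the stream.
        """
        if self.closed:
            return "dropped"
        if stream_id not in self.open_streams:
            return "ignored"            # nothing in flight to abort
        stream_error = (
            (frame_type == "WINDOW_UPDATE" and f.get("increment") == 0)
            or (frame_type == "PRIORITY" and f.get("length") != 5)
        )
        if not stream_error:
            return "ok"
        self.open_streams.discard(stream_id)
        self.aborted_work += 1          # work done for nothing
        if self.count_server_resets:
            self._charge_reset()
        return "rst_stream_sent"


def simulate(count_server_resets, rounds=500):
    """Constructed MadeYouReset loop: open a stream, immediately make the
    server reset it. Returns (connection_closed, handlers_wasted)."""
    conn = Http2Connection(now=lambda: 0.0,
                           count_server_resets=count_server_resets)
    for i in range(rounds):
        sid = 2 * i + 1                 # client-initiated streams are odd
        conn.on_headers(sid)
        conn.on_frame(sid, "WINDOW_UPDATE", increment=0)
    return conn.closed, conn.aborted_work


if __name__ == "__main__":
    print("count client resets only:", simulate(False))   # (False, 500)
    print("charge server resets too:", simulate(True))    # (True, 101)
```

With only client resets counted the connection survives all 500 rounds and the server wastes 500 dispatched handlers; with server-side resets charged to the same budget it sends GOAWAY after the budget is exceeded and drops everything that follows.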
CVSS: 7.7 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2025-7784 – Org.keycloak/keycloak-services: privilege escalation in keycloak admin console (fgapv2 enabled)
https://notcve.org/view.php?id=CVE-2025-7784
18 Jul 2025 — A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. • https://access.redhat.com/security/cve/CVE-2025-7784 • CWE-269: Improper Privilege Management •
CVSS: 6.2 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-5731 – Infinispan: credential leakage in infinispan cli
https://notcve.org/view.php?id=CVE-2025-5731
26 Jun 2025 — A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found. An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from t... • https://access.redhat.com/security/cve/CVE-2025-5731 • CWE-209: Generation of Error Message Containing Sensitive Information •
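The pattern to avoid is an error path that reproduces the raw command string after a credential has already been decoded into it. The dispatcher below is an added illustration for this entry, not Infinispan code: the command syntax, the --password flag and the constructed secret are assumptions of the example.

```python
"""Command dispatcher whose "command not found" path never echoes secrets.

Added illustration for the Infinispan CLI advisory above; not Infinispan code.
The command syntax, the --password flag and the secret are this example's own.
"""
import base64
import shlex

KNOWN_COMMANDS = ("connect", "get", "put")
SENSITIVE_FLAGS = ("--password", "-p")

# Constructed Kubernetes-style secret: base64 of a throwaway password.
K8S_SECRET_B64 = base64.b64encode(b"s3cr3t-Pa55").decode()
PASSWORD = base64.b64decode(K8S_SECRET_B64).decode()
# The operator mistypes the verb, so the "not found" branch is taken.
MISTYPED = f"conect --password {PASSWORD} cache1"


def leaky_dispatch(command_line):
    """Vulnerable shape: the whole command string, decoded secret included,
    is interpolated into the error the user sees and the log records."""
    argv = shlex.split(command_line)
    if argv[0] not in KNOWN_COMMANDS:
        return f"Command not found: {command_line}"
    return f"ran {argv[0]}"


def redact(argv, sensitive=SENSITIVE_FLAGS):
    """Mask the value that follows a credential flag, in both
    '--password x' and '--password=x' forms."""
    out, mask_next = [], False
    for tok in argv:
        if mask_next:
            out.append("****")
            mask_next = False
        elif tok in sensitive:
            out.append(tok)
            mask_next = True
        elif "=" in tok and tok.split("=", 1)[0] in sensitive:
            out.append(tok.split("=", 1)[0] + "=****")
        else:
            out.append(tok)
    return out


def safe_dispatch(command_line):
    """Hardened: the error is built from a redacted argument vector, so an
    unknown verb can be reported without reproducing the credential."""
    argv = shlex.split(command_line)
    if argv[0] not in KNOWN_COMMANDS:
        return f"Command not found: {' '.join(redact(argv))}"
    return f"ran {argv[0]}"


if __name__ == "__main__":
    print(leaky_dispatch(MISTYPED))   # the decoded password is in the message
    print(safe_dispatch(MISTYPED))    # Command not found: conect --password **** cache1
```

Redacting at the point where the message is built, rather than trusting every caller to pass a clean string, is what keeps the secret out of terminals, shell history and whatever log sink the CLI writes to.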
CVSS: 6.4 | EPSS: 2% | CPEs: 2 | EXPL: 0 | CVE-2025-2251 – Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution
https://notcve.org/view.php?id=CVE-2025-2251
07 Apr 2025 — A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 9. Red Hat ... • https://access.redhat.com/security/cve/CVE-2025-2251 • CWE-502: Deserialization of Untrusted Data •
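The general fix for CWE-502 is to refuse any class the receiver did not expect before the stream can instantiate it. JBoss Marshalling is a Java library; the example below is an added illustration that uses Python's standard pickle module as a stand-in for the same problem (a gadget in the stream runs code during deserialization) and the same allow-list fix. It is not JBoss code, and the ALLOWED set and the Gadget class are constructed for the example.

```python
"""Allow-list deserialization: the fix class a CWE-502 advisory calls for.

Added illustration for the WildFly/JBoss EAP advisory above. JBoss Marshalling
is a Java library, so this Python example uses the standard pickle module as a
stand-in for the same problem (a gadget in the stream runs code during
deserialization) and the same fix (refuse every class the receiver did not
expect, before it is instantiated). The ALLOWED set is this example's own.
"""
import datetime
import io
import os
import pickle

# The only global references a well-formed message is allowed to contain.
ALLOWED = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve class references only from the allow list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


class Gadget:
    """Constructed gadget: deserializing it calls os.system with our argument.
    Only the dump is built here; a plain pickle.loads on it would run the
    command, which is exactly the unauthenticated RCE shape of the advisory."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


BENIGN_OBJ = {"user": "alice", "expires": datetime.date(2026, 1, 1)}
BENIGN = pickle.dumps(BENIGN_OBJ)
MALICIOUS = pickle.dumps(Gadget())


if __name__ == "__main__":
    print(safe_loads(BENIGN))       # round-trips the expected message
    print(is_rejected(MALICIOUS))   # True: os.system is never resolved
```

The check happens in find_class, which runs before any object is constructed; that ordering is the whole point, since a deny-by-default filter applied after construction would be too late.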
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2025-2240 – Smallrye-fault-tolerance: smallrye fault tolerance
https://notcve.org/view.php?id=CVE-2025-2240
12 Mar 2025 — A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. An update is now available for Red Hat build of Quarkus. • https://access.redhat.com/security/cve/CVE-2025-2240 • CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 8.1 | EPSS: 0% | CPEs: 12 | EXPL: 0 | CVE-2025-23368 – Org.wildfly.core:wildfly-elytron-integration: wildfly elytron brute force attack via cli
https://notcve.org/view.php?id=CVE-2025-23368
04 Mar 2025 — A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
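The missing measure is a failed-attempt counter with a lockout. The authenticator below is an added illustration for this entry, not WildFly code: the thresholds, the (user, source) lockout key and the SHA-256 verifier are assumptions of the example, and a real deployment would verify against a proper password KDF.

```python
"""Failed-authentication throttling for an administrative CLI endpoint.

Added illustration for the WildFly Elytron advisory above; not WildFly code.
The thresholds, the (user, source) lockout key and the SHA-256 verifier are
this example's own; a real deployment would verify against a proper KDF.
"""
import hashlib
import hmac
import time

MAX_FAILURES = 5        # hypothetical: failures allowed inside one window
WINDOW_SECONDS = 60.0
LOCKOUT_SECONDS = 300.0
DUMMY_DIGEST = hashlib.sha256(b"no-such-user").hexdigest()


def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class ThrottledAuthenticator:
    def __init__(self, users, now=time.monotonic):
        self.users = users              # username -> sha256 hex (constructed)
        self.now = now                  # injectable clock for deterministic tests
        self.failures = {}              # (user, source) -> timestamps in window
        self.locked_until = {}          # (user, source) -> unlock time

    def authenticate(self, username, password, source) -> str:
        """Returns "ok", "denied" or "locked". While locked, even the right
        password is refused, so the lockout is not itself a password oracle."""
        key = (username, source)
        t = self.now()
        if self.locked_until.get(key, 0.0) > t:
            return "locked"
        # Compare against a dummy digest for unknown users so response time
        # does not reveal whether the account exists.
        expected = self.users.get(username, DUMMY_DIGEST)
        if hmac.compare_digest(expected, digest(password)) and username in self.users:
            self.failures.pop(key, None)
            return "ok"
        recent = [f for f in self.failures.get(key, []) if t - f <= WINDOW_SECONDS]
        recent.append(t)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = t + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic stand-in for time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Constructed attack: five wrong guesses, then the real password twice,
    the second time after the lockout has expired."""
    clock = FakeClock()
    auth = ThrottledAuthenticator({"admin": digest("correct horse")}, now=clock)
    outcomes = [auth.authenticate("admin", f"guess{i}", "10.0.0.7") for i in range(5)]
    outcomes.append(auth.authenticate("admin", "correct horse", "10.0.0.7"))
    clock.t += LOCKOUT_SECONDS + 1
    outcomes.append(auth.authenticate("admin", "correct horse", "10.0.0.7"))
    return outcomes


if __name__ == "__main__":
    print(simulate())   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

Keying the lockout on (user, source) rather than on the user alone limits how easily an attacker can lock a legitimate administrator out; the trade-off is that a distributed guesser gets one budget per source, so the per-user total should also be capped in practice.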
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2025-24970 – SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine
https://notcve.org/view.php?id=CVE-2025-24970
10 Feb 2025 — Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, validation of that packet is not handled correctly in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround it is possible either to disable the native SSLEngine or to change the code manually. A flaw was found in Netty's SslHandler. • https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4 • CWE-20: Improper Input Validation •
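A crash in a native TLS engine is a reminder that record framing should be validated in managed code before any bytes are handed down. The record splitter below is an added illustration for this entry; it is not Netty code and does not reproduce the fixed bug. The record limits follow RFC 5246 section 6.2.3 and RFC 8446 section 5.2, and the sample byte strings are constructed.

```python
"""Validate TLS record headers before bytes reach a (possibly native) SSLEngine.

Added illustration for the Netty SslHandler advisory above; this is not Netty
code and does not reproduce the fixed bug. It shows the framing checks a
handler should apply to untrusted input so a crafted packet is rejected in
managed code rather than handed to the engine. Record limits follow RFC 5246
section 6.2.3 and RFC 8446 section 5.2; the sample bytes are constructed.
"""
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
VALID_TYPES = {CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA}
HEADER_LEN = 5
MAX_CIPHERTEXT = 2 ** 14 + 2048   # TLS 1.2 bound; TLS 1.3 is tighter (2^14 + 256)


class RecordError(ValueError):
    """Malformed record: close the connection, do not feed the engine."""


def split_records(buf: bytes):
    """Return (complete_records, remainder).

    Each record is (content_type, (major, minor), payload). Any header that
    fails validation raises RecordError before its payload is touched, and a
    truncated record is left in the remainder until more bytes arrive.
    """
    records, pos = [], 0
    while len(buf) - pos >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", buf, pos)
        if ctype not in VALID_TYPES:
            raise RecordError(f"unknown content type {ctype}")
        if major != 3:
            # The record-layer version is legacy (TLS 1.3 pins it to 3.3);
            # anything outside the SSL3/TLS family is not a TLS record.
            raise RecordError(f"bad record version {major}.{minor}")
        if length > MAX_CIPHERTEXT:
            raise RecordError(f"record length {length} exceeds {MAX_CIPHERTEXT}")
        if length == 0 and ctype != APPLICATION_DATA:
            raise RecordError("zero-length non-application record")
        body_start = pos + HEADER_LEN
        if len(buf) - body_start < length:
            break                       # incomplete; bounded by MAX_CIPHERTEXT
        records.append((ctype, (major, minor), bytes(buf[body_start:body_start + length])))
        pos = body_start + length
    return records, bytes(buf[pos:])


def rejects(buf: bytes) -> bool:
    """True if the framing layer refuses the bytes outright."""
    try:
        split_records(buf)
        return False
    except RecordError:
        return True


# Constructed samples. HELLO is a minimal handshake record (type 1 = ClientHello,
# header only); PARTIAL is an application-data record with 3 of 10 body bytes.
HELLO = struct.pack("!BBBH", HANDSHAKE, 3, 1, 4) + b"\x01\x00\x00\x00"
PARTIAL = struct.pack("!BBBH", APPLICATION_DATA, 3, 3, 10) + b"abc"
OVERSIZED = struct.pack("!BBBH", APPLICATION_DATA, 3, 3, 0xFFFF) + b"\x00" * 16
BAD_TYPE = struct.pack("!BBBH", 0x80, 3, 3, 4) + b"\x00" * 4


def parse_sample():
    """One complete record followed by a partial one."""
    return split_records(HELLO + PARTIAL)


if __name__ == "__main__":
    print(parse_sample())                          # one handshake record, PARTIAL left over
    print(rejects(OVERSIZED), rejects(BAD_TYPE))   # True True
```

The length check matters most: a record claiming 65535 bytes is rejected at the header, so nothing downstream ever allocates for it or tries to decrypt it.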
CVSS: 5.5 | EPSS: 0% | CPEs: 47 | EXPL: 0 | CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
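The failure mode is serialized data landing inside an inline script element, where the HTML tokenizer sees a closing tag inside a value before the JavaScript parser sees anything. The serializer below is an added illustration for this entry; it is not serialize-javascript's code or its exact output format. Python's re.Pattern stands in for a JavaScript RegExp, and the escape table and sample values are assumptions of the example.

```python
"""Serialized state inside an inline <script>: naive versus escaped output.

Added illustration for the serialize-javascript advisory above; not that
library's code and not its exact output format. Python's re.Pattern stands in
for a JavaScript RegExp, and the serializer, the escape table and the sample
values are this example's own.
"""
import json
import re

# Characters that must never appear raw inside a <script> block: the HTML
# tokenizer sees "</script" before the JS parser sees anything. A JS string
# literal decodes \uXXXX back to the original character, so the value is
# unchanged once the script actually runs. (json.dumps already ASCII-escapes
# U+2028/U+2029; they are listed for serializers that do not.)
UNSAFE = {"<": "\\u003C", ">": "\\u003E", "&": "\\u0026",
          "\u2028": "\\u2028", "\u2029": "\\u2029"}


def escape_unsafe(js_source: str) -> str:
    return "".join(UNSAFE.get(ch, ch) for ch in js_source)


def naive_serialize(value) -> str:
    """Unsafe shape: JSON for plain values, the raw regex source for patterns."""
    if isinstance(value, re.Pattern):
        return f"/{value.pattern}/"
    return json.dumps(value)


def safe_serialize(value) -> str:
    """Hardened shape: regexes become a RegExp constructor call on a string
    literal, and the whole output is escaped for embedding in HTML."""
    if isinstance(value, re.Pattern):
        body = f"new RegExp({json.dumps(value.pattern)})"
    else:
        body = json.dumps(value)
    return escape_unsafe(body)


def render_page(serialized: str) -> str:
    return f"<script>window.__STATE__ = {serialized};</script>"


def breaks_out(html: str) -> bool:
    """True if the embedded data can close the script element early, which is
    what lets attacker-controlled markup that follows it execute."""
    inner = html[len("<script>"):-len("</script>")]
    return "</script" in inner.lower()


# Constructed attacker-controlled values: a string and a regex source.
PAYLOAD = {"name": "</script><script>alert(1)</script>"}
REGEX = re.compile(r"</script><script>alert\(1\)</script>")


if __name__ == "__main__":
    for value in (PAYLOAD, REGEX):
        print("naive breaks out:", breaks_out(render_page(naive_serialize(value))))
        print("safe  breaks out:", breaks_out(render_page(safe_serialize(value))))
```

The regex case is the one the advisory singles out: a serializer that is careful with strings but copies a pattern's source verbatim still hands the browser a closing tag.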
CVSS: 6.8 | EPSS: 0% | CPEs: 11 | EXPL: 0 | CVE-2025-23367 – Org.wildfly.core:wildfly-server: wildfly improper rbac permission
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet... • https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control •
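The root cause, handlers that each perform (or forget) their own authorization check, is avoided by routing every management operation through one choke point. The dispatcher below is an added illustration for this entry, not WildFly code: the role names are the ones the advisory mentions plus two of the standard WildFly roles, while the permission classes, the operation table and the controller are assumptions of the example.

```python
"""Management operations authorized at one choke point, not per handler.

Added illustration for the WildFly RBAC advisory above; not WildFly code.
The role names are the ones the advisory mentions plus two of the standard
WildFly roles; the permission classes, operation table and dispatcher are this
example's own assumptions.
"""
READ, WRITE, CONTROL = "read", "write", "control"   # hypothetical permission classes

ROLE_PERMISSIONS = {
    "Monitor": {READ},                       # read-only, per the advisory
    "Auditor": {READ},                       # read-only, per the advisory
    "Operator": {READ, CONTROL},             # may change runtime state
    "Administrator": {READ, WRITE, CONTROL},
}

OPERATIONS = {                               # operation -> permission it needs
    "read-resource": READ,
    "write-attribute": WRITE,
    "suspend": CONTROL,
    "resume": CONTROL,
}


class Forbidden(PermissionError):
    pass


class ManagementController:
    def __init__(self):
        self.state = "running"
        self.audit = []                      # (role, op, decision)

    # Handlers contain no authorization logic of their own.
    def _read_resource(self):
        return self.state

    def _write_attribute(self):
        return "written"

    def _suspend(self):
        self.state = "suspended"
        return self.state

    def _resume(self):
        self.state = "running"
        return self.state

    _HANDLERS = {"read-resource": _read_resource, "write-attribute": _write_attribute,
                 "suspend": _suspend, "resume": _resume}

    def execute(self, role, op):
        """Every handler is reachable only through here, so a handler that
        forgets its own check (the advisory's root cause) cannot exist."""
        needed = OPERATIONS[op]
        if needed not in ROLE_PERMISSIONS.get(role, set()):
            self.audit.append((role, op, "denied"))
            raise Forbidden(f"{role} lacks '{needed}' for {op}")
        self.audit.append((role, op, "allowed"))
        return self._HANDLERS[op](self)


def unchecked_suspend(ctrl: ManagementController):
    """The flawed shape: a handler exposed directly, with no check at all.
    Any authenticated management user, Monitor included, can reach it."""
    ctrl.state = "suspended"
    return ctrl.state


def try_op(ctrl, role, op):
    """Run op as role; return the handler result or "denied"."""
    try:
        return ctrl.execute(role, op)
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    ctrl = ManagementController()
    print(try_op(ctrl, "Monitor", "suspend"), ctrl.state)    # denied running
    print(try_op(ctrl, "Operator", "suspend"))               # suspended
    print(try_op(ctrl, "Monitor", "read-resource"))          # suspended
    print(unchecked_suspend(ManagementController()))         # suspended, no check
```

The audit list doubles as a test oracle: a denied suspend must leave the server running and leave a record of who tried, which is the behaviour an Auditor role exists to verify.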
