
CVE-2025-2559 – org.keycloak/keycloak-services: JWT token cache exhaustion leading to denial of service (DoS) in Keycloak
https://notcve.org/view.php?id=CVE-2025-2559
25 Mar 2025 — A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. • https://access.redhat.com/security/cve/CVE-2025-2559 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2025-23368 – org.wildfly.core:wildfly-elytron-integration: WildFly Elytron brute force attack via CLI
https://notcve.org/view.php?id=CVE-2025-23368
04 Mar 2025 — A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. • https://access.redhat.com/security/cve/CVE-2025-23368 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2024-4028 – keycloak-core: stored XSS in Keycloak when creating items in admin console
https://notcve.org/view.php?id=CVE-2024-4028
18 Feb 2025 — A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. • https://access.redhat.com/security/cve/CVE-2024-4028 • CWE-20: Improper Input Validation •

CVE-2024-11831 – npm-serialize-javascript: cross-site scripting (XSS) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-23367 – org.wildfly.core:wildfly-server: WildFly improper RBAC permission
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet... • https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control •

CVE-2025-0604 – keycloak-ldap-federation: authentication bypass due to missing LDAP bind after password reset in Keycloak
https://notcve.org/view.php?id=CVE-2025-0604
22 Jan 2025 — A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions. New images are available for Red Hat build of Keycloak 26.0.10 and Red Hat build of Keycloak 26.0.... • https://access.redhat.com/security/cve/CVE-2025-0604 • CWE-287: Improper Authentication •

CVE-2024-10270 – org.keycloak:keycloak-services: Keycloak denial of service
https://notcve.org/view.php?id=CVE-2024-10270
25 Nov 2024 — A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. • https://access.redhat.com/errata/RHSA-2024:10175 • CWE-1333: Inefficient Regular Expression Complexity •

CVE-2022-2232 – Keycloak: LDAP injection on username input
https://notcve.org/view.php?id=CVE-2022-2232
14 Nov 2024 — A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. • https://access.redhat.com/errata/RHSA-2024:0094 • CWE-20: Improper Input Validation •

CVE-2023-1932 – hibernate-validator: rendering of invalid HTML with SafeHtml leads to HTML injection and XSS
https://notcve.org/view.php?id=CVE-2023-1932
07 Nov 2024 — A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render invalid HTML, allowing HTML injection or Cross-Site Scripting (XSS) attacks. • https://access.redhat.com/security/cve/CVE-2023-1932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-10234 – WildFly: WildFly vulnerable to cross-site scripting (XSS)
https://notcve.org/view.php?id=CVE-2024-10234
22 Oct 2024 — A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Syste... • https://access.redhat.com/security/cve/CVE-2024-10234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •