
JWT validation bypass in Kafka OAUTHBEARER authentication fixed
Apache Kafka disclosed an important auth flaw where the default OAUTHBEARER JWT validator can accept forged tokens, enabling user impersonation in Kafka 4.1.0 through 4.1.1.


CVE-2026-40458 discloses a High-severity CSRF bypass in `pac4j-core` where `String.hashCode()` collisions let attackers forge state-changing requests in PAC4J 5.x/6.x lines.

CVE-2026-40478 reports a critical Thymeleaf expression-engine bypass enabling SSTI when apps pass unvalidated input, affecting `thymeleaf` and Spring integrations before `3.1.4.RELEASE`.

CVE-2024-2374 reports a High-severity XXE in multiple WSO2 products, enabling unauthenticated file reads, limited HTTP resource access, and denial of service via XML entity expansion.

Eclipse Jetty disclosed and patched a High-severity HTTP/1.1 request-smuggling flaw in chunk-extension parsing, impacting multiple Jetty branches used behind proxies and load balancers.

A GitHub security advisory discloses Critical rules-engine expression injection in OpenRemote `openremote-manager` <=1.21.0, where `write:rules` users can execute arbitrary server code.

Apache Storm disclosed an unsafe-deserialization RCE in `org.apache.storm:storm-client` Kerberos TGT credential handling, affecting versions before `2.8.6` when submitting topologies via Nimbus.

Apache disclosed a Moderate Log4j Core TLS hostname-verification bypass where `<Ssl verifyHostName>` is ignored, impacting SMTP/Socket/Syslog appenders in 2.12.0–2.25.3.

Apache Log4j Core fixed a Medium XmlLayout sanitization flaw (CVE-2026-34480) that can drop log events or trigger logging exceptions when messages contain XML 1.0-forbidden characters.

CVE-2026-40180 reports a High Zip Slip path traversal in `quarkus-openapi-generator`, enabling crafted ZIP entries to write outside the intended output directory during code generation.

Spring disclosed CVE-2026-22750 where `spring.ssl.bundle` is silently ignored in Spring Cloud Gateway `4.2.0`, causing gateways to use default SSL settings instead of intended bundles.

CVE-2026-29145 is a Critical Apache Tomcat/Tomcat Native flaw where CLIENT_CERT authentication may not fail as expected when soft-fail is disabled, impacting multiple supported branches.

Apache Tomcat disclosed an important CBC padding-oracle flaw in the clustering `EncryptInterceptor`, impacting Tomcat 9.0.13+, 10.0.0-M1+, and 11.0.0-M1+ deployments using default configuration.

A new High-severity Jetty flaw can leak JASPI authentication state across requests on the same thread, breaking access control and enabling privilege escalation in affected branches.

CVE-2026-33229 reports a High-severity XWiki Platform sandbox bypass where users with Script right can execute arbitrary scripts and fully compromise the XWiki instance.

CVE-2026-33439 is a critical pre-auth Java deserialization RCE in OpenIdentityPlatform OpenAM <16.0.6, where `jato.clientSession` can execute commands via crafted serialized objects.

CVE-2026-34214 allows Trino users with SQL write privileges to extract Iceberg REST catalog object-storage credentials from query JSON, risking data exposure in shared clusters.

CVE-2026-33728 discloses critical unsafe RMI deserialization in Datadog’s `dd-trace-java` agent, risking JMX/RMI-port remote code execution on JDK 16 and earlier.

Spring’s advisory warns `SimpleVectorStore` can execute attacker-supplied SpEL via filter keys, enabling remote code execution in Spring AI 1.0.x and 1.1.x apps.

A critical pac4j-jwt flaw lets remote attackers forge authentication tokens via JWE-wrapped PlainJWTs, enabling login as arbitrary users (including admins) in affected versions.

NVD published a Critical Apache Artemis/ActiveMQ Artemis auth-bypass where unauthenticated Core protocol clients can coerce outbound federation connections for queue message injection or exfiltration.