VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
Advisories the vendor has revised
Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue.
Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters (e.g., a very large time range combined with a minimal interval). This forces the DataNode to build an enormous result set in memory, which exhausts the Java heap and causes the DataNode process to crash. This issue affects Apache IoTDB: from 1.3.3 before 2.0.8. Users are recommended to upgrade to version 2.0.8, which fixes the issue.
Unbounded GraphQL query depth allows authenticated denial of service. Red Hat rates this important (CVSS 7.7). Weakness: CWE-400. Red Hat lists fixing advisory RHSA-2026:36319 with package advanced-cluster-security/rhacs-main-rhel8:1783357140, advanced-cluster-security/rhacs-main-rhel9:1783352589, advanced-cluster-security/rhacs-main-rhel8:1783357116.
Apache Camel JMS components: Arbitrary Exchange state injection. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502.
Server-Side Request Forgery and sensitive data exposure. Red Hat rates this important (CVSS 8.2). Weakness: CWE-918.
Remote attacker can execute unintended operations via header manipulation. Red Hat rates this important (CVSS 7.5). Weakness: CWE-639.
Credential exposure and information disclosure via improper input validation of mail headers. Red Hat rates this moderate (CVSS 7.5). Weakness: CWE-918.
Apache Camel (camel-vertx-http): Remote Code Execution via Deserialization of Untrusted Data. Red Hat rates this important (CVSS 8.1). Weakness: CWE-502.
Stored Cross-Site Scripting via unescaped table header ID attributes in markdown. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-79.
Cross-site scripting via unescaped metadata title allows arbitrary code execution. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-79.
Denial of Service via crafted prompt in /v1/completions request. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-617.
Denial of Service due to excessive memory allocation via oversized audio file uploads. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-770.
Arbitrary command injection via shell metacharacters in file paths. Red Hat rates this moderate (CVSS 4.5). Weakness: CWE-78.
From CVEorg collector. Red Hat rates this moderate (CVSS 5.3). Weakness: CWE-617.
Information Disclosure via Arbitrary Server-Side File Read. Red Hat rates this moderate (CVSS 5).
NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size. Red Hat rates this moderate (CVSS 5.3). Weakness: CWE-22.
From CVEorg collector. Red Hat rates this moderate (CVSS 4.9).
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks.
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks.
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange.