Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-27727 is a critical severity vulnerability with a CVSS score of 9.8. Exploits are available; patches have been released and should be applied urgently.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted jaxax.naming.Reference or serialized object, they can provoke the download and execution of malicious code.
Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to false, com.sun.jndi.ldap.object.trustURLCodebase. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened.
Mirroring the JDK patch, mchange-commons-java's JNDI functionality is now gated by configuration parameters that default to restrictive values. Those parameters are documented here.
No. Users should upgrade to mchange-commons-java >= 0.4.0. Earlier versions should be avoided on application CLASSPATHs.
c3p0, you little rascal — Hans-Martin Münch c3p0 documentation, security note c3p0 documentation, configuring security
| Vendor | Product |
|---|---|
| Mchange | Mchange Commons Java |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.