Known vulnerabilities affecting Java products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-4258 | All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a... | 7.5 | 487 | Neutral | Yes | Yes |
| CVE-2026-35568 | The java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either ... | 5.7 | 135 | Neutral | No | Yes |
| CVE-2026-35229 | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker... | 7.5 | 428 | Neutral | No | Yes |
| CVE-2026-34237 | Hardcoded wildcard CORS (Access-Control-Allow-Origin: *) - https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport... | 6.1 | 165 | Neutral | No | Yes |
| CVE-2026-33728 | In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2026-33701 | In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RM... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2026-33117 | The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected ap... | 9.1 | 568 | Neutral | No | Yes |
| CVE-2026-27727 | mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and ... | 9.8 | 819 | Neutral | Yes | Yes |
| CVE-2026-27674 | Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and caus... | 6.1 | 328 | Neutral | No | Yes |
| CVE-2026-25526 | Vulnerability type: Sandbox bypass / remote code execution. Affected component: Jinjava. Affected users: organizations using HubSpot's Jinjava template rendering engine for us... | 9.8 | 588 | Neutral | No | Yes |
| CVE-2026-23686 | Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If proce... | 3.4 | 160 | Neutral | No | Yes |
| CVE-2026-23685 | Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processe... | 4.4 | 218 | Neutral | No | Yes |
| CVE-2026-21975 | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker... | 4.5 | 84 | Neutral | No | Yes |
| CVE-2026-21452 | Affected components: `org.msgpack.core.MessageUnpacker.readPayload()`, `org.msgpack.core.MessageUnpacker.unpackValue()`, `org.msgpack.value.ExtensionValue.getData()`. A denial-of-service vu... | 7.5 | 487 | Neutral | Yes | Yes |
| CVE-2026-2141 | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.j... | 8.8 | 718 | Neutral | Yes | No |
| CVE-2025-8991 | A vulnerability was identified in linlinjava litemall up to 1.8.0. Affected by this vulnerability is an unknown functionality of the file /admin/config/express of the component Business Logic Handler.... | 4.3 | 99 | Neutral | No | Yes |
| CVE-2025-8974 | A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHel... | 9.8 | 717 | Neutral | No | Yes |
| CVE-2025-8965 | A vulnerability has been found in linlinjava litemall up to 1.8.0. This vulnerability affects the function create of the file litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminSt... | 8.8 | 587 | Neutral | No | Yes |
| CVE-2025-8764 | A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to... | 5.4 | 269 | Neutral | Yes | No |
| CVE-2025-8753 | A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component F... | 5.4 | 243 | Neutral | No | Yes |