CVE-2026-56091
- EPSS 0.42%
- Veröffentlicht 25.06.2026 08:45:19
- Zuletzt bearbeitet 25.06.2026 13:27:40
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to https://www.cve.org/CVERecord?id=CVE-2020-1957 https://www.cve.org/CV...
- EPSS 0.2%
- Veröffentlicht 25.06.2026 08:44:30
- Zuletzt bearbeitet 25.06.2026 13:27:40
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from...
CVE-2026-49268
- EPSS 0.49%
- Veröffentlicht 17.06.2026 13:07:44
- Zuletzt bearbeitet 17.06.2026 13:07:44
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special cha...
CVE-2026-48589
- EPSS 0.35%
- Veröffentlicht 25.05.2026 20:20:03
- Zuletzt bearbeitet 28.05.2026 13:38:44
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect targe...
CVE-2026-44598
- EPSS 0.38%
- Veröffentlicht 25.05.2026 20:19:44
- Zuletzt bearbeitet 28.05.2026 13:44:45
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro...
CVE-2026-43828
- EPSS 0.27%
- Veröffentlicht 25.05.2026 20:19:26
- Zuletzt bearbeitet 28.05.2026 13:45:52
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 o...
CVE-2026-43827
- EPSS 0.41%
- Veröffentlicht 25.05.2026 20:19:03
- Zuletzt bearbeitet 28.05.2026 13:47:12
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue....
CVE-2026-23901
- EPSS 0.22%
- Veröffentlicht 10.02.2026 09:25:51
- Zuletzt bearbeitet 12.02.2026 15:30:25
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-e...
CVE-2026-23903
- EPSS 0.36%
- Veröffentlicht 09.02.2026 09:26:21
- Zuletzt bearbeitet 11.02.2026 18:30:59
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files ar...
CVE-2023-46749
- EPSS 1.18%
- Veröffentlicht 15.01.2024 10:15:26
- Zuletzt bearbeitet 03.11.2025 22:16:29
Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `bloc...