CVE-2016-15057
Published 2026-01-26
CVE-2016-15057: ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This…
Priority: P1 · 84 · critical · 9.9 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 3.73% (88.5th percentile)
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache_software_foundation | apache_continuum | < * | * |
Detection & IOCs (extracted from sources)
- Monitor for unexpected or unauthorized calls to the Apache Continuum REST API, particularly those that may carry command injection payloads in parameters.
- Apache Continuum is fully retired/unsupported; no patch will be issued. All versions are affected. Users should migrate away or strictly restrict access to trusted users only.
- The vulnerability affects all versions of Apache Continuum (cpe:2.3:a:apache:continuum / org.apache.continuum:continuum). There is no fixed version available.
CVSS provenance
nvd · v3.1 · 9.9 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck · 9.9 · CRITICAL
OSV
Apache Continuum vulnerable to Command Injection through Installations REST API
osv·2026-01-26
CVE-2016-15057 [CRITICAL] Apache Continuum vulnerable to Command Injection through Installations REST API
***UNSUPPORTED WHEN ASSIGNED***
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the Installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
GHSA
Apache Continuum vulnerable to Command Injection through Installations REST API
ghsa·2026-01-26
CVE-2016-15057 [CRITICAL] CWE-77 Apache Continuum vulnerable to Command Injection through Installations REST API
***UNSUPPORTED WHEN ASSIGNED***
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the Installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
VulnCheck
Apache continuum Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2016·CVSS 9.9
CVE-2016-15057 [CRITICAL] Apache continuum Improper Neutralization of Special Elements used in a Command ('Command Injection')
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected: Apache Software Foundation Apache Continuum
Required Action: Apply remediations or mitigati
No detection rules found.
No public exploits indexed.
Wiz
CVE-2016-15057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
## CVE-2016-15057: Java vulnerability analysis and mitigation
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Source: NVD
Score: 9.9
Published: January 26, 2026
Severity: CRITICAL
CNA Score: 9.9
Affected Technologies: Java, Apache Continuum
Exploited in the wild