CVE-2025-10492
Published 2025-09-16
CVE-2025-10492: A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute…
Priority P358 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.88% (54.5th percentile)
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cloud | jasperreports_io | <= 4.0.0 | — |
| cloud | jasperreports_library | <= 7.0.3 | — |
| cloud | jasperreports_library | <= 9.0.2 | — |
| cloud | jasperreports_server | <= 9.0.0 | — |
| cloud | jasperreports_studio | <= 7.0.3 | — |
| cloud | jasperreports_studio | <= 9.0.2 | — |
| cloud | jasperreports_web_studio | <= 3.0.1 | — |
| jaspersoft | jasperreports_io_at-scale | <= 4.0.0 | — |
| jaspersoft | jasperreports_io_professional | <= 4.0.0 | — |
| jaspersoft | jasperreports_library_community_edition | <= 7.0.3 | — |
| jaspersoft | jasperreports_library_professional | <= 9.0.2 | — |
| jaspersoft | jasperreports_server | <= 9.0.0 | — |
| jaspersoft | jasperreports_web_studio | <= 3.0.1 | — |
| jaspersoft | jaspersoft_studio_community_edition | <= 7.0.3 | — |
| jaspersoft | jaspersoft_studio_professional | <= 9.0.2 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.7 | HIGH | — |
GHSA
JasperReports has a Java deserialisation vulnerability
ghsa·2025-09-16
CVE-2025-10492 [HIGH] CWE-502 JasperReports has a Java deserialisation vulnerability
A Java deserialisation vulnerability has been discovered in the Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
OSV
JasperReports has a Java deserialisation vulnerability
osv·2025-09-16
CVE-2025-10492 [HIGH] JasperReports has a Java deserialisation vulnerability
A Java deserialisation vulnerability has been discovered in the Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
OSV
CVE-2025-10492: A Java deserialisation vulnerability has been discovered in Jaspersoft Library
osv·2025-09-16·CVSS 8.7
CVE-2025-10492 [HIGH] CVE-2025-10492: A Java deserialisation vulnerability has been discovered in Jaspersoft Library
A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
CISA ICS
Hitachi Energy Ellipse
cisa_ics·2026-04-02·CVSS 8.7
[HIGH] Hitachi Energy Ellipse
ICS Advisory
## Hitachi Energy Ellipse
Release Date: April 02, 2026
Alert Code: ICSA-26-092-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product versions listed below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about mitigation and remediation.
The following versions of Hitachi Energy Ellipse are affected:
- Ellipse vers:Ellipse/<=9.0.50 (CVE-2025-10492)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Hitachi Energy | Hitachi Energy Ellipse | Deserialization of Untrusted Da |
CISA ICS
Hitachi Energy Asset Suite
cisa_ics·2026-01-08·CVSS 9.8
[CRITICAL] Hitachi Energy Asset Suite
ICS Advisory
## Hitachi Energy Asset Suite
Release Date: January 08, 2026
Alert Code: ICSA-26-008-01
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Hitachi Energy is aware of a Jasper Report vulnerability that affects the Asset Suite product versions listed below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about mitigation and remediation.
The following versions of Hitachi Energy Asset Suite are affected:
- Asset Suite (CVE-2025-10492)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Hitachi Energy | Hitachi Energy Asset Suite | Deserialization of Untrusted Da |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-16