CVE-2025-5878Improper Input Validation in Esapi-java-legacy

CWE-20Improper Input ValidationCWE-138Improper Neutralization of Special Elements7 documents7 sources
Severity
6.9MEDIUMNVD
EPSS
0.2%
top 58.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Esapi Esapi-java-legacy
Timeline
PublishedJun 29
Latest updateApr 16

Description

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5esapi/esapi-java-legacy28 versions+27

🔴Vulnerability Details

3
GHSA
GHSA-hxjw-v2v5-hpcr: A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic2025-06-29
CVEList
ESAPI esapi-java-legacy SQL Injection Defense Encoder.encodeForSQL special element2025-06-29
OSV
CVE-2025-5878: A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic2025-06-29

📋Vendor Advisories

3
Ubuntu
ESAPI vulnerabilities2026-04-16
Oracle
Oracle Oracle Construction and Engineering Risk Matrix: Platform (Enterprise Security API for Java (Legacy)) — CVE-2025-58782025-10-15
Debian
CVE-2025-5878: libowasp-esapi-java - A vulnerability was found in ESAPI esapi-java-legacy and classified as problemat...2025
CVE-2025-5878 — Improper Input Validation | cvebase