CVE-2026-25747

CWE-502 — Deserialization of Untrusted Data7 documents7 sources

Severity

8.8HIGH

EPSS

0.1%

top 82.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Camel Leveldb Apache Camel

Timeline

PublishedFeb 23

Description

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, r…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.camel:camel-leveldb3.0.0 — 4.10.9+2

▶CVEListV5apache_software_foundation/apache_camel_leveldb3.0.0 — 4.10.9+2

▶NVDapache/camel3.0.0 — 4.10.9+2

🔴Vulnerability Details

OSV

Apache Camel Deserializes Untrusted Data in its LevelDB Component↗2026-02-23

▶

GHSA

Apache Camel Deserializes Untrusted Data in its LevelDB Component↗2026-02-23

▶

CVEList

Apache Camel LevelDB: Deserialization of Untrusted Data in Camel LevelDB↗2026-02-23

▶

📋Vendor Advisories

Red Hat

org.apache.camel/camel-leveldb: Apache Camel LevelDB: Arbitrary code execution via deserialization of untrusted data↗2026-02-23

▶

Apache

Apache camel: CVE-2026-25747↗

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25747 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶