Apache Jackrabbit vulnerabilities

6 known vulnerabilities affecting apache/jackrabbit.

Total CVEs: 6
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2025-58782 | MEDIUM | CVSS 6.5 | affected: ≥ 1.0.0, < 2.22.2 | published 2025-09-08
CWE-502: Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI refere…
Source: nvd
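The security-relevant point in the entry above is that a JNDI name taken from a request is a remote-code-execution sink: anything other than a local java: name (ldap:, ldaps:, rmi:, iiop:, dns:) makes the JVM contact an attacker-controlled provider and, depending on the JDK, deserialize or load what it returns. Upgrading is the fix; the guard below is added defense in depth. It is an illustrative example written for this page, not Jackrabbit code: the page does not show how Jackrabbit resolves JCR lookups, so the example assumes the plain pattern of passing a caller-supplied string to InitialContext.lookup, and the allowlisted names are assumed deployment configuration.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Set;

public final class JndiLookupGuard {

    // Assumed deployment policy: only these pre-configured local names may be resolved for a JCR repository.
    private static final Set<String> ALLOWED_NAMES = Set.of(
            "java:comp/env/jcr/repository",
            "java:comp/env/jcr/globalRepository");

    /** Vulnerable pattern (assumed, not Jackrabbit's code): the caller's string goes straight to lookup(). */
    static Object lookupUnsafe(String uri) throws NamingException {
        // "ldap://attacker.example/x" or "rmi://attacker.example/x" is resolved by a remote provider here.
        return new InitialContext().lookup(uri);
    }

    /** Hardened form: reject any scheme other than java: and any name not on the allowlist. */
    static String validateJndiName(String uri) {
        if (uri == null) {
            throw new IllegalArgumentException("missing JNDI name");
        }
        String name = uri.trim();
        // A scheme check alone is not enough; an exact-match allowlist also blocks odd local names.
        if (!name.startsWith("java:")) {
            throw new IllegalArgumentException("non-local JNDI scheme rejected: " + name);
        }
        if (!ALLOWED_NAMES.contains(name)) {
            throw new IllegalArgumentException("JNDI name not allowlisted: " + name);
        }
        return name;
    }

    static Object lookupSafe(String uri) throws NamingException {
        return new InitialContext().lookup(validateJndiName(uri));
    }

    public static void main(String[] args) {
        // Constructed candidates: one legitimate name and three that must be rejected.
        String[] candidates = {
                "java:comp/env/jcr/repository",
                "ldap://attacker.example/cn=evil",
                "rmi://attacker.example:1099/obj",
                "java:comp/env/jcr/../other"
        };
        for (String candidate : candidates) {
            try {
                System.out.println("accepted: " + validateJndiName(candidate));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allowlist is the part that matters: a prefix check on java: can be argued around by naming tricks in some containers, whereas an exact match against names the operator configured cannot be influenced by the request at all.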
CVE-2025-53689 | HIGH | CVSS 8.8 | affected: ≥ 2.20.0, < 2.20.17; v2.22.0 (+2 more) | published 2025-07-14
CWE-611: Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document builder to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not support…
Source: nvd
CVE-2023-37895 | CRITICAL | CVSS 9.8 | affected: ≥ 1.0.0, < 2.20.11; ≥ 2.21.0, < 2.21.18 | published 2023-07-25
CWE-502: Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI. Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to…
Source: nvd
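The entry above is a classic gadget-chain case: the RMI endpoint deserializes attacker-supplied object graphs, and a class shipped in commons-beanutils turns that into code execution. Besides upgrading (which removes the dependency), the JVM-level control is a deserialization filter (JEP 290, Java 9+), which rejects named classes before their readObject runs. The example below is added for this page and is not Jackrabbit's code; the pattern string rejects the commons-beanutils package named in the advisory and, purely so the demo can show a rejection without that library on the classpath, also rejects a local class Rejected that the example defines itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public final class SerialFilterDemo {

    // Reject the gadget carrier named in the advisory, reject the demo's own stand-in class,
    // and cap graph depth and array sizes so a malicious stream cannot exhaust the heap.
    // The same string works process-wide as -Djdk.serialFilter='...' on the command line.
    static final String FILTER_PATTERN =
            "!org.apache.commons.beanutils.**;!SerialFilterDemo$Rejected;maxdepth=20;maxarray=10000";

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Deserialize with a per-stream filter; a rejected class surfaces as InvalidClassException. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
            return ois.readObject();
        }
    }

    // Stand-in for a gadget class (constructed for the demo; carries no dangerous behaviour).
    static final class Rejected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        ArrayList<String> benign = new ArrayList<>();
        benign.add("hello");
        System.out.println("benign graph accepted: " + deserializeFiltered(serialize(benign)));
        try {
            deserializeFiltered(serialize(new Rejected()));
            System.out.println("unexpected: gadget stand-in was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

For a running Jackrabbit webapp or standalone instance the practical form is the JVM property rather than code changes, since the RMI deserialization happens inside the JDK's RMI stack, not in application code; a deny-list is only a stopgap, and an allow-list of the handful of classes the RMI interface legitimately exchanges is the stronger configuration.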
CVE-2016-6801 | HIGH | CVSS 8.8 | affected: v2.4.0, v2.4.1 (+24 more) | published 2016-09-21
CWE-352: Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a res…
Source: nvd
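A content-type check is a CSRF defence only if it treats every request a cross-origin HTML form can produce as forgeable: the three form enctypes (application/x-www-form-urlencoded, multipart/form-data, text/plain), with any parameters such as charset or boundary attached, and a missing header. The entry above does not say which case the Jackrabbit check missed, so the weak check below is an assumed shape, not the project's code, and the whole block is an added example for this page. The hardened check generalizes the rule: form-submittable bodies must additionally prove same-origin, while bodies that need a CORS preflight are not forgeable by a plain form.

```java
import java.util.Locale;
import java.util.Set;

public final class CsrfContentTypeCheck {

    // Media types an HTML form can send cross-origin without a CORS preflight.
    static final Set<String> FORM_SUBMITTABLE = Set.of(
            "application/x-www-form-urlencoded", "multipart/form-data", "text/plain");

    /** Media type with parameters stripped and lower-cased; null when the header is absent or empty. */
    static String mediaType(String contentType) {
        if (contentType == null) {
            return null;
        }
        int semi = contentType.indexOf(';');
        String type = (semi < 0 ? contentType : contentType.substring(0, semi)).trim().toLowerCase(Locale.ROOT);
        return type.isEmpty() ? null : type;
    }

    /** Assumed weak check: only one exact header value is treated as a browser form post. */
    static boolean weakIsFormPost(String contentType) {
        return "application/x-www-form-urlencoded".equals(contentType);
    }

    /**
     * Hardened check for state-changing methods (PUT, MKCOL, PROPPATCH, POST, ...):
     * a missing or form-submittable type is browser-forgeable and must carry a matching Origin.
     */
    static boolean allowStateChange(String method, String contentType, String origin, String expectedOrigin) {
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return true; // safe methods are out of scope for this check
        }
        String type = mediaType(contentType);
        boolean browserForgeable = type == null || FORM_SUBMITTABLE.contains(type);
        if (!browserForgeable) {
            return true; // JSON/XML bodies from fetch/XHR trigger a preflight; a plain form cannot send them
        }
        return origin != null && origin.equalsIgnoreCase(expectedOrigin);
    }

    public static void main(String[] args) {
        // Constructed header values a browser form could produce, plus one it could not.
        String[] types = {
                "application/x-www-form-urlencoded",
                "multipart/form-data; boundary=----x",
                "text/plain",
                null,
                "application/xml"
        };
        for (String t : types) {
            System.out.printf("%-40s weak-flagged=%-5s hardened-allowed-without-origin=%s%n",
                    t, weakIsFormPost(t), allowStateChange("POST", t, null, "https://repo.example"));
        }
    }
}
```

Run against the sample values, the weak check flags only the first header, while the hardened check refuses every form-submittable variant unless an Origin matching the configured site is present and lets only the application/xml request through.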
CVE-2015-1833 | MEDIUM | CVSS 6.4 | PoC available | affected: ≤ 2.0.5, v2.2.0 (+25 more) | published 2015-05-29
CWE-20: XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Source: nvd
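Two entries on this page, CVE-2015-1833 (XXE via a WebDAV request) and CVE-2025-53689 (blind XXE from an unsecured document builder), share one root cause: a JAXP DocumentBuilderFactory left at its defaults resolves DOCTYPE declarations and external entities. The example below is added for this page and is not Jackrabbit's code; it parses a constructed PROPFIND-style body carrying a file entity with a default builder and with a hardened one. The file path in the entity is a constructed sample and is only there to show the fetch being attempted or refused.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public final class XmlHardening {

    // Constructed sample body: a WebDAV-style request whose DTD declares an external entity.
    static final String XXE_BODY =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE propfind [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
          + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname>&xxe;</D:displayname></D:prop></D:propfind>";

    /** Unsecured builder: the defaults resolve DTDs and external entities. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened builder: no DOCTYPE at all, which also closes the parameter-entity channel used by blind XXE. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a caller later relaxes the DOCTYPE rule for a DTD-bearing format.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse the body and return the displayname text, i.e. whatever the entity expanded to. */
    static String displayName(DocumentBuilder builder, String xml) throws SAXException, IOException {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("D:displayname").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("unsafe parser expanded the entity to: " + displayName(unsafeBuilder(), XXE_BODY));
        } catch (Exception e) {
            // On a host without that file the fetch is still attempted; the failure itself is the leak signal.
            System.out.println("unsafe parser attempted the external fetch and failed: " + e);
        }
        try {
            displayName(hardenedBuilder(), XXE_BODY);
            System.out.println("unexpected: hardened parser accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("hardened parser refused the body: " + e.getMessage());
        }
    }
}
```

For a blind XXE such as CVE-2025-53689 the attacker never sees the expanded value in a response, only an out-of-band request triggered by a parameter entity; disallow-doctype-decl stops that at the point where the DTD would be read, which is why it is the first feature set rather than a later one.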
CVE-2009-0026 | MEDIUM | CVSS 4.3 | PoC available | affected: v1.4, v1.5.0 | published 2009-01-21
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Source: nvd