Hibernate Validator vulnerabilities
2 known vulnerabilities affecting hibernate/hibernate_validator.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2
Vulnerabilities
CVE-2025-35036 | HIGH | CVSS 7.9 | fixed in 6.2.0, fixed in 7.0.0 | 2025-06-03
CVE-2025-35036 [HIGH] CWE-94: hibernate-validator insecure default Expression Language interpolation
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer in
Source: cvelistv5
CVE-2020-5245 | HIGH | CVSS 8.8 | fixed in 6.2.0, fixed in 7.0.0 | 2020-02-24
CVE-2020-5245 [HIGH] CWE-74: Dropwizard-Validation before 1.3.19 and 2.0.2 may allow arbitrary code execution on the host system
Dropwizard-Validation before 1.3.19 and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.
The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
Source: nvd