0--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1396NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--spring-security-web-5.8.16.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/spring-security-web-5.8.16.jarFALLBACK-db203dab11CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)trivyTrivy Security Scanner-1396HIGHspring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)CVE-2026-227320--struts-core-1.3.10.jar00-/usr/local/tomcat/webapps/govwayAPIConfig.war/WEB-INF/lib/struts-core-1.3.10.jarFALLBACK-1907267611CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)trivyTrivy Security Scanner-1396HIGHstruts-core-1.3.10.jar(1,0): CVE-2023-34396: : CVE-2023-34396: LanguageSpecificPackageVulnerability Apache Struts vulnerable to memory exhaustion For additional help see: **Vulnerability CVE-2023-34396** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|org.apache.struts:struts-core||[CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)| Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Package: org.apache.struts:struts-core Installed Version: 1.3.10 Vulnerability CVE-2023-34396 Severity: HIGH Fixed Version: Link: [CVE-2023-34396](https://avd.aquasec.com/nvd/cve-2023-34396)CVE-2023-3439633 warnings (high: 2, normal: 1)