0--commons-lang-2.6.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/commons-lang-2.6.jarFALLBACK-f48ad3a611CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)trivyTrivy Security Scanner-1398NORMALcommons-lang-2.6.jar(1,0): CVE-2025-48924: : CVE-2025-48924: LanguageSpecificPackageVulnerability commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang For additional help see: **Vulnerability CVE-2025-48924** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|commons-lang:commons-lang||[CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)| Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. Package: commons-lang:commons-lang Installed Version: 2.6 Vulnerability CVE-2025-48924 Severity: MEDIUM Fixed Version: Link: [CVE-2025-48924](https://avd.aquasec.com/nvd/cve-2025-48924)CVE-2025-489240--jasperreports-6.20.0.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/jasperreports-6.20.0.jarFALLBACK-b0f3610311CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)trivyTrivy Security Scanner-1398HIGHjasperreports-6.20.0.jar(1,0): CVE-2025-10492: : CVE-2025-10492: LanguageSpecificPackageVulnerability JasperReports has a Java deserialisation vulnerability For additional help see: **Vulnerability CVE-2025-10492** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |HIGH|net.sf.jasperreports:jasperreports|7.0.4|[CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)| A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library Package: net.sf.jasperreports:jasperreports Installed Version: 6.20.0 Vulnerability CVE-2025-10492 Severity: HIGH Fixed Version: 7.0.4 Link: [CVE-2025-10492](https://avd.aquasec.com/nvd/cve-2025-10492)CVE-2025-104920--log4j-core-2.25.3.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/log4j-core-2.25.3.jarFALLBACK-6610c7f611CVE-2026-34480: LanguageSpecificPackageVulnerability Apache Log4j Core's XmlLayout fails to sanitize characters For additional help see: **Vulnerability CVE-2026-34480** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|org.apache.logging.log4j:log4j-core|2.25.4, 3.0.0-beta3|[CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)| Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. Package: org.apache.logging.log4j:log4j-core Installed Version: 2.25.3 Vulnerability CVE-2026-34480 Severity: MEDIUM Fixed Version: 2.25.4, 3.0.0-beta3 Link: [CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)trivyTrivy Security Scanner-1398NORMALlog4j-core-2.25.3.jar(1,0): CVE-2026-34480: : CVE-2026-34480: LanguageSpecificPackageVulnerability Apache Log4j Core's XmlLayout fails to sanitize characters For additional help see: **Vulnerability CVE-2026-34480** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|org.apache.logging.log4j:log4j-core|2.25.4, 3.0.0-beta3|[CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)| Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. Package: org.apache.logging.log4j:log4j-core Installed Version: 2.25.3 Vulnerability CVE-2026-34480 Severity: MEDIUM Fixed Version: 2.25.4, 3.0.0-beta3 Link: [CVE-2026-34480](https://avd.aquasec.com/nvd/cve-2026-34480)CVE-2026-344800--log4j-layout-template-json-2.25.3.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/log4j-layout-template-json-2.25.3.jarFALLBACK-78a9f3ba11CVE-2026-34481: LanguageSpecificPackageVulnerability Apache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values For additional help see: **Vulnerability CVE-2026-34481** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|org.apache.logging.log4j:log4j-layout-template-json|2.25.4, 3.0.0-beta3|[CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)| Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. Package: org.apache.logging.log4j:log4j-layout-template-json Installed Version: 2.25.3 Vulnerability CVE-2026-34481 Severity: MEDIUM Fixed Version: 2.25.4, 3.0.0-beta3 Link: [CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)trivyTrivy Security Scanner-1398NORMALlog4j-layout-template-json-2.25.3.jar(1,0): CVE-2026-34481: : CVE-2026-34481: LanguageSpecificPackageVulnerability Apache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values For additional help see: **Vulnerability CVE-2026-34481** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |MEDIUM|org.apache.logging.log4j:log4j-layout-template-json|2.25.4, 3.0.0-beta3|[CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)| Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. Package: org.apache.logging.log4j:log4j-layout-template-json Installed Version: 2.25.3 Vulnerability CVE-2026-34481 Severity: MEDIUM Fixed Version: 2.25.4, 3.0.0-beta3 Link: [CVE-2026-34481](https://avd.aquasec.com/nvd/cve-2026-34481)CVE-2026-344810--spring-security-web-5.8.16.jar00-/usr/local/tomcat/webapps/govwayAPIMonitor.war/WEB-INF/lib/spring-security-web-5.8.16.jarFALLBACK-db203dab11CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)trivyTrivy Security Scanner-1398HIGHspring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers For additional help see: **Vulnerability CVE-2026-22732** | Severity | Package | Fixed Version | Link | | --- | --- | --- | --- | |CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)| When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. Package: org.springframework.security:spring-security-web Installed Version: 5.8.16 Vulnerability CVE-2026-22732 Severity: CRITICAL Fixed Version: 6.5.9, 7.0.4 Link: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)CVE-2026-2273255 warnings (high: 2, normal: 3)