
CVE-2021-39139

8.5 HIGH

XStream is a simple library to serialize objects to XML and back again

Published: 2021-08-23 · Last updated: 2026-06-17

Severity and scoring

CVSS
8.5 HIGH
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-434, CWE-502

Affected products

Vendor: Product(s)
  • debian: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
  • fedoraproject: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
  • netapp: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
  • oracle: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
  • xstream: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can easily be adjusted to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-35273 Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) (9.8 CRITICAL)
  • CVE-2026-49975 Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
  • CVE-2026-46843 Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
  • CVE-2026-46842 Vulnerability in Oracle REST Data Services (component: Core) (5.3 MEDIUM)
  • CVE-2026-46841 Vulnerability in Oracle REST Data Services (component: General) (5.3 MEDIUM)

Same CWE

  • CVE-2026-48775 LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
  • CVE-2026-10748 An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
  • CVE-2026-24228 NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
  • CVE-2026-40750 Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
  • CVE-2026-6933 The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)