CVE-2021-39144

8.5 HIGH

XStream is a simple library to serialize objects to XML and back again

Published: 2021-08-23 · Last updated: 2026-06-17

Severity and scoring

CVSS: 8.5 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-306, CWE-502, CWE-94

Affected products

Vendor: Product(s)
debian: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
fedoraproject: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
netapp: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
oracle: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine
xstream: business_activity_monitoring, commerce_guided_search, communications_billing_and_revenue_management_elastic_charging_engine

Description

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Source: NVD
