Medium severity 5.3 · NVD Advisory · Published May 14, 2026 · Updated May 15, 2026
CVE-2026-45205
Description
Uncontrolled Recursion vulnerability in Apache Commons.
When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0.
Users are recommended to upgrade to version 2.15.0, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-configuration2 (Maven) | >= 2.2, < 2.15.0 | 2.15.0 |
Affected products
- (no CPE)
- cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:* range: >=2.2,<2.15.0
- osv-coords (49 versions):
  - pkg:apk/chainguard/apache-activemq-artemis (no CPE) range: < 2.54.0-r3
  - pkg:apk/chainguard/apache-hop (no CPE) range: < 2.17.0-r16
  - pkg:apk/chainguard/apache-hop-fips (no CPE) range: < 2.17.0-r16
  - pkg:apk/chainguard/apache-nifi (no CPE) range: < 2.9.0-r11
  - pkg:apk/chainguard/apache-pulsar-4.0 (no CPE) range: < 4.0.10-r3
  - pkg:apk/chainguard/apache-pulsar-4.2 (no CPE) range: < 4.2.1-r5
  - pkg:apk/chainguard/apache-pulsar-fips-4.0 (no CPE) range: < 4.0.10-r1
  - pkg:apk/chainguard/apache-pulsar-fips-4.2 (no CPE) range: < 4.2.1-r5
  - pkg:apk/chainguard/apicurio-registry (no CPE) range: < 3.2.4-r3
  - pkg:apk/chainguard/cassandra-reaper (no CPE) range: < 4.2.3-r2
  - pkg:apk/chainguard/druid (no CPE) range: < 37.0.0-r14
  - pkg:apk/chainguard/flyway (no CPE) range: < 12.8.1-r1
  - pkg:apk/chainguard/hadoop-client-modules (no CPE) range: < 3.3.6-r10
  - pkg:apk/chainguard/hadoop-fips-3.4.2 (no CPE) range: < 3.4.2-r1
  - pkg:apk/chainguard/neo4j-5.26 (no CPE) range: < 5.26.25-r3
  - pkg:apk/chainguard/pinot (no CPE) range: < 1.5.0-r11
  - pkg:apk/chainguard/pinot-fips (no CPE) range: < 1.5.0-r10
  - pkg:apk/chainguard/spark-fips-4.1-scala-2.13 (no CPE) range: < 4.1.2-r1
  - pkg:apk/chainguard/tez (no CPE) range: < 0.10.5-r18
  - pkg:apk/chainguard/trino-plugin-pinot (no CPE) range: < 481-r4
  - pkg:apk/chainguard/trino-plugin-ranger (no CPE) range: < 481-r4
  - pkg:apk/chainguard/zipkin (no CPE) range: < 3.6.1-r8
  - pkg:apk/chainguard/zipkin-slim (no CPE) range: < 3.6.1-r8
  - pkg:apk/wolfi/apache-activemq-artemis (no CPE) range: < 2.54.0-r3
  - pkg:apk/wolfi/apache-nifi (no CPE) range: < 2.9.0-r11
  - pkg:apk/wolfi/apache-pulsar-4.2 (no CPE) range: < 4.2.1-r5
  - pkg:apk/wolfi/apicurio-registry (no CPE) range: < 3.2.4-r3
  - pkg:apk/wolfi/cassandra-reaper (no CPE) range: < 4.2.3-r2
  - pkg:apk/wolfi/druid (no CPE) range: < 37.0.0-r14
  - pkg:apk/wolfi/flyway (no CPE) range: < 12.8.1-r1
  - pkg:apk/wolfi/neo4j-5.26 (no CPE) range: < 5.26.25-r3
  - pkg:apk/wolfi/tez (no CPE) range: < 0.10.5-r18
  - pkg:apk/wolfi/trino-plugin-pinot (no CPE) range: < 481-r4
  - pkg:apk/wolfi/trino-plugin-ranger (no CPE) range: < 481-r4
  - pkg:apk/wolfi/zipkin (no CPE) range: < 3.6.1-r8
  - pkg:apk/wolfi/zipkin-slim (no CPE) range: < 3.6.1-r8
  - pkg:rpm/opensuse/apache-commons-configuration2&distro=openSUSE%20Tumbleweed (no CPE) range: < 2.15.0-1.1
  - pkg:rpm/suse/apache-commons-cli&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 1.11.0-160000.1.1
  - pkg:rpm/suse/apache-commons-cli&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 1.11.0-160000.1.1
  - pkg:rpm/suse/apache-commons-codec&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 1.22.0-160000.1.1
  - pkg:rpm/suse/apache-commons-codec&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 1.22.0-160000.1.1
  - pkg:rpm/suse/apache-commons-configuration2&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 2.15.0-160000.1.1
  - pkg:rpm/suse/apache-commons-configuration2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 2.15.0-160000.1.1
  - pkg:rpm/suse/apache-commons-io&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 2.22.0-160000.1.1
  - pkg:rpm/suse/apache-commons-io&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 2.22.0-160000.1.1
  - pkg:rpm/suse/apache-commons-lang3&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 3.20.0-160000.1.1
  - pkg:rpm/suse/apache-commons-lang3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 3.20.0-160000.1.1
  - pkg:rpm/suse/apache-commons-text&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 (no CPE) range: < 1.15.0-160000.1.1
  - pkg:rpm/suse/apache-commons-text&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 (no CPE) range: < 1.15.0-160000.1.1
References
- github.com/apache/commons-configuration/pull/634 (nvd; Issue Tracking, Patch; WEB)
- www.openwall.com/lists/oss-security/2026/05/14/5 (nvd; Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-337m-mw94-2v6g (ghsa; ADVISORY)
- lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk (nvd; Mailing List, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-45205 (ghsa; ADVISORY)