Maven package
org.apache.httpcomponents.client5/httpclient5
pkg:maven/org.apache.httpcomponents.client5/httpclient5
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40542 | High | 7.3 | | >= 5.6-alpha1, < 5.6.1 | 5.6.1 | Apr 22, 2026 | Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue. |
| CVE-2025-27820 | — | | | >= 5.4-alpha1, < 5.4.3 | 5.4.3 | Apr 24, 2025 | A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release. |