Maven package
org.hibernate/hibernate-validator
pkg:maven/org.hibernate/hibernate-validator
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-35036 | — | | | < 6.2.0.CR1 | 6.2.0.CR1 | Jun 3, 2025 | Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibern |
| CVE-2023-1932 | — | | | < 6.2.0.Final | 6.2.0.Final | Nov 7, 2024 | A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML inject |
| CVE-2020-10693 | — | | | >= 6.1.0.Final, < 6.1.5.Final | 6.1.5.Final | May 6, 2020 | A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may |
| CVE-2019-10219 | — | | | >= 6.1.0.Alpha1, < 6.1.0.Alpha6 | 6.1.0.Alpha6 | Nov 8, 2019 | A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. |
| CVE-2017-7536 | — | | | >= 5.2.0, < 5.2.5.Final | 5.2.5.Final | Jan 10, 2018 | In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By |
| CVE-2014-3558 | — | | | >= 4.1.0, < 4.2.1 | 4.2.1 | Sep 30, 2014 | ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted applicati |