Maven package
org.pf4j/pf4j
pkg:maven/org.pf4j/pf4j
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-70952 | Hig | 7.5 | < 3.14.1 | 3.14.1 | Mar 25, 2026 | pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation. | |
| CVE-2023-40828 | — | <= 3.9.0 | — | Aug 28, 2023 | An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the expandIfZip method in the extract function. | ||
| CVE-2023-40827 | — | <= 3.9.0 | — | Aug 28, 2023 | An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the loadpluginPath parameter. | ||
| CVE-2023-40826 | — | <= 3.9.0 | — | Aug 28, 2023 | An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter. |
- affected < 3.14.1fixed 3.14.1
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
- CVE-2023-40828Aug 28, 2023affected <= 3.9.0
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the expandIfZip method in the extract function.
- CVE-2023-40827Aug 28, 2023affected <= 3.9.0
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the loadpluginPath parameter.
- CVE-2023-40826Aug 28, 2023affected <= 3.9.0
An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the zippluginPath parameter.