VYPR

Shiro

by Apache

CVEs (12)

  • CVE-2016-4437 (Critical, KEV) Jun 7, 2016
    risk 0.79 | cvss 9.8 | epss 0.93

    Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

  • CVE-2016-6802 (High) Sep 20, 2016
    risk 0.43 | cvss 7.5 | epss 0.10

    Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

  • CVE-2026-43828 (Medium) May 25, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the…

  • CVE-2026-43827 (Medium) May 25, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions,…

  • CVE-2026-48589 (Medium) May 25, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the…

  • CVE-2026-44598 (Medium) May 25, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration…

  • CVE-2010-3863 Nov 5, 2010
    risk 0.07 | cvss (not listed) | epss 0.55

    Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

  • CVE-2019-12422 Nov 18, 2019
    risk 0.04 | cvss (not listed) | epss 0.09

    Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

  • CVE-2026-56130 Jun 28, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and…

  • CVE-2026-56091 Jun 28, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it…

  • CVE-2026-49268 Jun 17, 2026
    risk 0.00 | cvss (not listed) | epss 0.00

    A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an…

  • CVE-2014-0074 Oct 6, 2014
    risk 0.00 | cvss (not listed) | epss 0.05

    Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.