Camel

by Apache

CVEs (36)

  • CVE-2026-47323 (Critical), May 19, 2026
    risk 0.64, CVSS 9.8, EPSS 0.01

    Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering. The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in…

  • CVE-2026-40860 (Critical), Apr 27, 2026
    risk 0.64, CVSS 9.8, EPSS 0.01

    JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist.…

  • CVE-2017-12633 (Critical), Nov 15, 2017
    risk 0.64, CVSS 9.8, EPSS 0.07

    The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 has a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.

  • CVE-2026-33453 (Critical), Apr 27, 2026
    risk 0.58, CVSS 10.0, EPSS 0.05

    Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP…

  • CVE-2016-8749 (Critical), Mar 28, 2017
    risk 0.58, CVSS 9.8, EPSS 0.11

    Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.

  • CVE-2026-40453 (Critical), Apr 27, 2026
    risk 0.57, CVSS 9.9, EPSS 0.01

    The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP…

  • CVE-2018-8027 (Critical), Jul 31, 2018
    risk 0.57, CVSS 9.8, EPSS 0.06

    Apache Camel Core 2.20.0 to 2.20.3 and 2.21.0 is vulnerable to XXE in the XSD validation processor.

  • CVE-2017-12634 (Critical), Nov 15, 2017
    risk 0.57, CVSS 9.8, EPSS 0.07

    The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 has a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.

  • CVE-2017-3159 (Critical), Mar 7, 2017
    risk 0.57, CVSS 9.8, EPSS 0.06

    Apache Camel's camel-snakeyaml component has a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.

  • CVE-2015-5344 (Critical), Feb 3, 2016
    risk 0.57, CVSS 9.8, EPSS 0.07

    The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

  • CVE-2026-33454 (Critical), Apr 27, 2026
    risk 0.54, CVSS 9.4, EPSS 0.01

    The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via…

  • CVE-2026-27172 (High), Apr 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without…

  • CVE-2026-40858 (High), Apr 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel…

  • CVE-2026-40473 (High), Apr 27, 2026
    risk 0.50, CVSS 8.8, EPSS 0.01

    The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests…

  • CVE-2026-40022 (High), Apr 27, 2026
    risk 0.46, CVSS 8.2, EPSS 0.00

    When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and…

  • CVE-2015-5348 (High), Apr 15, 2016
    risk 0.46, CVSS 8.1, EPSS 0.06

    Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

  • CVE-2026-40048 (High), Apr 27, 2026
    risk 0.44, CVSS 7.8, EPSS 0.00

    The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is…

  • CVE-2017-5643 (High), Mar 16, 2017
    risk 0.41, CVSS 7.4, EPSS 0.05

    Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.

  • CVE-2018-8041 (Medium), Sep 17, 2018
    risk 0.28, CVSS 5.3, EPSS 0.10

    Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.

  • CVE-2019-0194, Apr 30, 2019
    risk 0.01, CVSS n/a, EPSS 0.08

    Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may also be affected.