VYPR · Vendor CVEs · Eclipse

All CVEs

209 total · sorted by risk
  • CVE-2025-12548 · Critical · Jan 13, 2026
    risk 0.65 · cvss 9.0 · epss 0.01

    A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API…

  • CVE-2023-44487 · High · KEV · Oct 10, 2023
    risk 0.65 · cvss 7.5 · epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2017-7658 · Critical · Jun 26, 2018
    risk 0.65 · cvss 9.8 · epss 0.21

    In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the…

  • CVE-2017-7657 · Critical · Jun 26, 2018
    risk 0.65 · cvss 9.8 · epss 0.16

    In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size…

  • CVE-2023-54344 · Critical · May 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash…

  • CVE-2023-54342 · Critical · May 5, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the…

  • CVE-2026-22886 · Critical · Mar 3, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login,…

  • CVE-2017-7649 · Critical · Sep 11, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still, the Equinox console port 5002 is left open, allowing login to Kura without any user credentials over unencrypted…

  • CVE-2016-4800 · Critical · Apr 13, 2017
    risk 0.64 · cvss 9.8 · epss 0.06

    The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

  • CVE-2026-2587 · Critical · May 19, 2026
    risk 0.62 · cvss 9.6 · epss 0.01

    A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL)…

  • CVE-2026-2586 · Critical · May 19, 2026
    risk 0.59 · cvss 9.1 · epss 0.01

    An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application…

  • CVE-2026-24457 · Critical · Mar 5, 2026
    risk 0.59 · cvss 9.1 · epss 0.01

    Unsafe parsing of OpenMQ's configuration allows a remote attacker to read arbitrary files from an MQ Broker's server. Full exploitation could read unauthorized files from the OpenMQ host OS. In some scenarios RCE could be achieved.

  • CVE-2015-2080 · High · Oct 7, 2016
    risk 0.58 · cvss 7.5 · epss 0.75

    The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

  • CVE-2026-12856 · Important · Jun 29, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension

  • CVE-2018-12538 · High · Jun 22, 2018
    risk 0.57 · cvss 8.8 · epss 0.03

    In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the…

  • CVE-2026-6272 · High · Apr 24, 2026
    risk 0.55 · cvss n/a · epss 0.00

    A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API…

  • CVE-2026-0648 · High · Jan 27, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to…

  • CVE-2018-12539 · High · Aug 14, 2018
    risk 0.51 · cvss 7.8 · epss 0.00

    In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled…

  • CVE-2025-55102 · High · Jan 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted "Packet Too Big" network packet with more than 15 different source addresses can lead to denial of service. An attacker can send a malicious packet…

  • CVE-2017-7656 · High · Jun 26, 2018
    risk 0.49 · cvss 7.5 · epss 0.06

    In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was…

  • CVE-2017-7654 · High · Jun 5, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

  • CVE-2017-7652 · High · Apr 25, 2018
    risk 0.49 · cvss 7.5 · epss 0.02

    In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to the server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets…

  • CVE-2017-7651 · High · Apr 24, 2018
    risk 0.49 · cvss 7.5 · epss 0.05

    In Eclipse Mosquitto 1.4.14, a user can shut down the Mosquitto server simply by filling the RAM with a lot of connections carrying large payloads. This can be done without authentication if it occurs in the connection phase of the MQTT protocol.

  • CVE-2017-7243 · High · Mar 24, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to cause a denial of service (DTLS peer crash) by sending a "Change cipher spec" packet without pre-handshake.

  • CVE-2026-2332 · High · Apr 14, 2026
    risk 0.48 · cvss 7.4 · epss 0.01

    In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty…

  • CVE-2026-5795 · High · Apr 8, 2026
    risk 0.48 · cvss 7.4 · epss 0.01

    In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.…

  • CVE-2024-8642 · High · Sep 11, 2024
    risk 0.46 · cvss 8.1 · epss 0.00

    In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The…

  • CVE-2026-6918 · High · May 5, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

  • CVE-2017-7650 · Medium · Sep 11, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party…

  • CVE-2017-9735 · High · Jun 16, 2017
    risk 0.42 · cvss 7.5 · epss 0.06

    Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

  • CVE-2017-9868 · Medium · Jun 25, 2017
    risk 0.36 · cvss 5.5 · epss 0.00

    In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.

  • CVE-2024-1023 · Medium · Mar 27, 2024
    risk 0.35 · cvss 6.5 · epss 0.02

    A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, the leak is triggered when the Vert.x HTTP client establishes connections to different hosts. The leak can be accelerated with intimate…

  • CVE-2018-12536 · Medium · Jun 27, 2018
    risk 0.35 · cvss 5.3 · epss 0.04

    In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a…

  • CVE-2017-7653 · Medium · Jun 5, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and…

  • CVE-2026-6860 · Medium · May 6, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where XYZ is a valid name can be used.

  • CVE-2025-55095 · Medium · Jan 27, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs…

  • CVE-2021-34429 · Jul 15, 2021
    risk 0.11 · cvss n/a · epss 0.99

    For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in…

  • CVE-2021-28164 · Apr 1, 2021
    risk 0.10 · cvss n/a · epss 0.82

    In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the…

  • CVE-2021-28169 · Jun 9, 2021
    risk 0.07 · cvss n/a · epss 0.78

    For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml…

  • CVE-2020-27223 · Feb 26, 2021
    risk 0.06 · cvss n/a · epss 0.78

    In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU…

  • CVE-2024-10525 · Oct 30, 2024
    risk 0.05 · cvss n/a · epss 0.58

    In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and…

  • CVE-2021-34427 · Jun 25, 2021
    risk 0.05 · cvss n/a · epss 0.58

    In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance.

  • CVE-2002-1178 · Oct 11, 2002
    risk 0.04 · cvss n/a · epss 0.09

    Directory traversal vulnerability in the CGIServlet for Jetty HTTP server before 4.1.0 allows remote attackers to execute arbitrary commands via ..\ (dot-dot backslash) sequences in an HTTP request to the cgi-bin directory.

  • CVE-2010-4647 · Jan 13, 2011
    risk 0.03 · cvss n/a · epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.

  • CVE-2008-7271 · Jan 13, 2011
    risk 0.03 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2)…

  • CVE-2009-4612 · Jan 13, 2010
    risk 0.03 · cvss n/a · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) jspsnoop/, (2) jspsnoop/ERROR/, and (3)…

  • CVE-2009-4610 · Jan 13, 2010
    risk 0.03 · cvss n/a · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to jsp/dump.jsp in the JSP Dump feature, or the (2) Name or (3) Value parameter to the default URI for the…

  • CVE-2009-4521 · Dec 31, 2009
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.

  • CVE-2006-2758 · Jun 2, 2006
    risk 0.03 · cvss n/a · epss 0.04

    Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (encoded ../) in the URL. NOTE: this might be the same issue as CVE-2005-3747.

  • CVE-2005-3747 · Nov 22, 2005
    risk 0.03 · cvss n/a · epss 0.04

    Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.
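Several of the Jetty entries above (CVE-2017-7658 on duplicate Content-Length and Content-Length combined with Transfer-Encoding, CVE-2017-7657 on chunk-size integer overflow, CVE-2026-2332 on chunk extensions) are all failures of HTTP/1.1 body framing. The following is an added example, not Jetty's parser or any other project's code, of the strict framing policy a front end or hardened server should apply: refuse every ambiguous combination instead of choosing one reading. The request heads are constructed for the example, and the chunk-size cap and the decision to refuse chunk extensions outright (rather than ignore them as RFC 7230 permits) are this example's assumptions.

```python
"""Strict HTTP/1.1 request framing checks (added example, not Jetty code)."""
import re

MAX_CHUNK_SIZE = 1 << 24  # assumption: 16 MiB per chunk is plenty for this example
# hex digits (at most 8, so no 32-bit overflow), CRLF, and nothing else on the line
CHUNK_SIZE_LINE = re.compile(rb"\A([0-9A-Fa-f]{1,8})\r\n\Z")


class FramingError(ValueError):
    """Raised for any request whose body length is not unambiguous."""


def parse_head(raw: bytes):
    """Split a raw request head into (request_line, [(name, value), ...]).
    Header names are lower-cased; values lose surrounding whitespace."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            # no colon, empty name, or whitespace around the name (obs-fold bait)
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.lower().decode("ascii"), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers


def body_framing(headers):
    """Return ('chunked', None), ('content-length', n) or ('none', 0).
    Any combination two parsers could read differently raises FramingError."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        raise FramingError("Content-Length and Transfer-Encoding present together")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        # only a single 'chunked' coding is accepted: 'chunked, chunked',
        # 'xchunked' or 'chunked, gzip' are all refused
        if codings != ["chunked"]:
            raise FramingError(f"unsupported Transfer-Encoding {codings}")
        return ("chunked", None)
    if len(cls) > 1:
        # stricter than RFC 7230, which tolerates identical duplicates; here any
        # duplicate is treated as an attempt to desynchronise two parsers
        raise FramingError(f"duplicate Content-Length {cls}")
    if cls:
        if not re.fullmatch(r"[0-9]{1,15}", cls[0]):
            raise FramingError(f"bad Content-Length value {cls[0]!r}")
        return ("content-length", int(cls[0]))
    return ("none", 0)


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line. At most 8 hex digits are read and a cap is applied,
    so the value cannot overflow a fixed-width accumulator; anything after the digits
    (an extension ';name=value', trailing space, bare LF) is refused."""
    m = CHUNK_SIZE_LINE.match(line)
    if not m:
        raise FramingError(f"refused chunk-size line {line!r}")
    size = int(m.group(1), 16)
    if size > MAX_CHUNK_SIZE:
        raise FramingError(f"chunk size {size:#x} exceeds limit")
    return size


def chunk_size_or_none(line: bytes):
    """Convenience wrapper: the parsed size, or None when the line is refused."""
    try:
        return parse_chunk_size(line)
    except FramingError:
        return None


def classify(raw: bytes) -> str:
    """One-line verdict for a raw request head: 'ok: <mode>' or 'reject: <reason>'."""
    try:
        mode, length = body_framing(parse_head(raw)[1])
    except FramingError as exc:
        return f"reject: {exc}"
    return f"ok: {mode}" + (f" {length}" if mode == "content-length" else "")


if __name__ == "__main__":
    # constructed request heads, not captured traffic
    for head in (b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello",
                 b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\n",
                 b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"):
        print(classify(head))
    for line in (b"5\r\n", b"FFFFFFFFF\r\n", b"5;ext=1\r\n", b"5\n"):
        print(line, "->", chunk_size_or_none(line))
```

The useful property of this policy is that it never needs to agree with the next hop about which header wins: a request that would require such agreement is dropped at the first parser that sees it.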
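The WEB-INF and traversal entries above (CVE-2021-28164's `%2e` segment, CVE-2021-28169's and CVE-2021-34429's double encoding, CVE-2016-4800's and CVE-2006-2758's encoded backslashes, CVE-2002-1178's `..\` sequences) all depend on a security constraint being matched against a path that is canonicalised differently from the path the file-serving layer finally uses. As an added example, not Jetty code, the following canonicalises a request target the way a detection layer should before any constraint is evaluated. The bound on decoding rounds and the set of protected directory names are assumptions for this example; the request targets are constructed from the advisories, not captured traffic.

```python
"""Canonicalise request targets before matching security constraints (added example)."""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3                      # assumption: enough to unwrap double encoding
PROTECTED_DIRS = {"WEB-INF", "META-INF"}   # assumption: the servlet-spec private directories


def fully_decode(target: str) -> str:
    """Percent-decode until stable, so '%2557EB-INF' -> '%57EB-INF' -> 'WEB-INF'.
    A server decodes once; decoding further finds targets crafted so that the
    decoded-once form still hides the real path."""
    s = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalise_segments(path: str):
    """Resolve '.', '..' and backslash separators. Returns (segments, escaped_root)."""
    escaped = False
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True  # more '..' than directories: left the document root
            continue
        segments.append(seg)
    return segments, escaped


def classify_target(target: str) -> str:
    """'traversal', 'protected' or 'ok' for a request path (query string dropped).
    The comparison is case-insensitive because the Windows-specific bypasses rely
    on the file system ignoring case."""
    path = target.split("?", 1)[0]
    segments, escaped = normalise_segments(fully_decode(path))
    if escaped:
        return "traversal"
    if any(seg.upper() in PROTECTED_DIRS for seg in segments):
        return "protected"
    return "ok"


if __name__ == "__main__":
    for t in ("/context/%2e/WEB-INF/web.xml", "/%2557EB-INF/web.xml",
              "/static/%2e%2e%5cWEB-INF/web.xml", "/%2e%2e/%2e%2e/etc/passwd",
              "/context/index.html"):
        print(f"{t:40} {classify_target(t)}")
```

Two caveats. A legitimate client never needs to percent-encode a dot or a slash, so "protected" or "traversal" on a decoded-twice path is a strong signal even where the server itself would have decoded only once. And for endpoints that take paths as query values (the ConcatServlet case in CVE-2021-28169, `/concat?/%2557EB-INF/web.xml`), each query value must be passed through `classify_target` as well, since the function above deliberately drops the query string.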
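CVE-2017-9735 above is a timing channel in a password comparison: a compare that returns at the first mismatching character takes longer to reject a guess whose leading characters are right. Wall-clock measurements are noisy, so the added example below (not Jetty's `Password.java` or any project's code) counts comparison steps instead, which is exactly the quantity the timing reveals, and shows how those counts let an attacker recover a secret one character at a time. The hardened comparison uses `hmac.compare_digest`, whose running time does not depend on where the inputs differ. The secret and alphabet are constructed for the example.

```python
"""Early-exit versus constant-time password comparison (added example)."""
import hmac


def leaky_equals(expected: str, supplied: str):
    """Early-exit comparison. Returns (matched, steps); steps leaks the matching prefix."""
    steps = 0
    if len(expected) != len(supplied):
        return False, steps              # length alone already leaks in this variant
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_equals(expected: str, supplied: str) -> bool:
    """Position-independent comparison: the same work is done for every input pair."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def recover_by_steps(expected: str, alphabet: str) -> str:
    """What the channel gives an attacker: extend the guess one character at a time,
    keeping the candidate whose rejection took the most steps. This works only against
    leaky_equals; constant_time_equals exposes no step count to rank candidates by."""
    guess = ""
    width = len(expected)
    while len(guess) < width:
        best_char, best_steps = None, -1
        for ch in alphabet:
            candidate = (guess + ch).ljust(width, alphabet[0])
            matched, steps = leaky_equals(expected, candidate)
            if matched:
                return candidate
            if steps > best_steps:
                best_char, best_steps = ch, steps
        guess += best_char
    return guess


if __name__ == "__main__":
    secret = "s3cret"  # constructed
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("recovered:", recover_by_steps(secret, alphabet))
    print("constant-time:", constant_time_equals(secret, "s3cret"),
          constant_time_equals(secret, "s3cxxx"))
```

The recovery loop needs at most `len(alphabet) * len(secret)` attempts instead of `len(alphabet) ** len(secret)`, which is the whole difference between a credential-stuffing nuisance and a practical offline attack; rate limiting helps, but only a comparison with no data-dependent early exit closes the channel.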
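CVE-2017-7650 above is a neat illustration of why identity strings must never flow into a matching language unescaped: Mosquitto's pattern ACLs substitute `%u` (username) and `%c` (client id) into a topic filter before matching, so a client whose username is `#` or `+` turns its own ACL line into a wildcard over other users' topics. The added example below is not Mosquitto code; it implements the MQTT 3.1.1 filter-matching rules for `+` and `#`, the substitution, the vulnerable check, and a hardened check that refuses identities containing wildcard or separator characters. That refusal is this example's fix and is consistent with what the advisory describes for 1.4.12, but the real broker's configuration syntax and fix are not reproduced here. The ACL lines and clients are constructed.

```python
"""Pattern-based MQTT ACLs and the '#'/'+' identity bypass (added example)."""


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches exactly one level, '#' the rest of the topic."""
    f_parts, t_parts = filt.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def expand_pattern(pattern: str, username: str, client_id: str) -> str:
    """Substitute %u and %c the way a line 'pattern readwrite devices/%u/#' is expanded."""
    return pattern.replace("%u", username).replace("%c", client_id)


def acl_allows_vulnerable(patterns, username, client_id, topic) -> bool:
    """Checks the topic against every expanded pattern, trusting the identity blindly.
    With username '#', 'devices/%u/#' becomes 'devices/#/#' and matches everything."""
    return any(topic_matches(expand_pattern(p, username, client_id), topic)
               for p in patterns)


WILDCARD_CHARS = set("+#/")


def acl_allows_fixed(patterns, username, client_id, topic) -> bool:
    """Same check, but an identity that would act as a wildcard or add a topic level is
    refused before substitution, so it can never widen the filter."""
    for ident in (username, client_id):
        if not ident or WILDCARD_CHARS & set(ident):
            return False
    return acl_allows_vulnerable(patterns, username, client_id, topic)


if __name__ == "__main__":
    acl = ["devices/%u/#", "clients/%c/status"]  # constructed ACL patterns
    for user, cid in (("bob", "c1"), ("#", "c1"), ("+", "c1")):
        print(f"user={user!r} client={cid!r} reads devices/alice/secret:",
              "vulnerable", acl_allows_vulnerable(acl, user, cid, "devices/alice/secret"),
              "fixed", acl_allows_fixed(acl, user, cid, "devices/alice/secret"))
```

The same shape recurs whenever a principal-controlled string is interpolated into a pattern (LDAP filters, glob-based authorisation, regex allow-lists): validate or escape the identity before substitution, and reject rather than sanitise when the identity has no legitimate reason to contain metacharacters.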
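CVE-2023-44487 (HTTP/2 Rapid Reset) above is the one entry on this page flagged as exploited in the wild. The attack opens streams and immediately cancels them with RST_STREAM; because a cancelled stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, the per-connection stream limit never triggers while the server keeps doing the work of starting each request. A server-side mitigation therefore has to count resets, not open streams. The following is an added example, not code from any Eclipse project, of a per-connection sliding-window reset counter over a constructed frame log; the threshold and window are assumptions chosen for the example, not tuned values.

```python
"""Sliding-window detector for HTTP/2 Rapid Reset (added example)."""
from collections import defaultdict, deque


class RapidResetGuard:
    """Tracks RST_STREAM timestamps per connection and flags abusive rates."""

    def __init__(self, max_resets: int = 100, window_seconds: float = 1.0):
        self.max_resets = max_resets      # assumption: resets tolerated per window
        self.window = window_seconds
        self._resets = defaultdict(deque)  # conn_id -> timestamps of RST_STREAM frames

    def observe(self, conn_id: str, ts: float, frame_type: str) -> bool:
        """Feed one frame; return True when the connection should be closed."""
        if frame_type != "RST_STREAM":
            return False
        q = self._resets[conn_id]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()               # drop resets that fell out of the window
        return len(q) > self.max_resets

    def forget(self, conn_id: str) -> None:
        """Release state when a connection closes, so the table cannot grow unbounded."""
        self._resets.pop(conn_id, None)


def first_abusive_frame(frames, max_resets: int = 100, window_seconds: float = 1.0):
    """Run the guard over an iterable of (conn_id, ts, frame_type) tuples and return
    the index of the frame at which some connection crosses the threshold, or None."""
    guard = RapidResetGuard(max_resets, window_seconds)
    for i, (conn, ts, ftype) in enumerate(frames):
        if guard.observe(conn, ts, ftype):
            return i
    return None


def synthetic_frames(conn_id: str, n_streams: int, interval: float, start: float = 0.0):
    """Constructed frame log: HEADERS immediately followed by RST_STREAM for each
    stream, which is the Rapid Reset pattern at a given inter-stream interval."""
    frames = []
    for k in range(n_streams):
        t = start + k * interval
        frames.append((conn_id, t, "HEADERS"))
        frames.append((conn_id, t, "RST_STREAM"))
    return frames


if __name__ == "__main__":
    attack = synthetic_frames("attacker", 200, 0.001)   # 1000 resets/s
    benign = synthetic_frames("benign", 200, 0.05)      # 20 resets/s
    print("attack flagged at frame", first_abusive_frame(attack))
    print("benign flagged at frame", first_abusive_frame(benign))
```

Real servers apply this as a per-connection penalty (close the connection, or stop accepting new streams on it) rather than as a global limit, so that one abusive client cannot cause the defence itself to shed legitimate traffic; the counter above is the primitive that decision sits on.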
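Two entries above are authorisation checks that looked at a token without checking the claims that matter: CVE-2024-8642, where the token's expiry, not-before and issuance date were not validated, and CVE-2026-6272, where a token carrying only a read scope was enough to register as a signal provider. The added example below is not code from Eclipse Dataspace Components or Eclipse Kuksa; it is the claim-set validation a resource server should run after signature verification, covering the three temporal claims and a per-operation scope requirement. Claim names follow RFC 7519; the scope names, the operations, the clock-skew leeway and the maximum token age are assumptions for this example, and the claim sets are constructed.

```python
"""Temporal and scope validation of a verified token's claim set (added example)."""
import time

LEEWAY_SECONDS = 30            # assumption: clock skew tolerated between issuer and verifier
MAX_TOKEN_AGE_SECONDS = 3600   # assumption: refuse old tokens even when 'exp' is far off

# assumption: the scope each operation needs; 'provide' must never be implied by 'read'
REQUIRED_SCOPE = {"read_signal": "read", "provide_signal": "provide", "pull_transfer": "transfer"}


class TokenRejected(Exception):
    """Raised with a human-readable reason whenever a claim check fails."""


def check_temporal_claims(claims: dict, now=None) -> None:
    """Require numeric exp and iat, honour nbf if present, and bound the token's age."""
    now = time.time() if now is None else now
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), (int, float)):
            raise TokenRejected(f"missing or non-numeric claim {name}")
    if now > claims["exp"] + LEEWAY_SECONDS:
        raise TokenRejected("token expired")
    if "nbf" in claims and now + LEEWAY_SECONDS < claims["nbf"]:
        raise TokenRejected("token not yet valid")
    if claims["iat"] > now + LEEWAY_SECONDS:
        raise TokenRejected("token issued in the future")
    if now - claims["iat"] > MAX_TOKEN_AGE_SECONDS:
        raise TokenRejected("token too old")


def check_scope(claims: dict, required: str) -> None:
    """'scope' is a space-separated list. Having some scope is not enough; the
    scope for this operation must itself be present."""
    granted = set(str(claims.get("scope", "")).split())
    if required not in granted:
        raise TokenRejected(f"scope {required!r} not granted (have {sorted(granted)})")


def authorise(claims: dict, operation: str, now=None) -> str:
    """Run every check for an operation. Returns 'allow' or 'deny: <reason>' so the
    caller can log the reason without catching exceptions."""
    if operation not in REQUIRED_SCOPE:
        return f"deny: unknown operation {operation!r}"
    try:
        check_temporal_claims(claims, now)
        check_scope(claims, REQUIRED_SCOPE[operation])
    except TokenRejected as exc:
        return f"deny: {exc}"
    return "allow"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    reader = {"iat": now - 60, "nbf": now - 60, "exp": now + 600, "scope": "read"}
    print("read   ->", authorise(reader, "read_signal", now))
    print("provide->", authorise(reader, "provide_signal", now))
    print("expired->", authorise(dict(reader, exp=now - 120), "read_signal", now))
```

The age bound on `iat` is the check most often left out: a token with a distant `exp` and a valid signature is still a liability if it was minted long ago and has since leaked, and `exp` alone says nothing about that.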

Page 1 of 5