org.apache.shiro:shiro-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.apache.shiro:shiro-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2020-11989 — CVSS 9.8 (critical): Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication…
CVE-2020-1957 — CVSS 9.8 (critical): Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication…
CVE-2021-41303 — CVSS 9.8 (critical): Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass…
CVE-2022-32532 — CVSS 9.8 (critical): Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using…
CVE-2022-40664 — CVSS 9.8 (critical): Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
CVE-2026-49268 — CVSS 9.1 (critical): A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied…
CVE-2019-12422 — CVSS 7.5 (high): Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2020-13933 — CVSS 7.5 (high): Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CVE-2023-46749 — CVSS 6.5 (medium): Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when…
CVE-2026-23901 — CVSS 2.5 (low): Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are…