Every CVE whose affected-product data names Apache Shiro, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (24)
CVE-2020-1957 — CVSS 9.8 (critical): Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication…
CVE-2023-34478 — CVSS 9.8 (critical): Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when…
CVE-2022-40664 — CVSS 9.8 (critical): Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.
CVE-2022-32532 — CVSS 9.8 (critical): Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using…
CVE-2020-11989 — CVSS 9.8 (critical): Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication…
CVE-2021-41303 — CVSS 9.8 (critical): Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass…
CVE-2020-17510 — CVSS 9.8 (critical): Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVE-2020-17523 — CVSS 9.8 (critical): Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVE-2026-49268 — CVSS 9.1 (critical): A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied…
CVE-2019-12422 — CVSS 7.5 (high): Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2020-13933 — CVSS 7.5 (high): Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
CVE-2016-6802 — CVSS 7.5 (high): Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet…
CVE-2023-22602 — CVSS 7.5 (high): When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass…
CVE-2014-0074 — CVSS 7.5 (high): Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass…
CVE-2026-43828 — CVSS 6.5 (medium): Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro…
CVE-2023-46749 — CVSS 6.5 (medium): Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when…
CVE-2026-43827 — CVSS 6.5 (medium): Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and…
CVE-2023-46750 — CVSS 6.1 (medium): URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to…
CVE-2026-44598 — CVSS 5.4 (medium): With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in…
CVE-2026-48589 — CVSS 5.4 (medium): Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected…
CVE-2026-23903 — CVSS 5.3 (medium): Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended…
CVE-2010-3863 — CVSS 5.0 (medium): Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file…
CVE-2026-23901 — CVSS 2.5 (low): Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are…