Every CVE whose affected-product data names Apache Tapestry, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (10)
CVE-2022-46366 — CVSS 9.8 (critical): Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from…
CVE-2019-0195 — CVSS 9.8 (critical): Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the…
CVE-2019-10071 — CVSS 9.8 (critical): The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the…
CVE-2020-17531 — CVSS 9.8 (critical): A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even…
CVE-2021-27850 — CVSS 9.8 (critical): A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions…
CVE-2014-1972 — CVSS 7.8 (high): Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows…
CVE-2022-31781 — CVSS 7.5 (high): Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types…
CVE-2019-0207 — CVSS 7.5 (high): Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter…
CVE-2021-30638 — CVSS 7.5 (high): Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if…
CVE-2020-13953 — CVSS 5.3 (medium): In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being…