Your dependencies cross-checked against the OSV vulnerability database.
-
Serious GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-43515). Fix: Update that package to its patched version.
-
Serious GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-43512). Fix: Update that package to its patched version.
-
Serious GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-41293). Fix: Update that package to its patched version.
-
Serious GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-43515). Fix: Update that package to its patched version.
-
Serious GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-43512). Fix: Update that package to its patched version.
-
Serious GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-41293). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5hh8-q8hv-fr38 jackson-databind has @JsonView bypass for setterless creator properties
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54517). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
-
Worth fixing GHSA-9fxm-vc8v-hj55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54516). Fix: Update that package to its patched version.
-
Worth fixing GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.
-
Worth fixing GHSA-j3rv-43j4-c7qm jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54512). Fix: Update that package to its patched version.
-
Worth fixing GHSA-rcqc-6cw3-h962 jackson-databind has a @JsonView bypass for unwrapped creator parameters
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54518). Fix: Update that package to its patched version.
-
Worth fixing GHSA-rmj7-2vxq-3g9f jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-54513). Fix: Update that package to its patched version.
-
Worth fixing GHSA-mj4r-2hfc-f8p6 Netty Lz4FrameDecoder is vulnerable to resource exhaustion
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-42583). Fix: Update that package to its patched version.
-
Worth fixing GHSA-3qp7-7mw8-wx86 Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-44249). Fix: Update that package to its patched version.
-
Worth fixing GHSA-c653-97m9-rcg9 Netty: Wrapping plain trust manager silently disables hostname verification
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-50010). Fix: Update that package to its patched version.
-
Worth fixing GHSA-x4gw-5cx5-pgmh Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-45416). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5mp6-jrq3-r938 Apache Tomcat: LockOutRealm treats user names as case-sensitive
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-43513). Fix: Update that package to its patched version.
-
Worth fixing GHSA-fv25-8xcx-gqjc Apache Tomcat - WebSocket authentication header exposure
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-42498). Fix: Update that package to its patched version.
-
Worth fixing GHSA-gx5v-xp9w-j4cg Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-41284). Fix: Update that package to its patched version.
-
Worth fixing GHSA-c3fc-8qff-9hwx Bouncy Castle has an LDAP injection
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
A package you depend on has a known security hole (CVE-2026-0636). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5hh8-q8hv-fr38 jackson-databind has @JsonView bypass for setterless creator properties
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-54517). Fix: Update that package to its patched version.
-
Worth fixing GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
-
Worth fixing GHSA-9fxm-vc8v-hj55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-54516). Fix: Update that package to its patched version.
-
Worth fixing GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
/workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.