Vulnerability in Micronaut-projects Micronaut-core

CVE-2026-33013

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlenc…

EPSS: 0.003 (52.5th percentile) — read the EPSS interpretation.

Affected products

Micronaut-projects Micronaut-core — versions >= 4.0.0-M1, < 4.10.16, < 3.10.5

Weakness classification (CWE)

CWE-835 — Loop with Unreachable Exit Condition (Infinite Loop)

References

https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh (x_refsource_CONFIRM)
https://github.com/micronaut-projects/micronaut-core/pull/12410 (x_refsource_MISC)
https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041b7a2c177366d4a4deb55 (x_refsource_MISC)
https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5 (x_refsource_MISC)
https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16 (x_refsource_MISC)