Apache Shiro
8 CVEs affecting Apache Shiro. Latest disclosed: 2026-05-25. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2016-6802 | High | 7.5 | 2016-09-20 | Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. |
| CVE-2026-43828 | Medium | 6.5 | 2026-05-25 | Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0… |
| CVE-2026-43827 | Medium | 6.5 | 2026-05-25 | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are… |
| CVE-2026-48589 | Medium | 5.4 | 2026-05-25 | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validat… |
| CVE-2026-44598 | Medium | 5.4 | 2026-05-25 | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This i… |
| CVE-2019-12422 | | | 2019-11-18 | Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. |
| CVE-2014-0074 | | | 2014-10-06 | Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) u… |
| CVE-2010-3863 | | | 2010-11-05 | Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote att… |
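Two of the 2026 entries above (cookies issued over HTTPS without the Secure attribute, and a post-login redirect taken from an attacker-influenced Referer) can be checked from the client side without touching Shiro itself. The following is an added example written for this page, not Apache Shiro project code: it parses Set-Cookie header values and reports cookies that lack Secure, and it validates a redirect target the way a login handler should before honouring it. The Set-Cookie lines and redirect targets are constructed sample input, not captured from a real host; the function names are this example's own.

```python
"""Client-side checks for two issue classes from the CVE table above.

Added example, not Apache Shiro code. The Set-Cookie values and redirect
targets below are constructed sample input, not captured from a real host.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, SameSite, ...) to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(set_cookie_headers, over_https=True):
    """Return names of cookies set over HTTPS without the Secure attribute.

    Over plain HTTP the attribute cannot be expected, so nothing is reported.
    """
    if not over_https:
        return []
    return [
        c["name"]
        for c in map(parse_set_cookie, set_cookie_headers)
        if "secure" not in c["attrs"]
    ]


def is_safe_post_login_redirect(target: str) -> bool:
    """Accept only a same-origin, path-absolute redirect target.

    Rejects absolute URLs (any scheme), scheme-relative //host forms,
    backslash variants that browsers normalise to //, relative paths and
    empty strings: the shapes an attacker controls when a Referer header
    or request parameter is trusted for the post-login redirect.
    """
    if not target:
        return False
    # Browsers treat "\" like "/" in the authority position; normalise first.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    return True


# Constructed sample response headers (not from a real Shiro deployment).
SAMPLE_SET_COOKIE = [
    "JSESSIONID=3F2A; Path=/; HttpOnly",
    "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT",
    "csrf=abc; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    print("cookies without Secure:", cookies_missing_secure(SAMPLE_SET_COOKIE))
    for t in ["/account", "https://evil.example/", "//evil.example/", "/\\evil.example/"]:
        print(repr(t), "->", "allow" if is_safe_post_login_redirect(t) else "reject")
```

On the server side the cookie half is a configuration matter: Shiro's SimpleCookie carries a secure flag, so for the session cookie a line such as `sessionManager.sessionIdCookie.secure = true` in the `[main]` section of shiro.ini sets it (the property path assumes the default DefaultWebSessionManager); the redirect half has to be enforced in whatever code chooses the post-login target, not in the filter chain.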