Redhat Jboss_enterprise_application_platform_expansion_pack
17 CVEs affecting Redhat Jboss_enterprise_application_platform_expansion_pack. Latest disclosed: 2026-03-27. Critical: 1, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-12543 | Critical | 9.6 | 2026-01-07 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly val… |
| CVE-2026-28369 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the r… |
| CVE-2026-28368 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by… |
| CVE-2026-28367 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request s… |
| CVE-2026-3009 | High | 8.1 | 2026-03-05 | A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it… |
| CVE-2025-9784 | High | 7.5 | 2025-09-02 | A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to a… |
| CVE-2023-1108 | High | 7.5 | 2023-09-14 | A flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the lo… |
| CVE-2022-1278 | High | 7.5 | 2022-09-13 | A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. |
| CVE-2022-0853 | High | 7.5 | 2022-03-11 | A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to in… |
| CVE-2023-4503 | Medium | 6.8 | 2024-02-06 | An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured… |
| CVE-2026-3121 | Medium | 6.5 | 2026-03-26 | A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-p… |
| CVE-2026-3260 | Medium | 5.9 | 2026-03-24 | A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the… |
| CVE-2026-4366 | Medium | 5.8 | 2026-03-18 | A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client config… |
| CVE-2025-5731 | Medium | 5.5 | 2025-06-26 | A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command… |
| CVE-2021-3642 | Medium | 5.3 | 2021-08-05 | A flaw was found in WildFly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to… |
| CVE-2021-20250 | Medium | 4.3 | 2021-05-13 | A flaw was found in WildFly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deplo… |
| CVE-2026-4874 | Low | 3.1 | 2026-03-26 | A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter duri… |