Apache shiro
This hub aggregates every CVE we track for Apache shiro, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
11
CVEs tracked
6
Critical
0
High
0
In CISA KEV
Severity distribution
CRITICAL6MEDIUM5
Monthly trend
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3
1
0
2024-082026-07
Latest CVEs
The 11 most recently published vulnerabilities affecting Apache shiro.
- CVE-2026-49268Apache Shiro: LDAP DN Injection in DefaultLdapRealm9.1
- CVE-2026-48589Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow5.4
- CVE-2026-43828Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default6.5
- CVE-2026-43827Apache Shiro: Session fixation: new session is not created after login by default6.5
- CVE-2023-46749Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting 6.5
- CVE-2023-46750Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.6.1
- CVE-2023-34478Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.9.8
- CVE-2022-40664Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher9.8
- CVE-2022-32532Authentication Bypass Vulnerability9.8
- CVE-2021-41303Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass9.8
- CVE-2020-11989Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.9.8
Product normalization is registry-driven with AI assist and human review. How it works