Shiro
This hub aggregates every CVE we track for Shiro, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
20
CVEs tracked
10
Critical
4
High
1
In CISA KEV
Severity distribution
CRITICAL10MEDIUM6HIGH4
Monthly trend
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
4
1
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Shiro.
- CVE-2026-49268Apache Shiro: LDAP DN Injection in DefaultLdapRealm9.1
- CVE-2026-48589Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow5.4
- CVE-2026-44598Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)5.4
- CVE-2026-43828Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default6.5
- CVE-2026-43827Apache Shiro: Session fixation: new session is not created after login by default6.5
- CVE-2023-46749Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting 6.5
- CVE-2023-46750Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.6.1
- CVE-2023-34478Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.9.8
- CVE-2022-40664Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher9.8
- CVE-2022-32532Authentication Bypass Vulnerability9.8
- CVE-2016-4437Уязвимость реализации функции «Remember Me» фреймворка Apache Shiro, позволяющая нарушителю выполнить произвольный код или обойти ограничения безопасности8.1
- CVE-2021-41303Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass9.8
- CVE-2020-17523Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.9.8
- CVE-2020-17510Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.9.8
- CVE-2020-13933Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.7.5
Product normalization is registry-driven with AI assist and human review. How it works