Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-41000: CWE-294: Authentication Bypass by Capture-replay in Spring Spring Web ServicesCVE-2026-41000 0 Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:24 UTC Added: 06/11/2026, 06:46:22 UTC |
CVE-2026-40999: CWE-918: Server-Side Request Forgery (SSRF) in Spring Spring Web ServicesCVE-2026-40999 0 When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:17 UTC Added: 06/11/2026, 06:46:18 UTC |
CVE-2026-40998: CWE-611: Improper Restriction of XML External Entity Reference in Spring Spring Web ServicesCVE-2026-40998 0 Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:12 UTC Added: 06/11/2026, 06:46:18 UTC |
CVE-2026-40997: CWE-209: Generation of Error Message Containing Sensitive Information in Spring Spring Web ServicesCVE-2026-40997 0 Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:08 UTC Added: 06/11/2026, 06:46:18 UTC |
CVE-2026-40996: CWE-327: Use of a Broken or Risky Cryptographic Algorithm in Spring Spring Web ServicesCVE-2026-40996 0 Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:05 UTC Added: 06/11/2026, 06:46:18 UTC |
CVE-2026-40995: CWE-287: Improper Authentication in Spring Spring Web ServicesCVE-2026-40995 0 X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:04:01 UTC Added: 06/11/2026, 06:46:18 UTC |
CVE-2026-40994: CWE-1188: Initialization of a Resource with an Insecure Default in Spring Spring Web ServicesCVE-2026-40994 0 Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. Join the discussion | CVE Database V5 | 06/11/2026, 05:03:57 UTC Added: 06/11/2026, 06:46:18 UTC |
Showing 1 to 7 of 7 results