Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,278
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 41 - 48 of 48 CVEs
CVE-2026-33454 CRITICAL - 9.4

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilter...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Apr 27, 2026
Source: NVD
CVE-2026-40860 CRITICAL - 9.8

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is ...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Apr 27, 2026
Source: NVD
CVE-2026-40473 HIGH - 8.8

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInp...

Vendor: Apache Software Foundation
Product: Apache Camel Mina
Published: Apr 27, 2026
Source: NVD
CVE-2026-40453 CRITICAL - 9.9

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP Header...

Vendor: Apache Software Foundation
Product: Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub
Published: Apr 27, 2026
Source: NVD
CVE-2026-40048 HIGH - 7.8

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `r...

Vendor: Apache Software Foundation
Product: Apache Camel PQC
Published: Apr 27, 2026
Source: NVD
CVE-2026-25747 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Feb 23, 2026
Source: NVD
CVE-2026-23552 CRITICAL - 9.1

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.  The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy config...

Vendor: Apache Software Foundation
Product: Apache Camel
Published: Feb 23, 2026
Source: NVD
CVE-2025-66169 MEDIUM - 5.3

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0.

Vendor: apache
Product: camel
Published: Jan 14, 2026
Source: NVD