CVE-2026-40557 (GCVE-0-2026-40557)
Vulnerability from cvelistv5 – Published: 2026-04-27 13:12 – Updated: 2026-04-30 15:21
Title
Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections
Summary
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter
Versions Affected: from 2.6.3 to 2.8.6
Description:
In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.
The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.
Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.
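The difference between a JVM-wide and a per-connection TLS context, as an added example (not code from Apache Storm or from the advisory): it contrasts the SSLContext.setDefault() pattern described above with a context that validates against a truststore and is attached to a single connection. The class name, method names and PushGateway URL are hypothetical.

```java
import java.io.File;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration; all names here are hypothetical, not Storm's source.
public class TlsScopeDemo {

    // Trust manager of the kind the advisory describes: both checks are empty,
    // so every certificate chain is accepted.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Flawed pattern: the trust-all context becomes the JVM default, so every
    // library that calls SSLContext.getDefault() afterwards inherits it.
    static SSLContext installGlobally() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        SSLContext.setDefault(ctx);
        return ctx;
    }

    // Scoped pattern: a context that validates against the given truststore
    // (null means the JVM's default trust anchors).
    static SSLContext validatingContext(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Attaches the context to one connection only; nothing global is touched.
    static HttpsURLConnection openScoped(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Optional arguments: <truststore file> <password>, e.g. a store that
        // holds the PushGateway certificate.
        KeyStore trustStore = args.length == 2
                ? KeyStore.getInstance(new File(args[0]), args[1].toCharArray())
                : null;
        SSLContext original = SSLContext.getDefault();

        // openConnection() does not contact the (placeholder) host.
        HttpsURLConnection conn = openScoped(
                "https://pushgateway.example.invalid:9091/metrics",
                validatingContext(trustStore));
        System.out.println("scoped connection to " + conn.getURL().getHost()
                + ", JVM default unchanged: " + (SSLContext.getDefault() == original));

        SSLContext insecure = installGlobally();
        System.out.println("after setDefault, JVM default is the trust-all context: "
                + (SSLContext.getDefault() == insecure));

        SSLContext.setDefault(original); // restore the validating default
    }
}
```

Searching a code base or its dependencies for calls to SSLContext.setDefault and HttpsURLConnection.setDefaultSSLSocketFactory is a quick way to find the same process-wide side effect elsewhere.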
Severity
No CVSS data available.
CWE
- CWE-295 - Improper Certificate Validation
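Assigner
apache
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/04/25/2 | |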
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Storm Prometheus Reporter | Affected: 2.6.3, < 2.8.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-27T13:36:44.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/25/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:58:23.511144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T15:21:01.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2/",
"defaultStatus": "unaffected",
"packageName": "org.apache.storm:storm-metrics-prometheus",
"product": "Apache Storm Prometheus Reporter",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.8.7",
"status": "affected",
"version": "2.6.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "K"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter\n\n\nVersions Affected: from 2.6.3 to 2.8.6\n\n\nDescription:\u00a0\n\nIn production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation\u00a0(by default it is disabled)\u00a0intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon.\n\n\nThe PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM\u0027s default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration \u2192 PrometheusPreparableReporter.prepare() \u2192 INSECURE_CONNECTION_FACTORY \u2192 SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials.\n\n\n\n\nMitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. 
Prometheus Metrics Reporter Users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway\u0027s certificate."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:12:11.118Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-40557",
"datePublished": "2026-04-27T13:12:11.118Z",
"dateReserved": "2026-04-14T11:20:51.218Z",
"dateUpdated": "2026-04-30T15:21:01.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-40557",
"date": "2026-05-03",
"epss": "0.0002",
"percentile": "0.05582"
}
}
}