[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-47065":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-03T20:53:27.442Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":24,"aliases":25,"duplicate_of":9,"upstream":26,"downstream":27,"duplicates":28,"related":29,"reserved_at":9,"published_at":30,"modified_at":31,"state":32,"summary":33,"references_raw":42,"kevs":49,"epss":50,"epss_history":53,"metrics":55,"affected":62},"CVE-2026-47065","ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy\n\n\nAssessment: Fully addressed.\n\n\nWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker \nfor a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc()\n is\ndispatched. JDK then calls the default \nObjectInputStream.resolveProxyClass(interfaces) implementation, which \nperforms Class.forName(intf, false, latestUserDefinedLoader()) for EACH \ninterface name and constructs the proxy class - bypassing the accepted\n classes list .\n\n\nZDRES-233: Class.forName(name, initialize=true, classLoader) in \nreadClassDescriptor Triggers Static Initialiser of Allow-Listed Classes\n\n\nAssessment: Fully addressed.\n\n\nFor ANY class on the allow-list, deserialising a stream that names it triggers the class’s \n (static initialiser) BEFORE any instance is constructed. 
This means an \nattacker who supplies a class name on the allow-list (e.g., the \ndeveloper wrote accept(\"com.myapp.*\") , attacker supplies \ncom.myapp.SomeClass ) causes \u003Cclinit> of SomeClass - and many \nreal-world classes have side-effecting static initialisers\n\n\nBoth issues have been fixed.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-502","Deserialization of Untrusted Data","The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.","weakness","Draft","Base","Medium",[20],{"id":21,"name":22,"techniques":23},"CAPEC-586","Object Injection",[],[],[],[],[],[],[],"2026-06-03T09:39:41.629Z","2026-06-03T12:46:58.145Z","Received",{"cisa_kev":34,"cisa_ransomware":34,"cisa_vendor":9,"epss_severity":35,"epss_score":36,"severity":37,"severity_score":38,"severity_version":39,"severity_source":40,"severity_vector":41,"severity_status":32},false,"low",0.00046,"critical",9.8,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",[43],{"url":44,"sources":45,"tags":47},"https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj",[40,46],"nvd",[48],"Vendor Advisory",[],{"date":51,"score":36,"percentile":52},"2026-06-03",0.14545,[54],{"date":51,"score":36,"percentile":52},[56,60],{"source":40,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":57,"cvss_v4_0":9},{"baseScore":38,"baseSeverity":58,"vectorString":41,"impactScore":38,"exploitabilityScore":59},"CRITICAL",10,{"source":46,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":61,"cvss_v4_0":9},{"baseScore":38,"baseSeverity":58,"vectorString":41,"impactScore":38,"exploitabilityScore":59},[63],{"ecosystem":9,"name":64,"vendor":65,"product":66,"cpe_part":67,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":68},"Apache MINA","apache software foundation","apache 
mina","a",[69,76,80],{"version":70,"is_range":71,"range_type":40,"version_start":72,"version_start_type":73,"version_end":74,"version_end_type":75,"fixed_in":9},">= 2.2.0, \u003C 2.2.8",true,"2.2.0","including","2.2.8","excluding",{"version":77,"is_range":71,"range_type":40,"version_start":78,"version_start_type":73,"version_end":79,"version_end_type":75,"fixed_in":9},">= 2.1.0, \u003C 2.1.13","2.1.0","2.1.13",{"version":81,"is_range":71,"range_type":40,"version_start":82,"version_start_type":73,"version_end":83,"version_end_type":75,"fixed_in":9},">= 2.0.0, \u003C 2.0.29","2.0.0","2.0.29"]