
Overview

  • Apache Software Foundation
  • Apache Tomcat

Published: 19 Sep 2017
Updated: 21 Oct 2025

CVSS: Pending
EPSS: 94.22%

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

Apache Tomcat is far and away the most likely intended target given port 8080 and the Java exception body content. The DefaultServlet with readonly=false in web.xml is the textbook case (CVE-2017-12615, CVE-2017-12617). Eclipse Jetty can also expose similar behavior if its DefaultServlet or WebDAV module is configured to allow PUT writes. Apache TomEE, being Tomcat-based with Jakarta EE extensions, inherits all of the same misconfigurations. (5/15)


Overview

  • @react-native-community/cli-server-api

Published: 03 Nov 2025
Updated: 06 Feb 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 6.95%

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

The latest update for #Indusface includes "CVE-2025-11953 – Metro4Shell RCE in React Native Metro Server" and "CVE-2026-22610: Angular Template Compiler XSS Vulnerability Enabling Client-Side Script Execution". #cybersecurity #infosec https://opsmtrs.com/3ySs2VF