Infinispan

This hub aggregates every CVE we track for Infinispan, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 13 most recently published vulnerabilities affecting Infinispan.

• CVE-2025-5731Infinispan: credential leakage in infinispan cli5.5Jun 26, 2025
• CVE-2025-0736Org.infinispan-infinispan-parent: exposure of sensitive information in application logs5.5Jan 28, 2025
• CVE-2023-5236Infinispan: circular reference on marshalling leads to dos4.4Dec 18, 2023
• CVE-2023-5384Infinispan: credentials returned from configuration as clear text7.2Dec 18, 2023
• CVE-2023-3628Infispan: rest bulk ops don't check permissions6.5Dec 18, 2023
• CVE-2023-3629Infinispan: non-admins should not be able to get cache config via rest api4.3Dec 18, 2023
• CVE-2020-25711A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication c...6.5Dec 3, 2020
• CVE-2019-10158A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.9.8Jan 2, 2020
• CVE-2019-10174A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispa...8.8Nov 25, 2019
• CVE-2016-0750The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-cr...4.2Sep 11, 2018
• CVE-2017-2638It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or ...6.5Jul 16, 2018
• CVE-2018-1131Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious o...8.8May 15, 2018
• CVE-2017-15089It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object int...8.8Feb 15, 2018