Shiro

This hub aggregates every CVE we track for Shiro, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Shiro.

• CVE-2026-49268Apache Shiro: LDAP DN Injection in DefaultLdapRealm9.1Jun 17, 2026
• CVE-2026-48589Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow5.4May 25, 2026
• CVE-2026-44598Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)5.4May 25, 2026
• CVE-2026-43828Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default6.5May 25, 2026
• CVE-2026-43827Apache Shiro: Session fixation: new session is not created after login by default6.5May 25, 2026
• CVE-2026-23901Apache Shiro: Brute force attack possible to determine valid user names2.5Feb 10, 2026
• CVE-2026-23903Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems5.3Feb 9, 2026
• CVE-2023-46749Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting 6.5Jan 15, 2024
• CVE-2023-46750Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro.6.1Dec 14, 2023
• CVE-2023-34478Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests.9.8Jul 24, 2023
• CVE-2023-22602Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request7.5Jan 14, 2023
• CVE-2022-40664Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher9.8Oct 12, 2022
• CVE-2022-32532Authentication Bypass Vulnerability9.8Jun 28, 2022
• CVE-2016-4437​Уязвимость реализации функции «Remember Me» фреймворка Apache Shiro, позволяющая нарушителю выполнить произвольный код или обойти ограничения безопасности8.1Nov 25, 2021
• CVE-2021-41303Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass9.8Sep 17, 2021