GHSA-92cv-wv2c-8899 · Severity: medium · Ecosystem: maven — Apache MyFaces Cross-site Scripting vulnerability
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
Conclusion & alert: CVE-2010-2086 is rated Moderate Risk (43/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.12%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 2.95% | 2.12% | -0.83% |
| 2 | 2025-10-28 | 1.30% | 2.95% | +1.65% |
| 3 | 2025-03-30 | — | 1.30% | — |
Full EPSS history (12 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.0 | 2.0 | MEDIUM |
|
4.9 | 4.9 | [email protected] |
GHSA-92cv-wv2c-8899 · Severity: medium · Ecosystem: maven — Apache MyFaces Cross-site Scripting vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2010-2086 |