GHSA-64xx-cq4q-mf44 · Severity: high · Ecosystem: maven — XStream is vulnerable to an Arbitrary Code Execution attack
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Conclusion & alert: CVE-2021-39139 is rated Moderate Risk (59.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.74%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-09 | 0.84% | 0.74% | -0.10% |
| 2 | 2026-02-25 | 0.87% | 0.84% | -0.02% |
| 3 | 2026-02-18 | — | 0.87% | — |
Full EPSS history (33 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.5 | 3.1 | HIGH |
|
1.8 | 6.0 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 6.5 | 2.0 | MEDIUM |
|
8.0 | 6.4 | [email protected] |
GHSA-64xx-cq4q-mf44 · Severity: high · Ecosystem: maven — XStream is vulnerable to an Arbitrary Code Execution attack
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-39139 not yet assigned priority: Debian including 1 source packages (libxstream-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-39139 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2021-39139 |
suse
|
high | CVE-2021-39139 severity important: SUSE including 247 source package names (5.0.0-beta1.2.122:xstream-1.4.18-3.14.1, 5.1.0.6.40:xstream-1.4.18-3.14.1, …), 282 product×package rows across 33 product lines (Container suse/manager/5.0/x86_64/server, Container suse/multi-linux-manager/5.1/x86_64/server, … (33 product lines)): Known Affected 231, Fixed 51. | https://www.suse.com/security/cve/CVE-2021-39139/ |
ubuntu
|
medium | CVE-2021-39139 medium priority: Ubuntu including 1 source packages (libxstream-java), 10 status rows across 10 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, trusty, upstream, xenial): not-affected 5, ignored 2, released 2, needs-triage 1. | https://ubuntu.com/security/CVE-2021-39139 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| xstream | xstream | < 1.4.18 | cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| fedoraproject | fedora | 33 | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| fedoraproject | fedora | 34 | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| netapp | snapmanager | — | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* |
| netapp | snapmanager | — | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* |
| oracle | business_activity_monitoring | 12.2.1.4.0 | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* |
| oracle | commerce_guided_search | 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_policy | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.3.4 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.3.5 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.0 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.1 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.2 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 16.0.6 | cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 17.0.4 | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 18.0.3 | cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 19.0.2 | cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 20.0.1 | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.2.0.2.0 | cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.2.0.3.0 | cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.1.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.6.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.0.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.2.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.3.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* |
| oracle | webcenter_portal | 12.2.1.3.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
| oracle | webcenter_portal | 12.2.1.4.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* |