GHSA-j9h8-phrw-h4fh · Severity: high · Ecosystem: maven — XStream is vulnerable to a Remote Command Execution attack
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Conclusion & alert: CVE-2021-39144 is rated Critical Active Threat (93.6/100): CVSS High severity, with high exploitation likelihood (EPSS 98.12%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2023-03-10) affecting XStream / XStream. a weakness (CWE-306) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: XStream Remote Code Execution Vulnerability · CISA KEV detail
: 2023-03-10
: 2023-03-31
: Apply updates per vendor instructions.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-03 | 98.51% | 98.12% | -0.39% |
| 2 | 2026-06-15 | 94.25% | 98.51% | +4.25% |
| 3 | 2026-03-10 | — | 94.25% | — |
Full EPSS history (46 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.5 | 3.1 | HIGH |
|
1.8 | 6.0 | [email protected] |
| 8.5 | 3.1 | HIGH |
|
1.8 | 6.0 | [email protected] |
| 6.0 | 2.0 | MEDIUM |
|
6.8 | 6.4 | [email protected] |
GHSA-j9h8-phrw-h4fh · Severity: high · Ecosystem: maven — XStream is vulnerable to a Remote Command Execution attack
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-39144 not yet assigned priority: Debian including 1 source packages (libxstream-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-39144 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2021-39144 |
suse
|
high | CVE-2021-39144 severity important: SUSE including 247 source package names (5.0.0-beta1.2.122:xstream-1.4.18-3.14.1, 5.1.0.6.40:xstream-1.4.18-3.14.1, …), 282 product×package rows across 33 product lines (Container suse/manager/5.0/x86_64/server, Container suse/multi-linux-manager/5.1/x86_64/server, … (33 product lines)): Known Affected 231, Fixed 51. | https://www.suse.com/security/cve/CVE-2021-39144/ |
ubuntu
|
medium | CVE-2021-39144 medium priority: Ubuntu including 1 source packages (libxstream-java), 10 status rows across 10 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, trusty, upstream, xenial): not-affected 5, ignored 2, released 2, needs-triage 1. | https://ubuntu.com/security/CVE-2021-39144 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| xstream | xstream | < 1.4.18 | cpe:2.3:a:xstream:xstream:*:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| fedoraproject | fedora | 33 | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| fedoraproject | fedora | 34 | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| netapp | snapmanager | — | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:* |
| netapp | snapmanager | — | cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:* |
| oracle | business_activity_monitoring | 12.2.1.4.0 | cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:* |
| oracle | commerce_guided_search | 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 11.3 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | 12.0 | cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 | cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 1.10.0 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_policy | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.3.4 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.3.5 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.0 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.1 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:* |
| oracle | communications_unified_inventory_management | 7.4.2 | cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 16.0.6 | cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 17.0.4 | cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 18.0.3 | cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 19.0.2 | cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:* |
| oracle | retail_xstore_point_of_service | 20.0.1 | cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.2.0.2.0 | cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.2.0.3.0 | cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.1.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.3.0.6.0 | cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.0.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.2.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:* |
| oracle | utilities_framework | 4.4.0.3.0 | cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* |
| oracle | webcenter_portal | 12.2.1.3.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
| oracle | webcenter_portal | 12.2.1.4.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* |