Aggregates CVE and security vulnerability intelligence across all Eclipse Foundation-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues involve various input-handling and memory-safety problems that may affect software stability and security.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-55089 | In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It could cause remote code execution after receiving a crafted sequence of packets. | [email protected] | 9.2 | 0.47% | 2025-10-16 | 2026-06-17 |
| CVE-2025-55084 | In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was an incorrect bounds check in _nx_secure_tls_proc_clienthello_supported_versions_extension() on the extension version field. | [email protected] | 6.9 | 0.30% | 2025-10-16 | 2026-06-17 |
| CVE-2025-55083 | In NetX Duo versions before 6.4.4, a component of Eclipse Foundation ThreadX, there was an incorrect bounds check resulting in an out-of-bounds read of two bytes. | [email protected] | 6.9 | 0.23% | 2025-10-15 | 2026-06-17 |
| CVE-2025-55082 | In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was a potential out of bound read in _nx_secure_tls_process_clienthello() because of a missing validation of PSK length provided in the user message. | [email protected] | 6.9 | 0.23% | 2025-10-15 | 2026-06-17 |
| CVE-2025-55081 | In Eclipse Foundation NetX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS ClientHello message fields: the ciphersuite length and the compression method length. In case of an attacker-crafted message with values outside of the expected range, it could cause an out-of-bounds read. | [email protected] | 6.9 | 0.34% | 2025-10-15 | 2026-06-17 |
| CVE-2025-55080 | In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameters verification wasn't enough, allowing an attacker to obtain an arbitrary memory read/write. | [email protected] | 7.2 | 0.13% | 2025-10-15 | 2026-06-17 |
| CVE-2025-55079 | In Eclipse ThreadX before version 6.4.3, the thread module has a setting of maximum priority. In some cases the check of that maximum priority wasn't performed, allowing, as a result, to obtain a thread with higher priority than expected and causing a possible denial of service. | [email protected] | 5.7 | 0.16% | 2025-10-15 | 2026-06-17 |
| CVE-2025-55078 | In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region. | [email protected] | 5.7 | 0.16% | 2025-10-14 | 2026-06-17 |
| CVE-2025-5115 | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-edi | [email protected] | 7.7 | 1.57% | 2025-08-20 | 2026-06-17 |
| CVE-2025-7962 | In Jakarta Mail versions prior to 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. | [email protected] | 6.0 | 0.76% | 2025-07-21 | 2026-06-23 |
| CVE-2024-9408 | In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints. | [email protected] | 8.9 | 0.30% | 2025-07-16 | 2026-06-17 |
| CVE-2024-9343 | In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks in the Administration Console. | [email protected] | 6.1 | 0.15% | 2025-07-16 | 2026-06-17 |
| CVE-2024-9342 | In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. GlassFish 8.0.3 adds automatic attack protection documented in https://glassfish.org/docs/latest/security-guide.html#brute-force-attack-protection . | [email protected] | 6.3 | 0.40% | 2025-07-16 | 2026-06-18 |
| CVE-2024-10032 | In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks in the Administration Console. | [email protected] | 6.1 | 0.19% | 2025-07-16 | 2026-06-17 |
| CVE-2024-10031 | In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. | [email protected] | 5.8 | 0.15% | 2025-07-16 | 2026-06-17 |
| CVE-2024-10029 | In Eclipse GlassFish version 7.0.15 it is possible to perform Reflected Cross-site Scripting attacks in the Administration Console. | [email protected] | 4.5 | 0.15% | 2025-07-16 | 2026-06-17 |
| CVE-2025-6705 | A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administ | [email protected] | 7.6 | 0.21% | 2025-06-27 | 2026-06-17 |
| CVE-2025-4949 | In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows storing git pack files in an Amazon S3 bucket) are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues. | [email protected] | 6.8 | 1.08% | 2025-05-21 | 2026-06-17 |
| CVE-2025-4447 | In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. | [email protected] | 7.0 | 0.23% | 2025-05-09 | 2026-06-17 |
| CVE-2025-1948 | In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. | [email protected] | 7.5 | 0.58% | 2025-05-08 | 2026-06-17 |