CVE-2026-25747

Severity: High (CVSS 3.1 base score 8.8)
EPSS: 66.3%
Published Feb 23, 2026 · Modified Jun 17, 2026

Description

Deserialization of Untrusted Data vulnerability in the Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5.
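The description's root cause is an ObjectInputStream used with no ObjectInputFilter. The following is an added illustration of what such a filter looks like; it is not Camel's code nor its fix, and the class name, allow-list contents and sample record are assumptions chosen for the example.

```java
import java.io.*;
import java.util.*;

/** Illustrative only: deserialization guarded by a class allow-list (not Camel's code). */
public final class FilteredDeserializer {

    // Hypothetical allow-list of the types the repository is expected to store.
    // Serializable superclasses (e.g. Number for Integer) must be listed as well.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.lang.Long",
        "java.util.HashMap", "java.util.ArrayList", "java.util.Date");

    // Invoked by ObjectInputStream for every class descriptor before it is resolved.
    private static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/ref callbacks
        while (c.isArray()) c = c.getComponentType();              // judge element type
        return (c.isPrimitive() || ALLOWED.contains(c.getName()))
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;   // refused before any readObject() runs
    };

    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);     // the step absent from the vulnerable pattern
            return in.readObject();
        }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> entry = new HashMap<>();      // constructed sample record
        entry.put("body", "hello");
        entry.put("count", 3);
        System.out.println(deserialize(serialize(entry))); // permitted types round-trip
        try {
            deserialize(serialize(new TreeMap<String, String>())); // type not on the list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class descriptor surfaces as an InvalidClassException before the stream instantiates anything, which is the property the unfiltered pattern in the description lacks.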

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS exploit probability: 66.3% percentile
Exploit & patch status: Public Exploit Known; No Patch Available

Weaknesses (1)

CWE-502: Deserialization of Untrusted Data

Affected Products (3)

Vendor   Product   Version   Range
apache   camel     *         ≥3.0.0  –  <4.10.9
apache   camel     *         ≥4.11.0  –  <4.14.5
apache   camel     *         ≥4.15.0  –  <4.18.0

References (3)

  • openwall.com http://www.openwall.com/lists/oss-security/2026/02/18/6
    Mailing List, Third Party Advisory
  • camel.apache.org https://camel.apache.org/security/CVE-2026-25747.html
    Vendor Advisory
  • github.com https://github.com/oscerd/CVE-2026-25747
    Exploit, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.