CVEFinder.io

CVE-2021-39144

⚠️ high
Summary

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS Score
8.5
High
EPSS Score
94.4
Exploit Probability
Published Date
2021-08-23
First Seen: 2026-01-05
Last Modified 2025-10-24
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-94 CWE-502 CWE-306

🔗 References 25

http://packetstormsecurity.com/files/169859/VMware-N...
Exploit Third Party Advisory VDB Entry
https://github.com/x-stream/xstream/security/advisor...
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/09...
Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://security.netapp.com/advisory/ntap-20210923-0...
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://x-stream.github.io/CVE-2021-39144.html
Exploit Vendor Advisory
http://packetstormsecurity.com/files/169859/VMware-N...
Exploit Third Party Advisory VDB Entry
https://github.com/x-stream/xstream/security/advisor...
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/09...
Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/packag...
Broken Link Mailing List Release Notes
https://security.netapp.com/advisory/ntap-20210923-0...
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://x-stream.github.io/CVE-2021-39144.html
Exploit Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities...
US Government Resource

📦 Affected Products 35

Vendor Product Status Affected Versions
debian debian_linux Affected
v10.0
debian debian_linux Affected
v11.0
debian debian_linux Affected
v9.0
fedoraproject fedora Affected
v33
fedoraproject fedora Affected
v34
fedoraproject fedora Affected
v35
oracle retail_xstore_point_of_service Affected
v16.0.6
oracle retail_xstore_point_of_service Affected
v17.0.4
oracle retail_xstore_point_of_service Affected
v18.0.3
oracle retail_xstore_point_of_service Affected
v19.0.2
oracle retail_xstore_point_of_service Affected
v20.0.1
oracle webcenter_portal Affected
v12.2.1.3.0
oracle webcenter_portal Affected
v12.2.1.4.0
netapp snapmanager Affected
v-
oracle utilities_framework Affected
v4.2.0.2.0
oracle utilities_framework Affected
v4.2.0.3.0
oracle utilities_framework Affected
v4.3.0.1.0
oracle utilities_framework Affected
v4.3.0.6.0
oracle utilities_framework Affected
v4.4.0.0.0
oracle utilities_framework Affected
v4.4.0.2.0
oracle utilities_framework Affected
v4.4.0.3.0
oracle communications_unified_inventory_management Affected
v7.3.4
oracle communications_unified_inventory_management Affected
v7.3.5
oracle communications_unified_inventory_management Affected
v7.4.0
oracle communications_unified_inventory_management Affected
v7.4.1
oracle communications_unified_inventory_management Affected
v7.4.2
oracle commerce_guided_search Affected
v11.3.2
oracle communications_billing_and_revenue_management_elastic_charging_engine Affected
v11.3
oracle communications_billing_and_revenue_management_elastic_charging_engine Affected
v12.0
oracle business_activity_monitoring Affected
v12.2.1.4.0
oracle communications_cloud_native_core_policy Affected
v1.14.0
oracle utilities_testing_accelerator Affected
v6.0.0.1.1
oracle communications_cloud_native_core_binding_support_function Affected
v1.10.0
oracle communications_cloud_native_core_automated_test_suite Affected
v1.9.0
xstream xstream Affected
< 1.4.18

💣 Public Exploits 1 PRO

Loading exploit information...

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-68670 ⛔ critical 9.1 0.3 xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerabi... 2026-01-27
CVE-2026-24061 ⛔ critical 9.8 29.6 telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment ... 2026-01-21
CVE-2026-21924 🔶 medium 5.4 0.0 Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General... 2026-01-20
CVE-2025-6966 🔶 medium 5.5 0.0 NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause ... 2025-12-05
CVE-2025-63498 🔶 medium 6.1 0.1 alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. 2025-11-24
CVE-2025-64512 ⚠️ high 8.6 0.1 Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documen... 2025-11-10
These CVEs affect the same products