CVEFinder.io

CVE-2021-39145

⚠️ high
Summary

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

CVSS Score
8.5
High
EPSS Score
0.5
Exploit Probability
Published Date
2021-08-23
First Seen: 2026-01-05
Last Modified 2025-05-23
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-434 CWE-502

🔗 References 22

https://github.com/x-stream/xstream/security/advisor...
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09...
Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://security.netapp.com/advisory/ntap-20210923-0...
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://x-stream.github.io/CVE-2021-39145.html
Vendor Advisory
https://github.com/x-stream/xstream/security/advisor...
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/09...
Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://lists.fedoraproject.org/archives/list/packag...
Mailing List
https://security.netapp.com/advisory/ntap-20210923-0...
Third Party Advisory
https://www.debian.org/security/2021/dsa-5004
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Patch Third Party Advisory
https://x-stream.github.io/CVE-2021-39145.html
Vendor Advisory

📦 Affected Products 35

Vendor Product Status Affected Versions
debian debian_linux Affected
v10.0
debian debian_linux Affected
v11.0
debian debian_linux Affected
v9.0
fedoraproject fedora Affected
v33
fedoraproject fedora Affected
v34
fedoraproject fedora Affected
v35
oracle retail_xstore_point_of_service Affected
v16.0.6
oracle retail_xstore_point_of_service Affected
v17.0.4
oracle retail_xstore_point_of_service Affected
v18.0.3
oracle retail_xstore_point_of_service Affected
v19.0.2
oracle retail_xstore_point_of_service Affected
v20.0.1
oracle webcenter_portal Affected
v12.2.1.3.0
oracle webcenter_portal Affected
v12.2.1.4.0
netapp snapmanager Affected
v-
oracle utilities_framework Affected
v4.2.0.2.0
oracle utilities_framework Affected
v4.2.0.3.0
oracle utilities_framework Affected
v4.3.0.1.0
oracle utilities_framework Affected
v4.3.0.6.0
oracle utilities_framework Affected
v4.4.0.0.0
oracle utilities_framework Affected
v4.4.0.2.0
oracle utilities_framework Affected
v4.4.0.3.0
oracle communications_unified_inventory_management Affected
v7.3.4
oracle communications_unified_inventory_management Affected
v7.3.5
oracle communications_unified_inventory_management Affected
v7.4.0
oracle communications_unified_inventory_management Affected
v7.4.1
oracle communications_unified_inventory_management Affected
v7.4.2
oracle commerce_guided_search Affected
v11.3.2
oracle communications_billing_and_revenue_management_elastic_charging_engine Affected
v11.3
oracle communications_billing_and_revenue_management_elastic_charging_engine Affected
v12.0
oracle business_activity_monitoring Affected
v12.2.1.4.0
oracle communications_cloud_native_core_policy Affected
v1.14.0
oracle utilities_testing_accelerator Affected
v6.0.0.1.1
oracle communications_cloud_native_core_binding_support_function Affected
v1.10.0
oracle communications_cloud_native_core_automated_test_suite Affected
v1.9.0
xstream xstream Affected
< 1.4.18

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-68670 ⛔ critical 9.1 0.3 xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerabi... 2026-01-27
CVE-2026-24061 ⛔ critical 9.8 29.6 telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment ... 2026-01-21
CVE-2026-21924 🔶 medium 5.4 0.0 Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General... 2026-01-20
CVE-2025-6966 🔶 medium 5.5 0.0 NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause ... 2025-12-05
CVE-2025-63498 🔶 medium 6.1 0.1 alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. 2025-11-24
CVE-2025-64512 ⚠️ high 8.6 0.1 Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documen... 2025-11-10
These CVEs affect the same products