PT-2026-54850 · Unknown · Mchange-Commons-Java
4Ra1N
Published 2026-07-01 · Updated 2026-07-01
CVE-2026-55153
CVSS v3.1: 7.1 (High)
Vector: AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mchange-commons-java versions prior to 0.6.0
Description: The JNDI ObjectFactory implementation com.mchange.v2.naming.JavaBeanObjectFactory allows objects of arbitrary classes to be constructed and their JavaBean-style properties to be initialized. This enables JNDI injection and the use of deserialization gadgets (chains of existing code that are triggered while an object is deserialized). For instance, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet <link> causes an HTTP GET request to an arbitrary URL. The risk is increased by the ReferenceIndirector, which allows malicious JNDI Reference objects to be smuggled in and dereferenced when an application reads a Java-serialized object.
Recommendations: Update to version 0.6.0.
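As an added defensive example (not part of this advisory or of the mchange-commons-java project), the following Java snippet shows an ObjectInputFilter that an application can install on the ObjectInputStream it uses for untrusted bytes, so that JNDI Reference types and anything under com.mchange.v2.naming are rejected before they are instantiated, independent of the library upgrade. It assumes Java 16 or later and a hypothetical application package com.example.app; both sample objects are constructed inline.

```java
package com.example.app;   // hypothetical application package (assumption)

import java.io.*;
import javax.naming.Reference;

public class SafeDeserialize {
    // Allow-list filter, first match wins: deny the mchange naming package (home of
    // JavaBeanObjectFactory) and all JNDI Reference types, permit our own types and a
    // few java.base basics, bound the object graph, and reject everything else ("!*").
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!com.mchange.v2.naming.**;!javax.naming.**;"
        + "com.example.app.**;java.lang.*;java.util.*;"
        + "maxdepth=16;maxrefs=1000;maxbytes=65536;!*");

    // Serializable application type that the filter permits.
    public record Ticket(String id, int priority) implements Serializable {}

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed: the filter is consulted for each class
    // descriptor in the stream before it is resolved, so a denied class is never
    // instantiated and no ObjectFactory is ever consulted.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a legitimate application object passes the filter.
        System.out.println(readFiltered(serialize(new Ticket("T-1", 2))));
        // Constructed sample 2: a plain javax.naming.Reference, the carrier type the
        // advisory describes, is rejected with InvalidClassException (status REJECTED).
        try {
            readFiltered(serialize(new Reference("java.lang.String")));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A process-wide default can be set the same way with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property, which also covers streams the application does not construct itself.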

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-55153

Affected Products: Mchange-Commons-Java