CVE-2026-45205

Name: CVE-2026-45205
Description: Uncontrolled Recursion vulnerability in Apache Commons. When processi ...
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1136705

Vulnerable and fixed packages

The table below lists information on source packages.

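| Source Package | Release | Version | Status |
|---|---|---|---|
| commons-configuration (PTS) | bullseye | 1.10-5 | fixed |
| commons-configuration (PTS) | bookworm | 1.10-6 | fixed |
| commons-configuration (PTS) | forky, sid, trixie | 1.10-7 | fixed |
| commons-configuration2 (PTS) | bullseye (security), bullseye | 2.8.0-1~deb11u1 | vulnerable |
| commons-configuration2 (PTS) | bookworm | 2.8.0-2 | vulnerable |
| commons-configuration2 (PTS) | trixie | 2.11.0-2 | vulnerable |
| commons-configuration2 (PTS) | forky, sid | 2.11.0-3 | vulnerable |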

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| commons-configuration | source | (unstable) | (not affected) | | | |
| commons-configuration2 | source | (unstable) | (unfixed) | | | 1136705 |

Notes

- commons-configuration <not-affected> (Vulnerable code not present)
https://www.openwall.com/lists/oss-security/2026/05/14/5
https://github.com/apache/commons-configuration/pull/634
https://github.com/apache/commons-configuration/commit/b51f6bf26e774f3416fdf782a5e1edf33f32ba82 (commons-configuration-2.15.0-RC1)
