Vulnerable Library - artemis-java-test-sandbox-1.15.0.jar
Path to dependency file: /artemis-java-template/build.gradle
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (artemis-java-test-sandbox version) |
Remediation Possible** |
| CVE-2026-24400 |
 High |
7.3 |
assertj-core-3.27.3.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-11226 |
 Medium |
6.9 |
logback-core-1.5.18.jar |
Transitive |
N/A* |
❌ |
| CVE-2026-1225 |
Medium |
5.0 |
logback-core-1.5.18.jar |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-24400
Vulnerable Library - assertj-core-3.27.3.jar
Rich and fluent assertions for testing in Java
Library home page: https://assertj.github.io/doc/#assertj-core
Path to dependency file: /artemis-java-template/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.assertj/assertj-core/3.27.3/31f5d58a202bd5df4993fb10fa2cffd610c20d6f/assertj-core-3.27.3.jar,/artemis-java-template/pom.xml
Dependency Hierarchy:
- artemis-java-test-sandbox-1.15.0.jar (Root Library)
- ❌ assertj-core-3.27.3.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in "org.assertj.core.util.xml.XmlStringPrettyFormatter": the "toXmlDocument(String)" method initializes "DocumentBuilderFactory" with default settings, without disabling DTDs or external entities. This formatter is used by the "isXmlEqualTo(CharSequence)" assertion for "CharSequence" values. An application is vulnerable only when it uses untrusted XML input with either "isXmlEqualTo(CharSequence)" from "org.assertj.core.api.AbstractCharSequenceAssert" or "xmlPrettyFormat(String)" from "org.assertj.core.util.xml.XmlStringPrettyFormatter". If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via "file://" URIs (e.g., "/etc/passwd", application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. "isXmlEqualTo(CharSequence)" has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace "isXmlEqualTo(CharSequence)" with XMLUnit, upgrade to version 3.27.7, or avoid using "isXmlEqualTo(CharSequence)" or "XmlStringPrettyFormatter" with untrusted input. "XmlStringPrettyFormatter" has historically been considered a utility for "isXmlEqualTo(CharSequence)" rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Publish Date: 2026-01-26
URL: CVE-2026-24400
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rqfh-9r24-8c9r
Release Date: 2026-01-26
Fix Resolution: org.assertj:assertj-core:3.27.7,https://github.com/assertj/assertj.git - assertj-build-3.27.7
Step up your Open Source Security Game with Mend here
CVE-2025-11226
Vulnerable Library - logback-core-1.5.18.jar
logback-core module
Library home page: http://logback.qos.ch
Dependency Hierarchy:
- artemis-java-test-sandbox-1.15.0.jar (Root Library)
- logback-classic-1.5.18.jar
- ❌ logback-core-1.5.18.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2025-10-01
URL: CVE-2025-11226
CVSS 3 Score Details (6.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-25qh-j22f-pwp8
Release Date: 2025-10-01
Fix Resolution: ch.qos.logback:logback-core:1.5.19,https://github.com/qos-ch/logback.git - v_1.5.19,ch.qos.logback:logback-core:1.3.16
Step up your Open Source Security Game with Mend here
CVE-2026-1225
Vulnerable Library - logback-core-1.5.18.jar
logback-core module
Library home page: http://logback.qos.ch
Dependency Hierarchy:
- artemis-java-test-sandbox-1.15.0.jar (Root Library)
- logback-classic-1.5.18.jar
- ❌ logback-core-1.5.18.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a
configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Publish Date: 2026-01-22
URL: CVE-2026-1225
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-22
Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.25
Step up your Open Source Security Game with Mend here
Path to dependency file: /artemis-java-template/build.gradle
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - assertj-core-3.27.3.jar
Rich and fluent assertions for testing in Java
Library home page: https://assertj.github.io/doc/#assertj-core
Path to dependency file: /artemis-java-template/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.assertj/assertj-core/3.27.3/31f5d58a202bd5df4993fb10fa2cffd610c20d6f/assertj-core-3.27.3.jar,/artemis-java-template/pom.xml
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in "org.assertj.core.util.xml.XmlStringPrettyFormatter": the "toXmlDocument(String)" method initializes "DocumentBuilderFactory" with default settings, without disabling DTDs or external entities. This formatter is used by the "isXmlEqualTo(CharSequence)" assertion for "CharSequence" values. An application is vulnerable only when it uses untrusted XML input with either "isXmlEqualTo(CharSequence)" from "org.assertj.core.api.AbstractCharSequenceAssert" or "xmlPrettyFormat(String)" from "org.assertj.core.util.xml.XmlStringPrettyFormatter". If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via "file://" URIs (e.g., "/etc/passwd", application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. "isXmlEqualTo(CharSequence)" has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace "isXmlEqualTo(CharSequence)" with XMLUnit, upgrade to version 3.27.7, or avoid using "isXmlEqualTo(CharSequence)" or "XmlStringPrettyFormatter" with untrusted input. "XmlStringPrettyFormatter" has historically been considered a utility for "isXmlEqualTo(CharSequence)" rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Publish Date: 2026-01-26
URL: CVE-2026-24400
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rqfh-9r24-8c9r
Release Date: 2026-01-26
Fix Resolution: org.assertj:assertj-core:3.27.7,https://github.com/assertj/assertj.git - assertj-build-3.27.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - logback-core-1.5.18.jar
logback-core module
Library home page: http://logback.qos.ch
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2025-10-01
URL: CVE-2025-11226
CVSS 3 Score Details (6.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-25qh-j22f-pwp8
Release Date: 2025-10-01
Fix Resolution: ch.qos.logback:logback-core:1.5.19,https://github.com/qos-ch/logback.git - v_1.5.19,ch.qos.logback:logback-core:1.3.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - logback-core-1.5.18.jar
logback-core module
Library home page: http://logback.qos.ch
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a
configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Publish Date: 2026-01-22
URL: CVE-2026-1225
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-22
Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.25
Step up your Open Source Security Game with Mend here