Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. com.thoughtworks.xstream/xstream
  4. ›
  5. CVE-2020-26217

CVE-2020-26217: XStream can be used for Remote Code Execution

November 16, 2020 (updated September 3, 2025)

The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream.

References

  • github.com/advisories/GHSA-mw36-7c6c-q4q2
  • github.com/x-stream/xstream
  • github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
  • github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2
  • lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E
  • lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E
  • lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E
  • lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E
  • lists.debian.org/debian-lts-announce/2020/12/msg00001.html
  • nvd.nist.gov/vuln/detail/CVE-2020-26217
  • security.netapp.com/advisory/ntap-20210409-0004
  • www.debian.org/security/2020/dsa-4811
  • www.oracle.com//security-alerts/cpujul2021.html
  • www.oracle.com/security-alerts/cpuApr2021.html
  • www.oracle.com/security-alerts/cpuapr2022.html
  • www.oracle.com/security-alerts/cpujan2022.html
  • www.oracle.com/security-alerts/cpuoct2021.html
  • x-stream.github.io/CVE-2020-26217.html

Code Behaviors & Features

Detect and mitigate CVE-2020-26217 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.4.14-java7

Fixed versions

  • 1.4.14-java7

Solution

Upgrade to version 1.4.14-java7 or above.

Impact 8 HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Source file

maven/com.thoughtworks.xstream/xstream/CVE-2020-26217.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Tue, 09 Sep 2025 00:18:08 +0000.