VulnerableCode Package Details - pkg:maven/org.hibernate.validator/hibernate-validator@6.0.17.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-d4z1-hdkt-r7g1 Aliases: CVE-2019-10219 GHSA-m8p2-495h-ccmh	The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.	6.0.18.Final Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.1.0.Alpha6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gghq-w7r9-57hs Aliases: CVE-2023-1932 GHSA-x83m-pf6f-pf9g	hibernate-validator Cross-site Scripting vulnerability A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.	6.2.0.Final Affected by 0 other vulnerabilities.
VCID-gvv3-4r9v-7kau Aliases: CVE-2025-35036 GHSA-7v6m-28jr-rg84	Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.	6.2.0.CR1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.0.CR1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-d4z1-hdkt-r7g1
Aliases:
CVE-2019-10219
GHSA-m8p2-495h-ccmh

The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.0.18.Final
Affected by 2 other vulnerabilities.

6.1.0.Alpha6
Affected by 2 other vulnerabilities.

VCID-gghq-w7r9-57hs
Aliases:
CVE-2023-1932
GHSA-x83m-pf6f-pf9g

hibernate-validator Cross-site Scripting vulnerability A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

6.2.0.Final
Affected by 0 other vulnerabilities.

VCID-gvv3-4r9v-7kau
Aliases:
CVE-2025-35036
GHSA-7v6m-28jr-rg84

Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.

6.2.0.CR1
Affected by 1 other vulnerability.

7.0.0.CR1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:30:12.323105+00:00	GitLab Importer	Affected by	VCID-gvv3-4r9v-7kau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2025-35036.yml	38.4.0
2026-04-16T23:13:34.492719+00:00	GitLab Importer	Affected by	VCID-gghq-w7r9-57hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2023-1932.yml	38.4.0
2026-04-12T00:49:54.165274+00:00	GitLab Importer	Affected by	VCID-gvv3-4r9v-7kau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2025-35036.yml	38.3.0
2026-04-12T00:32:06.069826+00:00	GitLab Importer	Affected by	VCID-gghq-w7r9-57hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2023-1932.yml	38.3.0
2026-04-03T00:57:56.333819+00:00	GitLab Importer	Affected by	VCID-gvv3-4r9v-7kau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2025-35036.yml	38.1.0
2026-04-03T00:39:49.946705+00:00	GitLab Importer	Affected by	VCID-gghq-w7r9-57hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2023-1932.yml	38.1.0
2026-04-01T15:57:51.469097+00:00	GHSA Importer	Affected by	VCID-d4z1-hdkt-r7g1	https://github.com/advisories/GHSA-m8p2-495h-ccmh	38.0.0