Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.camel/camel-mail@3.21.1

Type maven

Namespace org.apache.camel

Name camel-mail

Version 3.21.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.14.6

Latest_non_vulnerable_version 4.18.1

Affected_by_vulnerabilities

url VCID-7zbq-4hgd-ybhv

vulnerability_id VCID-7zbq-4hgd-ybhv

summary

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891).

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1.

Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33454.json

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33454.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33454

reference_id

reference_type

scores

value	0.00326
scoring_system	epss
scoring_elements	0.56126
published_at	2026-06-13T12:55:00Z

value	0.00326
scoring_system	epss
scoring_elements	0.56111
published_at	2026-06-12T12:55:00Z

value	0.00326
scoring_system	epss
scoring_elements	0.55991
published_at	2026-06-11T12:55:00Z

value	0.00326
scoring_system	epss
scoring_elements	0.56113
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33454

reference_url

https://github.com/apache/camel

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel

reference_url

https://github.com/apache/camel/commit/0307dd4709a8136eba3206701004bcb528bc47fd

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/0307dd4709a8136eba3206701004bcb528bc47fd

reference_url

https://github.com/apache/camel/commit/05cffa5ec05ff2ec3c50a77825625da6e426e7a8

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/05cffa5ec05ff2ec3c50a77825625da6e426e7a8

reference_url

https://github.com/apache/camel/commit/3926ab2b7745e36da2cd8e0dc019018bc415aff9

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/3926ab2b7745e36da2cd8e0dc019018bc415aff9

reference_url

https://github.com/apache/camel/commit/540d48e1cb5e492bd1c74bfc5a6e929fcf24fe3b

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/540d48e1cb5e492bd1c74bfc5a6e929fcf24fe3b

reference_url

https://github.com/apache/camel/commit/5c20de8f047de725e0b32a874cdb5108c3e46558

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/5c20de8f047de725e0b32a874cdb5108c3e46558

reference_url

https://github.com/apache/camel/commit/e074c01a719cccf3b1c2efbd2ff31e60fd6220ce

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/commit/e074c01a719cccf3b1c2efbd2ff31e60fd6220ce

reference_url

https://github.com/apache/camel/pull/22146

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22146

reference_url

https://github.com/apache/camel/pull/22147

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22147

reference_url

https://github.com/apache/camel/pull/22148

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22148

reference_url

https://github.com/apache/camel/pull/22149

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22149

reference_url

https://github.com/apache/camel/pull/22150

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22150

reference_url

https://github.com/apache/camel/pull/22151

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22151

reference_url

https://github.com/apache/camel/pull/22152

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/apache/camel/pull/22152

reference_url

https://issues.apache.org/jira/browse/CAMEL-23222

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://issues.apache.org/jira/browse/CAMEL-23222

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33454

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33454

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2463181
reference_id	2463181
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2463181

reference_url

https://camel.apache.org/security/CVE-2026-33454.html

reference_id

CVE-2026-33454.html

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-27T14:56:56Z/

url

https://camel.apache.org/security/CVE-2026-33454.html

reference_url

https://github.com/advisories/GHSA-2vqf-x7g4-7c2g

reference_id

GHSA-2vqf-x7g4-7c2g

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2vqf-x7g4-7c2g

reference_url	https://access.redhat.com/errata/RHSA-2026:17668
reference_id	RHSA-2026:17668
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17668

reference_url	https://access.redhat.com/errata/RHSA-2026:19835
reference_id	RHSA-2026:19835
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19835

fixed_packages

url	pkg:maven/org.apache.camel/camel-mail@4.14.6
purl	pkg:maven/org.apache.camel/camel-mail@4.14.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.camel/camel-mail@4.14.6

url	pkg:maven/org.apache.camel/camel-mail@4.18.1
purl	pkg:maven/org.apache.camel/camel-mail@4.18.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.camel/camel-mail@4.18.1

aliases CVE-2026-33454, GHSA-2vqf-x7g4-7c2g

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7zbq-4hgd-ybhv

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.camel/camel-mail@3.21.1

Package Instance