VulnerableCode Package Details - pkg:maven/org.hibernate.validator/hibernate-validator@6.0.20.Final

Search for packages

Vulnerability	Summary	Fixed by
VCID-gghq-w7r9-57hs Aliases: CVE-2023-1932 GHSA-x83m-pf6f-pf9g	hibernate-validator Cross-site Scripting vulnerability A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.	6.2.0.Final Affected by 0 other vulnerabilities.
VCID-gvv3-4r9v-7kau Aliases: CVE-2025-35036 GHSA-7v6m-28jr-rg84	Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.	6.2.0.CR1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.0.CR1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gghq-w7r9-57hs
Aliases:
CVE-2023-1932
GHSA-x83m-pf6f-pf9g

hibernate-validator Cross-site Scripting vulnerability A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

6.2.0.Final
Affected by 0 other vulnerabilities.

VCID-gvv3-4r9v-7kau
Aliases:
CVE-2025-35036
GHSA-7v6m-28jr-rg84

Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.

6.2.0.CR1
Affected by 1 other vulnerability.

7.0.0.CR1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-afkn-k8yk-w3dr	Improper Input Validation in Hibernate Validator A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.	CVE-2020-10693 GHSA-rmrm-75hp-phr2

Vulnerability

Summary

Aliases

VCID-afkn-k8yk-w3dr

Improper Input Validation in Hibernate Validator A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

CVE-2020-10693
GHSA-rmrm-75hp-phr2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:49:54.176668+00:00	GitLab Importer	Affected by	VCID-gvv3-4r9v-7kau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2025-35036.yml	38.3.0
2026-04-12T00:32:06.082087+00:00	GitLab Importer	Affected by	VCID-gghq-w7r9-57hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2023-1932.yml	38.3.0
2026-04-11T22:38:28.103932+00:00	GitLab Importer	Fixing	VCID-afkn-k8yk-w3dr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2020-10693.yml	38.3.0
2026-04-03T00:57:56.344832+00:00	GitLab Importer	Affected by	VCID-gvv3-4r9v-7kau	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2025-35036.yml	38.1.0
2026-04-03T00:39:49.957689+00:00	GitLab Importer	Affected by	VCID-gghq-w7r9-57hs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2023-1932.yml	38.1.0
2026-04-02T22:49:08.607666+00:00	GitLab Importer	Fixing	VCID-afkn-k8yk-w3dr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2020-10693.yml	38.1.0
2026-04-02T16:57:25.348018+00:00	GHSA Importer	Fixing	VCID-afkn-k8yk-w3dr	https://github.com/advisories/GHSA-rmrm-75hp-phr2	38.1.0
2026-04-01T17:07:01.871506+00:00	GitLab Importer	Fixing	VCID-afkn-k8yk-w3dr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.hibernate.validator/hibernate-validator/CVE-2020-10693.yml	38.0.0
2026-04-01T13:02:25.262535+00:00	GithubOSV Importer	Fixing	VCID-afkn-k8yk-w3dr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rmrm-75hp-phr2/GHSA-rmrm-75hp-phr2.json	38.0.0