VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-jcpa-9yka-2ugy

Essentials
Severities (17)
References (11)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-jcpa-9yka-2ugy
Aliases	CVE-2025-53689 GHSA-44c3-38h8-9fh9
Summary	Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-611	Improper Restriction of XML External Entity Reference
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53689.json
epss	0.00212	https://api.first.org/data/v1/epss?cve=CVE-2025-53689
epss	0.00212	https://api.first.org/data/v1/epss?cve=CVE-2025-53689
epss	0.00212	https://api.first.org/data/v1/epss?cve=CVE-2025-53689
epss	0.00212	https://api.first.org/data/v1/epss?cve=CVE-2025-53689
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-44c3-38h8-9fh9
cvssv3.1	8.8	https://github.com/apache/jackrabbit
generic_textual	HIGH	https://github.com/apache/jackrabbit
cvssv3.1	8.8	https://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
generic_textual	HIGH	https://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
cvssv3.1	8.8	https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
generic_textual	HIGH	https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
ssvc	Track	https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2025-53689
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-53689
cvssv3.1	8.8	http://www.openwall.com/lists/oss-security/2025/07/14/1
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2025/07/14/1

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53689.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-53689
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53689
		https://github.com/apache/jackrabbit
		https://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
		https://nvd.nist.gov/vuln/detail/CVE-2025-53689
		http://www.openwall.com/lists/oss-security/2025/07/14/1
1109335		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109335
2379885		https://bugzilla.redhat.com/show_bug.cgi?id=2379885
5pf9n76ny13pzzk765og2h3gxdxw7p24		https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
GHSA-44c3-38h8-9fh9		https://github.com/advisories/GHSA-44c3-38h8-9fh9

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53689.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/jackrabbit

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-14T15:45:32Z/ Found at https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-53689

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2025/07/14/1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.43855
EPSS Score	0.00212
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:05:29.470409+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/53xxx/CVE-2025-53689.json	38.6.0