Eclipse


Products by Eclipse Sorted by Most Security Vulnerabilities since 2018

Eclipse Jetty: 39 vulnerabilities
Jetty is an HTTP Server and Servlet Container

Eclipse Mosquitto: 21 vulnerabilities

Eclipse Openj9: 20 vulnerabilities

Eclipse Glassfish: 10 vulnerabilities

Eclipse Threadx Netx Duo: 8 vulnerabilities

Eclipse Vert X: 8 vulnerabilities

Eclipse Threadx: 7 vulnerabilities

Eclipse Omr: 6 vulnerabilities

Eclipse Kura: 5 vulnerabilities

Eclipse Jgit: 3 vulnerabilities

Eclipse Open Vsx: 2 vulnerabilities

Eclipse Parsson: 2 vulnerabilities

Eclipse Dataspace Components: 2 vulnerabilities

Eclipse Target Management: 1 vulnerability

Eclipse Ditto: 1 vulnerability

Eclipse Edc Connector: 1 vulnerability

Eclipse Jakarta Mail: 1 vulnerability

Eclipse Nextx Duo: 1 vulnerability

By the Year

In 2026 there have been 9 vulnerabilities in Eclipse with an average score of 7.4 out of ten. Last year, in 2025, Eclipse had 49 security vulnerabilities published. Right now, Eclipse is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.20.

Year   Vulnerabilities   Average Score
2026   9                 7.44
2025   49                7.24
2024   23                6.72
2023   24                6.88
2022   18                6.81
2021   35                7.13
2020   13                7.17
2019   34                7.85
2018   15                7.76

It may take a day or so for new Eclipse vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Eclipse Security Vulnerabilities

Each entry lists the CVE identifier and publication date, the vulnerability title and description, and the affected Eclipse product where one is tagged.

CVE-2026-24457 (Mar 05, 2026)
Title: OpenMQ Config Parsing Flaw Enables Remote File Read & RCE
Description: An unsafe parsing of OpenMQ's configuration allows a remote attacker to read arbitrary files from an MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ host OS. In some scenarios RCE could be achieved.

CVE-2026-1605 (Mar 05, 2026)
Title: Jetty GzipHandler resource leak before v12.0.31/12.1.0 due to JDK Inflater
Description: In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Products: Jetty

CVE-2025-11143 (Mar 05, 2026)
Title: Jetty URI Parser Differential Parsing Bypass info leak
Description: The Jetty URI parser has some key differences from other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security bypass. For example, a component that enforces a blacklist may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.
Products: Jetty

CVE-2026-22886 (Mar 03, 2026)
Title: OpenMQ TCP mgmt service default admin credentials vulnerability
Description: OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol's administrative features.

CVE-2026-1699 (Jan 30, 2026)
Title: Eclipse Theia Website CI Executes Untrusted PR Code via pull_request_target
Description: In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

CVE-2026-1188 (Jan 29, 2026)
Title: Buffer Overflow in Eclipse OMR 0.2.0-0.7.9 via Feature Name API fixed in 0.8.0
Description: In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining whether a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
Products: Omr

CVE-2026-0648 (Jan 27, 2026)
Title: DoS via Wild Pointer in ThreadX OSEK's CreateCounter()
Description: The vulnerability stems from incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks whether cntr_id equals 0u to determine failure, but osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.
Products: Threadx

CVE-2025-55095 (Jan 27, 2026)
Title: Stack overflow via unchecked recursion in USBX Host Storage mount
Description: The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.
Products: Threadx

CVE-2025-55102 (Jan 27, 2026)
Title: Eclipse NetX Duo IPv6 'Packet Too Big' DoS Vulnerability
Description: A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted "Packet Too Big" network packet with more than 15 different source addresses can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Products: Threadx Netx Duo

CVE-2025-2515 (Dec 24, 2025)
Title: BlueChi root privilege escalation by overwriting systemd units on RHIVOS
Description: A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise.

CVE-2025-14549 (Dec 15, 2025)
Title: Eclipse OMR 0.8.0: UTF-8 NUL truncation bug fixed (Z processors)
Description: In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc.) to IBM-1047/037 translation sequence. This can cause the output byte array to be truncated, discarding the first NUL byte and all subsequent characters, and thereby exposing a possible buffer over-read problem. This issue is fixed in Eclipse OMR version 0.8.0.
Products: Omr

CVE-2025-10543 (Dec 02, 2025)
Title: Eclipse Paho Go MQTT <=1.5.0: UTF-8 Length Overflow in PUBLISH Packets
Description: In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0, UTF-8 encoded strings passed into the library may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes, the amount of data written exceeded what the length field indicated. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

CVE-2025-12383 (Nov 18, 2025)
Title: Eclipse Jersey 2.45/3.0.16/3.1.9 Race Cond Ignoring SSL Configs
Description: In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause critical SSL configurations to be ignored, such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC).

CVE-2025-11965 (Oct 22, 2025)
Title: Eclipse Vert.x StaticHandler flaw: hidden dirs not blocked v4.0.0-5.0.4
Description: In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
Products: Vert X

CVE-2025-11966 (Oct 22, 2025)
Title: Stored XSS via Unescaped Filenames in Vert.x Directory Listing (4.0-5.0)
Description: In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Products: Vert X

CVE-2025-55086 (Oct 20, 2025)
Title: NetXDuo <6.4.4 DHCPV6 OOM via Unchecked DUID Index
Description: In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an unchecked index extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out of memory read.

CVE-2025-55085 (Oct 17, 2025)
Title: NextX Duo <6.4.4 HTTP Header Parse Bypass (UB)
Description: In NextX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.

CVE-2025-55087 (Oct 17, 2025)
Title: Out-of-Bound Read in NextX Duo SNMP Addon (<6.4.4) via SNMPv3 Params
Description: In NextX Duo's snmp addon versions before 6.4.4, a part of the Eclipse Foundation ThreadX, an attacker could cause an out-of-bound read by crafted SNMPv3 security parameters.
Products: Nextx Duo

CVE-2025-55100 (Oct 17, 2025)
Title: USBX <6.4.3 OOB Read in _ux_host_class_audio10_sam_parse_func() Eclipse
Description: In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio10_sam_parse_func() when parsing a list of sampling frequencies.

CVE-2025-55099 (Oct 17, 2025)
Title: USBX OOB Read in _ux_host_class_audio_alternate_setting_locate before 6.4.3
Description: In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_alternate_setting_locate() when parsing a descriptor with attacker-controlled frequency fields.

CVE-2025-55098 (Oct 17, 2025)
Title: USBX OOB Read in _ux_host_class_audio_device_type_get() before 6.4.3
Description: In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_device_type_get() when parsing a descriptor of a USB audio device.

CVE-2025-55097 (Oct 17, 2025)
Title: USBX <6.4.3 OOB Read in _ux_host_class_audio_streaming_sampling_get()
Description: In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_audio_streaming_sampling_get() when parsing a descriptor of a USB streaming device.

CVE-2025-55096 (Oct 17, 2025)
Title: USBX<=6.4.2 OOB Read in HID Descriptor Parsing
Description: In USBX before 6.4.3, the USB support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _ux_host_class_hid_report_descriptor_get() when parsing a descriptor of a USB HID device.

CVE-2025-55094 (Oct 17, 2025)
Title: NetX Duo 6.4.4 OOB Read in _nx_icmpv6_validate_options ICMP6 options
Description: In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_icmpv6_validate_options() when handling a packet with ICMP6 options.

CVE-2025-55093 (Oct 17, 2025)
Title: NetX Duo <6.4.4 OOB Read in _nx_ipv4_packet_receive ThreadX networking module
Description: In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_packet_receive() when handling unicast DHCP messages that could cause corruption of 4 bytes of memory.

CVE-2025-55092 (Oct 17, 2025)
Title: NetX Duo <6.4.4 OOB Read in IPv4 Timestamp Option
Description: In Eclipse Foundation NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in _nx_ipv4_option_process() when processing an IPv4 packet with the timestamp option.

CVE-2025-55091 (Oct 16, 2025)
Title: NetX Duo (<=6.4.3) OOB Read in _nx_ip_packet_receive()
Description: In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in the _nx_ip_packet_receive() function when receiving an Ethernet frame with type set as IP but no IP data.

CVE-2025-55090 (Oct 16, 2025)
Title: NetX Duo <6.4.4 OOB Read in _nx_ipv4_packet_receive() potential memory leak
Description: In NetX Duo before 6.4.4, the networking support module for Eclipse Foundation ThreadX, there was a potential out of bound read issue in the _nx_ipv4_packet_receive() function when receiving an Ethernet frame with less than 4 bytes of IP packet.

CVE-2025-55089 (Oct 16, 2025)
Title: Buf overflow in FileX <6.4.2 causing remote execution
Description: In FileX before 6.4.2, the file support module for Eclipse Foundation ThreadX, there was a possible buffer overflow in the FileX RAM disk driver. It could cause remote execution after receiving a crafted sequence of packets.

CVE-2025-55084 (Oct 16, 2025)
Title: NetX Duo <6.4.4: Incorrect bound check in TLS ext. version field (ThreadX)
Description: In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check in _nx_secure_tls_proc_clienthello_supported_versions_extension() in the extension version field.

CVE-2025-55083 (Oct 15, 2025)
Title: OOB Read in NetX Duo <6.4.4 via Eclipse ThreadX
Description: In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was an incorrect bound check resulting in an out-by-two out of bound read.

CVE-2025-55082 (Oct 15, 2025)
Title: NetX Duo <6.4.4: OOB Read in ThreadX TLS PSK ClientHello
Description: In NetX Duo version before 6.4.4, the component of Eclipse Foundation ThreadX, there was a potential out of bound read in _nx_secure_tls_process_clienthello() because of a missing validation of the PSK length provided in the user message.

CVE-2025-55081 (Oct 15, 2025)
Title: Eclipse NextX Duo <6.4.4 OOB Read via Missing Length Check in TLS Client Hello
Description: In Eclipse Foundation NextX Duo before 6.4.4, a module of ThreadX, the _nx_secure_tls_process_clienthello() function was missing length verification of certain SSL/TLS client hello message fields: the ciphersuite length and compression method length. In case of an attacker-crafted message with values outside of the expected range, it could cause an out-of-bound read.

CVE-2025-55080 (Oct 15, 2025)
Title: ThreadX <6.4.3 Arbitrary Mem Read/Write via Weak Syscall Verification
Description: In Eclipse ThreadX before 6.4.3, when memory protection is enabled, syscall parameter verification wasn't enough, allowing an attacker to obtain an arbitrary memory read/write.
Products: Threadx

CVE-2025-55079 (Oct 15, 2025)
Title: ThreadX DoS via Thread Priority Escalation (<6.4.3)
Description: In Eclipse ThreadX before version 6.4.3, the thread module has a setting of maximum priority. In some cases the check of that maximum priority wasn't performed, allowing, as a result, a thread to obtain a higher priority than expected and causing a possible denial of service.
Products: Threadx

CVE-2025-55078 (Oct 14, 2025)
Title: Eclipse ThreadX <6.4.3: DoS via Unchecked Memory Pointer
Description: In Eclipse ThreadX before version 6.4.3, an attacker can cause a denial of service (crash) by providing a pointer to a reserved or unmapped memory region. Vulnerable system calls had a check of pointers, but that check wasn't verifying whether the pointer is outside the module memory region.
Products: Threadx

CVE-2025-7962 (Jul 21, 2025)
Title: Jakarta Mail 2.0.2 SMTP Injection via UTF-8 CR/NL
Description: In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
Products: Jakarta Mail

CVE-2024-9408 (Jul 16, 2025)
Title: GlassFish 6.2.5+ SSRF in specific endpoints
Description: In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.
Products: Glassfish

CVE-2024-9342 (Jul 16, 2025)
Title: Eclipse GlassFish <=7.0.16 Brute Force Login
Description: In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation on the number of failed login attempts.
Products: Glassfish

CVE-2024-9343 (Jul 16, 2025)
Title: Eclipse GlassFish 7.0.15 S2S XSS in Admin Console
Description: In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.
Products: Glassfish

CVE-2024-10032 (Jul 16, 2025)
Title: Eclipse GlassFish 7.0.15: Stored XSS in Admin Console
Description: In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site scripting attacks in the Administration Console.
Products: Glassfish

CVE-2024-10031 (Jul 16, 2025)
Title: Eclipse GlassFish 7.0.15 Stored XSS via OS config file mod
Description: In Eclipse GlassFish version 7.0.15 it is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.
Products: Glassfish

CVE-2024-10029 (Jul 16, 2025)
Title: Eclipse GlassFish 7.0.15 Reflected XSS in Admin Console
Description: In Eclipse GlassFish version 7.0.15 it is possible to perform Reflected Cross-site scripting attacks in the Administration Console.
Products: Glassfish

CVE-2025-6705 (Jun 27, 2025)
Title: Eclipse Open VSX: Unauthorized Extension Uploads via Unisolated Build Scripts
Description: A vulnerability in the Eclipse Open VSX Registry's automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system's build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.
Products: Open Vsx

CVE-2025-4949 (May 21, 2025)
Title: Eclipse JGit XXE in ManifestParser & AmazonS3 before 7.2.0.202503040940-r
Description: In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (allowing git pack files to be stored in an Amazon S3 bucket) are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
Products: Jgit

CVE-2025-4447 (May 09, 2025)
Title: Eclipse OpenJ9 <0.51: Stack Buffer Overflow via Disk File on JVM Startup
Description: In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8, a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts.
Products: Openj9

CVE-2024-13009 (May 08, 2025)
Title: Jetty 9.4.x Gzip Inflate Buffer Release Vulnerability
Description: In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
Products: Jetty

CVE-2025-1948 (May 08, 2025)
Title: Jetty HTTP/2 Server OOM via SETTINGS_MAX_HEADER_LIST_SIZE (12.0.0-12.0.16)
Description: In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting.
Products: Jetty

CVE-2025-2260 (Apr 06, 2025)
Title: NetX Duo HTTP DoS via Missing File Closure before v6.4.3 (Eclipse ThreadX)
Description: In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause a denial of service by specially crafted packets. The core issue is a missing close of a file in case of an error condition, resulting in a 404 error for each further file request. Users can work around the issue by disabling PUT request support. This issue follows an incomplete fix of CVE-2025-0726.
Products: Threadx Netx Duo

CVE-2025-2259 (Apr 06, 2025)
Title: Eclipse ThreadX NetX Duo <6.4.3 HTTP int underflow DoS
Description: In the NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.3, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, using specially crafted packets with a Content-Length in one packet smaller than the data request size of the other packet. A possible workaround is to disable HTTP PUT support. This issue follows an incomplete fix of CVE-2025-0727.
Products: Threadx Netx Duo
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).