Primekey
Products by Primekey Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Primekey. Last year, in 2025, Primekey had 2 security vulnerabilities published. Right now, Primekey is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 4.80 |
| 2022 | 3 | 6.67 |
| 2021 | 4 | 3.15 |
| 2020 | 8 | 5.80 |
It may take a day or so for new Primekey vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Primekey Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-3026 | Mar 31, 2025 | EJBCA 8.0 Enterprise HTTP Host header redirection: The vulnerability exists in the EJBCA service, version 8.0 Enterprise (not tested in higher versions). By modifying the Host header in an HTTP request, an attacker can manipulate the links the server generates and so redirect the client to a different base URL. If the client follows the manipulated links, its subsequent HTTP requests go to a server of the attacker's choosing. | EJBCA |
| CVE-2025-3027 | Mar 31, 2025 | EJBCA 8.0 Enterprise open redirect via URL path manipulation: The vulnerability exists in the EJBCA service, version 8.0 Enterprise. By making a small change to the path of the URL associated with the service, the server fails to find the requested file and redirects to an external page. Users could be redirected to potentially malicious external sites, which can be exploited for phishing or other social engineering attacks. | EJBCA |
| CVE-2022-40711 | Jan 01, 2023 | PrimeKey EJBCA 7.9.0.2 Community stored XSS in the End Entity section (RA Administrator): PrimeKey EJBCA 7.9.0.2 Community allows stored XSS in the End Entity section. A user with the RA Administrator role can inject an XSS payload to target higher-privilege users. | EJBCA |
| CVE-2022-39834 | Nov 17, 2022 | EJBCA stored XSS via adminweb/ra/viewendentity.jsp through 7.9.0.2: A stored XSS vulnerability was discovered in adminweb/ra/viewendentity.jsp in PrimeKey EJBCA through 7.9.0.2. A low-privilege user can store JavaScript in order to exploit a higher-privilege user. | EJBCA |
| CVE-2022-34831 | Sep 14, 2022 | EJBCA ACME certificate issuance bypass via unvalidated DNS names (before 7.9.0): An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies between the DNS identifiers submitted in an ACME order and the CSR submitted during finalization. During ACME enrollment, an order is submitted containing identifiers for one or more dnsNames, and these are validated properly in the ACME challenge. However, once validation passes, a non-compliant client can include additional dnsNames in the CSR sent to the finalize endpoint, and EJBCA then issues a certificate including identifiers that were never validated. This occurs even if the certificate profile is configured not to allow a DN override by the CSR. | EJBCA |
| CVE-2022-26494 | Mar 21, 2022 | XSS in the Admin Web interface of PrimeKey SignServer before 5.8.1: JavaScript code must be placed in a worker name before a Generate CSR request. Only an administrator can update a worker name. | SignServer |
| CVE-2021-40087 | Aug 25, 2021 | PrimeKey EJBCA before 7.6.0 writes enrollment secrets to the audit log in cleartext: When audit logging changes to the alias configurations of protocols that use an enrollment secret, any modification to the secret was logged in cleartext in the audit log (which can only be viewed by an administrator). This affects use of the SCEP, CMP, or EST protocols. | EJBCA |
| CVE-2021-40089 | Aug 25, 2021 | PrimeKey EJBCA before 7.6.0 keeps running General Purpose Custom Publishers with external script access disabled: The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, could still run when the System Configuration setting Enable External Script Access was disabled. With this setting disabled it is not possible to create new such publishers, but existing publishers continued to run. | EJBCA |
| CVE-2021-40086 | Aug 25, 2021 | PrimeKey EJBCA before 7.6.0 reflects enrollment secrets in page source: As part of the configuration of the aliases for SCEP, CMP, EST, and Auto-enrollment, the enrollment secret was reflected on a page (which can only be viewed by an administrator). While hidden from direct view, checking the page source reveals the secret. | EJBCA |
| CVE-2021-40088 | Aug 25, 2021 | PrimeKey EJBCA before 7.6.0 CMP RA mode skips the multi-tenancy check on revocation: CMP RA Mode can be configured to use a known client certificate to authenticate enrolling clients, and the same RA client certificate is used for revocation requests. While enrollment enforces multi-tenancy constraints (by verifying that the client certificate has access to the CA and profiles being enrolled against), this check was not performed when authenticating revocation operations, allowing a known tenant to revoke a certificate belonging to another tenant. | EJBCA |
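The two 2025 entries (CVE-2025-3026, links generated from the request's Host header; CVE-2025-3027, a mangled path answered with a redirect to an external origin) can both be checked from a captured HTTP response. The following is an added example, not code from stack.watch or from the EJBCA project: it parses a raw response and reports either behaviour. The hostnames (`attacker.example`, `ca.internal.example`) and the three sample responses are constructed for illustration, not captures from a real instance.

```python
"""
Added example, not from stack.watch or the EJBCA project: offline checks for
the two behaviours described under CVE-2025-3026 (links generated from the
request's Host header) and CVE-2025-3027 (a mangled path answered with a
redirect to an external origin). The hostnames and the three HTTP responses
below are constructed for illustration, not captures from a real instance.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hostname a probe would send in the Host header; assumed, use one you control.
INJECTED_HOST = "attacker.example"
# Hostnames the service is legitimately reachable under (assumed).
TRUSTED_HOSTS: Set[str] = {"ca.internal.example"}

ABS_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def host_of(url: str) -> str:
    """Hostname of an absolute URL, or '' for a relative one."""
    return (urlsplit(url).hostname or "").lower()


def find_host_reflection(raw: str, injected_host: str) -> List[str]:
    """Absolute URLs (body links or Location) whose host is the injected Host value.

    A non-empty result means the server builds URLs from the request's Host
    header instead of a configured base URL (the CVE-2025-3026 pattern).
    """
    _, headers, body = parse_response(raw)
    candidates = ABS_URL_RE.findall(body)
    if "location" in headers:
        candidates.append(headers["location"])
    return sorted({u for u in candidates if host_of(u) == injected_host.lower()})


def find_external_redirect(raw: str, trusted_hosts: Set[str]) -> Optional[str]:
    """Location target of a 3xx that leaves the trusted origins, else None.

    Relative Location values stay on the same origin and are accepted;
    the CVE-2025-3027 pattern is a redirect to a foreign host.
    """
    status, headers, _ = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    target = headers["location"]
    host = host_of(target)
    if host == "" or host in trusted_hosts:
        return None
    return target


# Constructed sample: an admin link built from the injected Host header.
SAMPLE_HOST_REFLECTED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<a href="https://attacker.example/ejbca/adminweb/">Admin</a> '
    '<a href="/ejbca/ra/">RA</a>'
)
# Constructed sample: a mistyped path answered with a redirect off-site.
SAMPLE_EXTERNAL_REDIRECT = (
    "HTTP/1.1 302 Found\r\nLocation: https://evil.example/landing\r\n\r\n"
)
# Constructed sample: the safe shape, a same-origin relative redirect.
SAMPLE_SAFE = "HTTP/1.1 302 Found\r\nLocation: /ejbca/\r\n\r\n"


if __name__ == "__main__":
    print("host reflected:", find_host_reflection(SAMPLE_HOST_REFLECTED, INJECTED_HOST))
    print("external redirect:", find_external_redirect(SAMPLE_EXTERNAL_REDIRECT, TRUSTED_HOSTS))
    print("safe redirect:", find_external_redirect(SAMPLE_SAFE, TRUSTED_HOSTS))
```

Against a live instance the same functions are run over the output of `curl -i -H 'Host: attacker.example' https://ca.internal.example/ejbca/` and over the response to a request whose path has been slightly altered. The usual server-side remedy for both findings is to derive absolute links from a configured base URL rather than the Host header, and to redirect only to relative paths or an allow-list of hosts.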
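CVE-2022-34831 turns on a check that an ACME server must make at finalize time: the certificate may cover only identifiers the order actually validated, and RFC 8555 requires the CSR to name exactly the order's identifier set. The following is an added example, not stack.watch's or EJBCA's code: the CSR is modelled as already-parsed fields (subject CN plus a list of SAN general names) rather than DER so it runs without an X.509 library, and the `ParsedCsr` type, the `finalize_violations` function and the order/CSR values are all constructed here for illustration.

```python
"""
Added example, not EJBCA's ACME implementation: the finalize-time comparison
of the CSR against the validated ACME order that CVE-2022-34831 describes as
missing. A CSR is modelled as parsed fields so no X.509 library is needed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ParsedCsr:
    common_name: Optional[str]         # subject CN, may be absent
    sans: List[Tuple[str, str]]        # (general-name type, value), e.g. ("dNSName", "a.example")


def normalize_dns(name: str) -> str:
    """Canonical form for comparison: lowercase, trailing dot removed."""
    return name.strip().rstrip(".").lower()


def finalize_violations(order_dns_identifiers: Iterable[str], csr: ParsedCsr) -> List[str]:
    """Return the reasons this CSR must not be finalized (empty list means OK).

    Rules applied:
    - every SAN must be a dNSName; the order only validated DNS identifiers,
      so an IP, email or URI SAN was never proven to belong to the client;
    - every dNSName (and the CN, if present) must be in the order; a
      wildcard in the order matches only the identical wildcard in the CSR;
    - the sets must match exactly (RFC 8555 7.4), so a CSR that drops an
      order identifier is also rejected.
    """
    validated = {normalize_dns(n) for n in order_dns_identifiers}
    problems: List[str] = []
    requested = set()
    for gn_type, value in csr.sans:
        if gn_type != "dNSName":
            problems.append(f"unvalidated SAN type {gn_type}: {value}")
            continue
        requested.add(normalize_dns(value))
    if csr.common_name:
        requested.add(normalize_dns(csr.common_name))
    for name in sorted(requested - validated):
        problems.append(f"dNSName not in order: {name}")
    if not requested:
        problems.append("CSR names no identifier")
    for name in sorted(validated - requested):
        problems.append(f"order identifier missing from CSR: {name}")
    return problems


# Constructed order and CSRs for illustration.
ORDER = ["www.example.com", "example.com"]
CSR_OK = ParsedCsr("www.example.com",
                   [("dNSName", "www.example.com"), ("dNSName", "EXAMPLE.COM.")])
# The CVE-2022-34831 shape: one extra dNSName smuggled into the CSR.
CSR_EXTRA = ParsedCsr("www.example.com",
                      [("dNSName", "www.example.com"), ("dNSName", "example.com"),
                       ("dNSName", "mail.victim.example")])
CSR_IP = ParsedCsr(None,
                   [("dNSName", "www.example.com"), ("dNSName", "example.com"),
                    ("iPAddress", "10.0.0.1")])
CSR_SUBSET = ParsedCsr(None, [("dNSName", "example.com")])

if __name__ == "__main__":
    for label, csr in [("ok", CSR_OK), ("extra", CSR_EXTRA), ("ip", CSR_IP), ("subset", CSR_SUBSET)]:
        print(label, finalize_violations(ORDER, csr) or "finalize allowed")
```

The point the CVE makes is that this comparison has to happen regardless of the certificate profile's DN-override setting: the profile governs how the subject is built, while the ACME order is the only record of what was validated, so the issuance decision must be taken against the order.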
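CVE-2021-40088 is a case of an authorization check living on one code path (enrollment) but not another (revocation) that uses the same credential. The following is an added example, not stack.watch's or EJBCA's CMP code: it shows the pre-fix and fixed revocation paths side by side, with one tenancy rule shared by enrollment and revocation. RA clients are identified by the subject DN of their client certificate; the policy table, the certificate store and the `enroll`/`revoke_*` functions are all constructed here for illustration.

```python
"""
Added example, not EJBCA's CMP implementation: the multi-tenancy check that
CVE-2021-40088 says was applied to CMP enrollment but not to CMP revocation,
shown as one shared rule. Policy table and certificate store are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class IssuedCert:
    issuer_ca: str    # name of the CA that issued it
    serial: int
    profile: str      # end-entity profile it was enrolled under


# RA client subject DN -> (CAs it may enroll against, profiles it may use)
TENANT_POLICY: Dict[str, Tuple[Set[str], Set[str]]] = {
    "CN=RA-TenantA": ({"CA-TenantA"}, {"ServerProfile"}),
    "CN=RA-TenantB": ({"CA-TenantB"}, {"ServerProfile", "UserProfile"}),
}

# Constructed stand-in for the CA database: issuer CA -> serial -> cert.
CERT_DB: Dict[str, Dict[int, IssuedCert]] = {
    "CA-TenantA": {0x1001: IssuedCert("CA-TenantA", 0x1001, "ServerProfile")},
    "CA-TenantB": {0x2001: IssuedCert("CA-TenantB", 0x2001, "UserProfile")},
}

# (issuer CA, serial) pairs revoked so far.
REVOKED: Set[Tuple[str, int]] = set()


def ra_has_access(ra_subject: str, ca_name: str, profile: str) -> bool:
    """The one tenancy rule: the RA must be allowed both the CA and the profile."""
    allowed = TENANT_POLICY.get(ra_subject)
    if allowed is None:
        return False
    cas, profiles = allowed
    return ca_name in cas and profile in profiles


def enroll(ra_subject: str, ca_name: str, profile: str) -> bool:
    """Enrollment path; the affected versions already checked tenancy here."""
    return ra_has_access(ra_subject, ca_name, profile)


def revoke_unchecked(ra_subject: str, issuer_ca: str, serial: int) -> bool:
    """Pre-fix shape: any known RA client may revoke any known certificate.

    CMP revocation identifies the target by issuer and serial, so a tenant
    that knows another tenant's serial can revoke it.
    """
    if ra_subject not in TENANT_POLICY:
        return False
    cert = CERT_DB.get(issuer_ca, {}).get(serial)
    if cert is None:
        return False
    REVOKED.add((issuer_ca, serial))
    return True


def revoke_checked(ra_subject: str, issuer_ca: str, serial: int) -> bool:
    """Fixed shape: the target certificate must fall within the RA's tenancy.

    Unknown and unauthorized both answer False so a foreign tenant cannot use
    the response to probe which serials exist (a design choice made here).
    """
    cert = CERT_DB.get(issuer_ca, {}).get(serial)
    if cert is None or not ra_has_access(ra_subject, cert.issuer_ca, cert.profile):
        return False
    REVOKED.add((issuer_ca, serial))
    return True


if __name__ == "__main__":
    print("A enrolls at CA-A:", enroll("CN=RA-TenantA", "CA-TenantA", "ServerProfile"))
    print("A enrolls at CA-B:", enroll("CN=RA-TenantA", "CA-TenantB", "ServerProfile"))
    print("A revokes B's cert, unchecked:", revoke_unchecked("CN=RA-TenantA", "CA-TenantB", 0x2001))
    REVOKED.clear()
    print("A revokes B's cert, checked:", revoke_checked("CN=RA-TenantA", "CA-TenantB", 0x2001))
    print("B revokes own cert, checked:", revoke_checked("CN=RA-TenantB", "CA-TenantB", 0x2001))
```

Routing every operation that the RA certificate authenticates through `ra_has_access` is what closes the gap: the credential is the same for enrollment and revocation, so the tenancy decision has to be too.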