io.openremote:openremote-manager
Maven | 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting io.openremote:openremote-manager
- CVE-2026-39842 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 1.22.0 | 2026-04-15
vulnerable: 1.10.0 ... 1.9.0 (47 versions)
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes …
- CVE-2026-40882 | HIGH | CVSS 7.6 | EG 7.6 | ✓ Fixed in 1.22.0 | 2026-04-22
vulnerable: 1.10.0 ... 1.9.0 (47 versions)
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigg…
- CVE-2026-41166 | HIGH | CVSS 7.0 | EG 7.0 | ✓ Fixed in 1.22.1 | 2026-04-22
vulnerable: 1.10.0 ... 1.9.0 (48 versions)
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. T…