org.apache.httpcomponents.client5:httpclient5

Maven2 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting org.apache.httpcomponents.client5:httpclient5page 1 of 1

CVE-2025-27820HIGHCVSS 7.5EG 7.5✓ Fixed in 5.4.3
2025-04-24
vulnerable: 5.4 ... 5.4.2 (6 versions)
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release
CVE-2026-40542HIGHCVSS 7.3EG 7.3✓ Fixed in 5.6.1
2026-04-22
vulnerable: 5.6, 5.6-alpha1
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5…

Check whether org.apache.httpcomponents.client5:httpclient5 is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.httpcomponents.client5:httpclient5 CVEs against the assets you own.

Start Free Scan →