org.apache.shiro:shiro-spring

Maven3 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting org.apache.shiro:shiro-springpage 1 of 1

CVE-2020-17510CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.7.0
2020-11-05
vulnerable: 1.0.0-incubating ... 1.6.0 (21 versions)
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVE-2020-17523CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.7.1
2021-02-03
vulnerable: 1.0.0-incubating ... 1.7.0 (22 versions)
Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
CVE-2026-23903MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.1.0
2026-02-09
vulnerable: 1.0.0-incubating ... 2.0.6 (42 versions)
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If stat…

Check whether org.apache.shiro:shiro-spring is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.apache.shiro:shiro-spring CVEs against the assets you own.

Start Free Scan →