CVE-2016-4437

Critical · CVSS 9.8EPSS 93.1%CISA KEVCWE-321

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

References

NVD MITRE CVE.org CISA KEV

Published Jun 7, 2016

Community ground truth

Community verdict

2 verdicts

Not a real issue

to add your verdict.

Community real-world severity: Critical (Critical 2) — CVSS base score 9.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

No notes yet — be the first to share what you saw or a fix that worked.

Same weakness — CWE-321.

CVE-2025-30406CVSS 9KEVEPSS 92%
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

CVE-2016-4437

Community ground truth

Field notes & remediation

Related CVEs