Remote Code Execution Vulnerability in mchange-commons-java Library
CVE-2026-27727

8.9 HIGH

Key Information:

Vendor

Swaldman

CVE Published:
25 February 2026

What is CVE-2026-27727?

The mchange-commons-java library, which provides general-purpose utilities for Java applications, contains a vulnerability in its JNDI support. The library performs its own dereferencing of javax.naming.Reference objects, independent of the JDK's JNDI implementation. If an attacker can induce an application to read a specially crafted javax.naming.Reference, or a serialized object containing one, the library may load and instantiate an attacker-supplied object factory class, resulting in remote code execution. The JDK's default settings restrict this kind of remote class loading, but mchange-commons-java's independent dereferencing did not apply the same restriction. Versions 0.4.0 and later add configuration that limits this behaviour; applications still using versions earlier than 0.4.0 remain vulnerable. There is no workaround for the affected versions: do not include them on an application's CLASSPATH, and upgrade to 0.4.0 or later.
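The following is an added example, not code from the advisory or from mchange-commons-java. It shows what a crafted javax.naming.Reference looks like (the factoryLocation field names a remote codebase from which a factory class would be fetched) and two application-side guards a practitioner can put in front of any code that dereferences References or reads serialized objects: an allowlist check on the Reference itself, and a JDK serialization filter that refuses javax.naming classes outright. The allowlisted factory class name and the attacker hostname are placeholders; the guards are generic defences and are not the library's own 0.4.0 fix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Set;
import javax.naming.Reference;
import javax.naming.StringRefAddr;

public class ReferenceGuard {

    // Object factory classes this application legitimately expects to dereference.
    // Hypothetical allowlist: replace with the factories the application actually uses.
    private static final Set<String> ALLOWED_FACTORIES = Set.of(
        "com.example.app.LocalDataSourceFactory");

    /**
     * Reject any Reference that asks for remote class loading or names an
     * unexpected factory. A non-null factoryLocation is a request to download
     * the factory class from a URL, which is exactly the RCE primitive.
     */
    static boolean isSafeReference(Reference ref) {
        if (ref == null) {
            return false;
        }
        if (ref.getFactoryClassLocation() != null) {
            return false;
        }
        String factory = ref.getFactoryClassName();
        return factory != null && ALLOWED_FACTORIES.contains(factory);
    }

    /**
     * Deserialize untrusted bytes with a JDK ObjectInputFilter (JDK 9+) that
     * rejects every class in javax.naming and its subpackages, so a serialized
     * Reference never reaches any dereferencing code. The depth and ref caps
     * are a general guard against deeply nested payloads.
     */
    static Object deserializeWithoutReferences(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "!javax.naming.**;maxdepth=20;maxrefs=1000"));
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed malicious Reference: the factory class is to be loaded from
        // an attacker-controlled codebase. The hostname is a placeholder.
        Reference crafted = new Reference(
            "javax.sql.DataSource",
            "Exploit",                      // factory class name
            "http://attacker.invalid/");    // factory class location (remote codebase)
        crafted.add(new StringRefAddr("note", "constructed example"));

        // Benign Reference: local, allowlisted factory, no codebase URL.
        Reference benign = new Reference(
            "javax.sql.DataSource",
            "com.example.app.LocalDataSourceFactory",
            null);

        System.out.println("crafted reference safe? " + isSafeReference(crafted));
        System.out.println("benign reference safe?  " + isSafeReference(benign));

        // A serialized Reference must never get past deserialization either.
        byte[] payload = serialize(crafted);
        try {
            deserializeWithoutReferences(payload);
            System.out.println("unexpected: serialized Reference was accepted");
        } catch (InvalidClassException e) {
            System.out.println("serialized Reference rejected by filter: " + e.getMessage());
        }
    }
}
```

Run with `javac ReferenceGuard.java && java ReferenceGuard` on JDK 9 or later. These checks reduce exposure at the application boundary but are not a substitute for removing the affected library versions from the CLASSPATH, since the vulnerable dereferencing path can be reached by any code that hands a Reference to the library.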

Affected Version(s)

mchange-commons-java < 0.4.0

References

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published: 25 February 2026

  • Vulnerability reserved