Edgar Espina

5 exploits Active since Aug 2019
CVE-2019-15477 NOMISEC MEDIUM STUB
Jooby < 1.6.4 - Cross-Site Scripting via Default Error Handler
Jooby before 1.6.4 has XSS via the default error handler.
CVSS 6.1
CVE-2025-31129 WRITEUP HIGH WRITEUP
jooby-pac4j < 2.17.0 and 3.0.0.M1-3.6.1 - Deserialization of Untrusted Data in SessionStoreImpl
Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).
CVSS 8.8
CVE-2025-31129 WRITEUP HIGH WRITEUP
jooby-pac4j < 2.17.0 and 3.0.0.M1-3.6.1 - Deserialization of Untrusted Data in SessionStoreImpl
Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).
CVSS 8.8
CVE-2020-7622 WRITEUP MEDIUM WRITEUP
io.jooby:jooby-netty <1.6.9, <2.0.0-<2.2.1 - XSS
This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.
CVSS 6.5
CVE-2020-7647 WRITEUP MEDIUM WRITEUP
Jooby < 1.6.7 and 2.0.0-2.8.2 - Path Traversal
All versions before 1.6.7 and all versions after 2.0.0 inclusive and before 2.8.2 of io.jooby:jooby and org.jooby:jooby are vulnerable to Directory Traversal via two separate vectors.
CVSS 5.3