CVE-2016-6802

HIGH

Apache Shiro < 1.3.2 - Filter Bypass via Non-Root Servlet Context Path

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-6802. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains only partial source code files from Apache Shiro, with no exploit code or technical analysis. The README is a standard Apache license notice, and the files are legitimate Shiro components but do not demonstrate or explain the vulnerability.

Description

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-6802-shiro-vulnerable

The repository contains only partial source code files from Apache Shiro, with no exploit code or technical analysis. The README is a standard Apache license notice, and the files are legitimate Shiro components but do not demonstrate or explain the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Shiro
No auth needed
Prerequisites: none
devstral-2 · analyzed Mar 14, 2026

nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-6802-shiro-vulnerable

The repository contains only partial source code files from Apache Shiro without any exploit code or technical analysis related to CVE-2016-6802. It lacks a functional PoC, scanner, or writeup.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Shiro
No auth needed
devstral-2 · analyzed Feb 18, 2026

References (3)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/539397/100/0/threaded
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92947

Scores

CVSS v3 7.5
EPSS 0.1351
EPSS Percentile 94.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-284
Status: published
Products (3)
apache/shiro 1.3.1
org.apache.shiro/shiro-all 0 - 1.3.2 (Maven)
org.apache.shiro/shiro-web 0 - 1.3.2 (Maven)
Published: Sep 20, 2016
Tracked Since: Feb 18, 2026