CVE-2022-40146

HIGH

Apache Batik < 1.15 - SSRF

Title source: rule

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

Exploits (2)

nomisec WORKING POC 30 stars

by cckuailong · poc

https://github.com/cckuailong/CVE-2022-40146_Exploit_Jar

View Code ZIP pw:eip

nomisec WORKING POC

by soulfoodisgood · poc

https://github.com/soulfoodisgood/CVE-2022-40146

View Code ZIP pw:eip

References (4)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html

[Third Party Advisory] https://security.gentoo.org/glsa/202401-11

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/07/msg00006.html

Scores

CVSS v3 7.5

EPSS 0.4778

EPSS Percentile 97.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-918

Status published

Products (3)

apache/batik 1.14

debian/debian_linux 10.0

org.apache.xmlgraphics/batik 1.0 - 1.15Maven

Published Sep 22, 2022

Tracked Since Feb 18, 2026