CVE-2022-42890
Severity: HIGH
Apache Batik < 1.16 - Remote Code Execution via Untrusted SVG JavaScript
Title source: llmDescription
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
References (5)
Vendor Advisory: https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly
Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2022/10/25/3
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html
Third Party Advisory: https://www.debian.org/security/2022/dsa-5264
Third Party Advisory: https://security.gentoo.org/glsa/202401-11
Scores
CVSS v3: 7.5
EPSS: 0.0053
EPSS Percentile: 67.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-918
Status: published
Products (5)
apache/batik: 1.0 - 1.16
debian/debian_linux: 10.0
debian/debian_linux: 11.0
org.apache.xmlgraphics/batik: 0 - 1.16 (Maven)
org.apache.xmlgraphics/batik-bridge: 0 - 1.16 (Maven)
Published: Oct 25, 2022
Tracked Since: Feb 18, 2026