Fork me on GitHub

Security Reports

Security Updates

Please note that binary patches are not produced for individual vulnerabilities. To obtain the fix for a particular vulnerability you should upgrade to the officially released version where that vulnerability has been fixed.

List of Vulnerabilities

Note: the vulnerability reports linked below will provide additional details including reference to the public announcement and a short description.

CVE Number Type Fix Versions
CVE-2009-0026 Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp. 1.5.2
CVE-2015-1833 XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. 2.2.14, 2.4.6, 2.6.6, 2.8.1, 2.10.1
CVE-2016-6801 Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header. 2.4.6, 2.6.6, 2.8.3, 2.10.4, 2.12.4, 2.13.3
CVE-2023-37895 Apache Jackrabbit RMI access can lead to RCE 2.20.11, 2.21.18

Reporting Vulnerabilities with Apache Jackrabbit

The Apache Software Foundation takes an active stance in eliminating security problems. We strongly encourage everyone to report vulnerabilities to the Apache security mailing list security(at), before disclosing them in a public forum.

Please note that the security mailing list should only be used for reporting undisclosed vulnerabilities and managing the process of fixing them. We cannot accept regular bug reports or other queries at this address. If you wish to report a bug that isn't an undisclosed security vulnerability, please use

Errors and Omissions

Please report any errors or omissions to security(at)