PatchSiren

hs-web CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW hs-web CVE published 2026-06-08

CVE-2026-11477

A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. It affects the function `OAuth2Client` in the file `hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java` of the OAuth2 Client component. Manipulation results in an open redirect. The attack can be executed remotely. The exploit is now public and may be used.

LOW hs-web CVE published 2026-06-08

CVE-2026-11470

A path traversal vulnerability has been discovered in hsweb-framework, affecting versions up to 5.0.1. The vulnerability is located in the `denied` function of the `FileUploadProperties.java` file, where an attacker can manipulate the `filename` argument to traverse the file system. The vulnerability can be exploited remotely and has been publicly disclosed.