| mysql/mysql-connector-j | Remote code execution via abusing connection property propertiesTransform | fixed | CVE-2023-21971 | OSS-Fuzz |
| hsqldb | Remote code execution via prepared statement values | fixed | CVE-2022-41853 | OSS-Fuzz |
| spring-projects/spring-framework | OutOfMemoryError via specially crafted SpEL expressions | fixed | CVE-2023-20863 | OSS-Fuzz |
| spring-projects/spring-framework | OutOfMemoryError via specially crafted SpEL expressions | fixed | CVE-2023-20861 | OSS-Fuzz |
| protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2022-3171 | OSS-Fuzz |
| OpenJDK | OutOfMemoryError via a small BMP image | fixed | CVE-2022-21360 | Code Intelligence |
| OpenJDK | OutOfMemoryError via a small TIFF image | fixed | CVE-2022-21366 | Code Intelligence |
| protocolbuffers/protobuf | Small protobuf messages can consume minutes of CPU time | fixed | CVE-2021-22569 | OSS-Fuzz |
| jhy/jsoup | More than 19 Bugs found in HTML and XML parser | fixed | CVE-2021-37714 | Code Intelligence |
| Apache/commons-compress | Infinite loop when loading a crafted 7z | fixed | CVE-2021-35515 | Code Intelligence |
| Apache/commons-compress | OutOfMemoryError when loading a crafted 7z | fixed | CVE-2021-35516 | Code Intelligence |
| Apache/commons-compress | Infinite loop when loading a crafted TAR | fixed | CVE-2021-35517 | Code Intelligence |
| Apache/commons-compress | OutOfMemoryError when loading a crafted ZIP | fixed | CVE-2021-36090 | Code Intelligence |
| Apache/PDFBox | Infinite loop when loading a crafted PDF | fixed | CVE-2021-27807 | Code Intelligence |
| Apache/PDFBox | OutOfMemoryError when loading a crafted PDF | fixed | CVE-2021-27906 | Code Intelligence |
netplex/json-smart-v1
netplex/json-smart-v2 | JSONParser#parse throws an undeclared exception | fixed | CVE-2021-27568 | @GanbaruTobi |
| OWASP/json-sanitizer | Output can contain</script> and ]]>, which allows XSS | fixed | CVE-2021-23899 | Code Intelligence |
| OWASP/json-sanitizer | Output can be invalid JSON and undeclared exceptions can be thrown | fixed | CVE-2021-23900 | Code Intelligence |
| alibaba/fastjson | JSON#parse throws undeclared exceptions | fixed | | Code Intelligence |
| Apache/commons-compress | Infinite loop and OutOfMemoryError in TarFile | fixed | | Code Intelligence |
| Apache/commons-compress | NullPointerException in ZipFile | fixed | | Code Intelligence |
| Apache/commons-imaging | Parsers for multiple image formats throw undeclared exceptions | reported | | Code Intelligence |
| Apache/PDFBox | Various undeclared exceptions | fixed | | Code Intelligence |
| cbeust/klaxon | Default parser throws runtime exceptions | fixed | | Code Intelligence |
| FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception due to missing bounds checks when parsing Unicode | fixed | | Code Intelligence |
| FasterXML/jackson-dataformats-binary | CBORParser throws an undeclared exception on dangling arrays | fixed | | Code Intelligence |
| ngageoint/tiff-java | readTiff Index Out Of Bounds | fixed | | @raminfp |
| google/re2j | NullPointerException in Pattern.compile | reported | | @schirrmacher |
| google/gson | ArrayIndexOutOfBounds in ParseString | fixed | | @DavidKorczynski |
| snakeyaml | StackOverflowError in Composer | fixed | CVE-2022-38749 | Code Intelligence |
| snakeyaml | StackOverflowError in BaseConstructor | fixed | CVE-2022-38750 | Code Intelligence |
| snakeyaml | StackOverflowError caused by regex parse failure in java.util.regex | fixed | CVE-2022-38751 | Code Intelligence |
| snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-38752 | Code Intelligence |
| snakeyaml | StackOverflowError caused by recursion in java.util.ArrayList | fixed | CVE-2022-41854 | Code Intelligence |
| jettison-json/jettison | StackOverflowError in JSONTokener | fixed | CVE-2022-40149 | Code Intelligence |
| jettison-json/jettison | OutOfMemoryError when parsing json objects | fixed | CVE-2022-40150 | Code Intelligence |
| x-stream/xstream | StackOverflowError in xstream.core | fixed | CVE-2022-40151 | Code Intelligence |
| FasterXML/woodstox | StackOverflowError in WordResolver | fixed | CVE-2022-40152 | Code Intelligence |
| HtmlUnit/htmlunit | StackOverflowError in DomNode | fixed | CVE-2023-2798 | OSS-Fuzz |
| alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-40173 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40174 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in JSONPath | not fixed | CVE-2022-40175 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in DefaultJSONParser | not fixed | CVE-2022-41855 | Code Intelligence |
| alibaba/fastjson2 | StackOverflowError in SerialContext | not fixed | CVE-2022-41856 | Code Intelligence |
| Apache/commons-jxpath | Remote code execution via crafted XPath expression | not fixed | | Code Intelligence |
| airlift/aircompressor | Out-of-bounds memory access through sun.misc.Unsafe | fixed | CVE-2024-36114 | @Marcono1234 |
| lz4/lz4-java | Out-of-bounds memory access through sun.misc.Unsafe & JNI | fixed | CVE-2025-12183 | @yawkat, @Marcono1234 |
| lz4/lz4-java | Information leak in Java safe decompressor | fixed | CVE-2025-66566 | Code Intelligence |
| airlift/aircompressor | Information leak in lz4 and snappy decompressor | fixed | CVE-2025-67721 | Code Intelligence |