CVE-2022-40146: Jar url should be blocked by DefaultScriptSecurity

Vendor: Apache Software Foundation
Product: Apache XML Graphics
Weakness: CWE-918 · SSRF
Published: September 22, 2022
Last update: November 3, 2025

What the vulnerability does

01 Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

Key dates

02 Disclosure timeline

September 22, 2022: CVE published
November 3, 2025: Record updated