CVE-2026-45205

EUVD-2026-30267
Uncontrolled Recursion vulnerability in Apache Commons.

When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.

Users are recommended to upgrade to version 2.15.0, which fixes the issue.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |

EPSS Score
Percentile: 38%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| apache | commons_configuration | 2.2 ≤ x < 2.15.0 |

x = Vulnerable software versions

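Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| commons-configuration | bookworm | 1.10-6 | fixed |
| commons-configuration | bullseye | 1.10-5 | fixed |
| commons-configuration | forky | 1.10-7 | fixed |
| commons-configuration | sid | 1.10-7 | fixed |
| commons-configuration | trixie | 1.10-7 | fixed |
| commons-configuration2 | bookworm | | no-dsa |
| commons-configuration2 | bullseye | | postponed |
| commons-configuration2 | bullseye (security) | | vulnerable |
| commons-configuration2 | forky | | vulnerable |
| commons-configuration2 | sid | | vulnerable |
| commons-configuration2 | trixie | | no-dsa |
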
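openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| apache-commons-configuration2 | suse enterprise desktop 15 SP7 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise sap 15 SP4 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise sap 15 SP5 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise sap 15 SP6 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise sap 15 SP7 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise server 15 SP4 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise server 15 SP5 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise server 15 SP6 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-configuration2 | suse enterprise server 15 SP7 | 2.15.0-150200.5.11.1 | fixed |
| apache-commons-text | suse enterprise desktop 15 SP7 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise sap 15 SP4 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise sap 15 SP5 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise sap 15 SP6 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise sap 15 SP7 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise server 15 SP4 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise server 15 SP5 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise server 15 SP6 | 1.15.0-150200.5.14.1 | fixed |
| apache-commons-text | suse enterprise server 15 SP7 | 1.15.0-150200.5.14.1 | fixed |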