DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2025-33042

High

Low Medium High Critical

7.3

CVSS Score

Published: Feb 13, 2026

Last Modified: Feb 20, 2026

CWE: CWE-94

Vulnerability Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

1 configuration(s) from 1 vendor(s)

avro

Version:

1.12.0

CPE:

cpe:2.3:a:apache:avro:1.12.0:-:*:*:*:-:*:*

This vulnerability affects 1 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

1 patch available from vendors

View All Patches

Oracle

CPUAPR2026

Oracle Critical Patch Update Advisory - April 2026

Severity

Critical

Released

Apr 21, 2026

Restart Required

Security Update

View Details Vendor Page

Browse All Security Patches

References & Resources

Severity Details

7.3

out of 10.0

High

Weakness Type (CWE)

CWE-94 Top 25 #7

Improper Control of Generation of Code ('Code Injection')

Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Exploit Likelihood: Medium
Typical Severity: High
OWASP Top 10: A03:2021-Injection
Abstraction Level: Base