Apache Camel security information

Security model and report scope

Before reporting, please read the Apache Camel Security Model.

It is the canonical reference the Apache Camel PMC uses when triaging security reports. It documents who is trusted, where the trust boundaries sit, which vulnerability classes are accepted as framework vulnerabilities, and which categories are out of scope — route-author or operator responsibility, explicit opt-ins, denial of service through unthrottled routes, third-party transitive CVEs not reachable through Camel code, management surfaces placed on an untrusted network, and automated-scanner output with no proof of concept. Reports that fall outside the documented scope are closed with a reference to that page.

The Camel subprojects — Camel Quarkus, Camel Spring Boot, Camel Karaf, Camel Kamelets, Camel Kafka Connector and Camel K — inherit the same trust model; report scope for them is governed by the same document unless a subproject publishes its own security model.

Software Bill of Materials (SBOM)

Every Camel release since 4.0.3 ships with PGP-signed CycloneDX SBOMs that list all dependencies, enabling supply chain risk analysis alongside the CVE advisories below. See Generating SBOMs for details.

Reporting new security problems with Apache Camel

The Apache Software Foundation takes a very active stance in eliminating security problems.

We strongly encourage folks to report such problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.

Please see the ASF Security Team page for further information and contact details.

Security advisories

Security advisories by year
Reference | Affected | Fixed | CVSS score | Description
2026
CVE-2026-43866 | From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel JMS deserialization filter bypass: a forged DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860 class check and is unmarshalled into the Exchange, letting an attacker who can publish an ObjectMessage inject the message body, headers, exchange properties, variables and exception
CVE-2026-56140 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | LOW | Camel-AWS2-SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components; because camel-aws2-sns is producer-only (no consumer) there is no reachable inbound header-injection path, so this is a defense-in-depth hardening change related to the camel-aws2-sqs issue CVE-2026-46456
CVE-2026-56139 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured at all for Rest DSL consumers
CVE-2026-55994 | From 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.18.3 and 4.21.0 | HIGH | Camel-Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer
CVE-2026-55993 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel-Atmosphere-Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer
CVE-2026-53913 | From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.18.3 and 4.21.0 | HIGH | Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass
CVE-2026-49365 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
CVE-2026-49099 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Salesforce: Non-Camel-prefixed Exchange header constants (sObjectQuery, sObjectSearch, apexUrl, ...) bypass the HTTP header filter, allowing an HTTP client to inject SOQL/SOSL queries, override the target SObject, and redirect Apex REST calls using the connected Salesforce user's permissions
CVE-2026-49098 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic
CVE-2026-49097 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or users
CVE-2026-49086 | From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic
CVE-2026-48206 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-JIRA: A set of non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials
CVE-2026-48205 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames
CVE-2026-48204 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration
CVE-2026-48203 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to inject Solr query parameters (server-side request forgery) and document fields
CVE-2026-46726 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | HIGH | Camel-Vertx-Websocket: The inbound consumer maps externally-supplied WebSocket query and path parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer
CVE-2026-46592 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation
CVE-2026-46591 | From 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)
CVE-2026-46590 | From 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.18.3 and 4.21.0 | MEDIUM | Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle managers deserialize persisted key metadata with java.io.ObjectInputStream and no ObjectInputFilter (incomplete remediation of CVE-2026-40048)
CVE-2026-46585 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query
CVE-2026-46584 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentials
CVE-2026-46457 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers
CVE-2026-46456 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
CVE-2026-46455 | From 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.18.3 and 4.21.0 | MEDIUM | Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted
CVE-2026-46454 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange without a HeaderFilterStrategy, allowing unauthenticated clients to inject Camel control headers
CVE-2026-46453 | From 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation
CVE-2026-43865 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 | 4.14.8, 4.18.3 and 4.21.0 | MEDIUM | Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution
CVE-2026-40859 | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0 | 4.14.8, 4.18.3 and 4.20.0 | MEDIUM | Camel-Vertx-Http and Camel-Netty-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled
CVE-2026-40047 | From 4.15.0 before 4.18.3 | 4.18.3 and 4.19.0 | MEDIUM | Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
CVE-2026-47323 | From 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.19.0 | 4.14.6, 4.18.2 and 4.19.0 | MEDIUM | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
CVE-2026-45760 | This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1 | 2.8.1, 2.9.2 and 2.10.1 | HIGH | Camel K Cross-Namespace Build Deputy Attack
CVE-2026-33453 | From 4.14.0 before 4.14.6, from 4.15.0 before 4.18.1 | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Apache Camel: Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Camel-Coap component
CVE-2026-42527 | Apache Camel 4.14.0 through 4.14.7 (4.14.x line). Apache Camel 4.18.0 through 4.18.2 (4.18.x line). Apache Camel 4.20.0 | 4.14.8, 4.18.3, 4.21.0 | MEDIUM | Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure
CVE-2026-40860 | From 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, and from 4.19.0 before 4.20.0 | 4.14.7, 4.18.2 and 4.20.0 | HIGH | Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
CVE-2026-40858 | From 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 | 4.14.7, 4.18.2 and 4.20.0 | HIGH | Camel-Infinispan: Unsafe Deserialization in ProtoStream Remote Aggregation Repository
CVE-2026-40473 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP
CVE-2026-40453 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection
CVE-2026-40048 | From 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2 | 4.18.2 and 4.20.0 | HIGH | Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager
CVE-2026-40022 | From 4.14.1 before 4.14.6, from 4.15.0 before 4.18.2 | 4.14.6, 4.18.2 and 4.20.0 | MEDIUM | Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime
CVE-2026-33454 | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1 | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Camel-Mail Message Header Injection via Improper Filtering
CVE-2026-27172 | From 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1 | 4.14.6, 4.18.1 and 4.19.0 | HIGH | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store
CVE-2026-25747 | From 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5, from 4.15.0 before 4.18.0 | 4.10.9, 4.14.5 and 4.18.0 | HIGH | Apache Camel: Camel-LevelDB: Unsafe Deserialization from LevelDBAggregationRepository
CVE-2026-23552 | From 4.15.0 before 4.18.0 | 4.18.0 | HIGH | Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in KeycloakSecurityPolicy
CVE-2025-66169 | Apache Camel 4.10.x before 4.10.8, Apache Camel 4.14.x before 4.14.3, Apache Camel 4.15.0 and 4.16.0 | 4.10.8, 4.14.3 and 4.17.0 | MEDIUM | Cypher injection vulnerability in Camel-Neo4j component
2025
CVE-2025-30177 | Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6 | 4.8.6 and 4.10.3 | MEDIUM | Camel-Undertow Message Header Injection via Improper Filtering
CVE-2025-29891 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4 | 3.22.4, 4.8.5 and 4.10.2 | HIGH | Camel Message Header Injection through request parameters
CVE-2025-27636 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4 | 3.22.4, 4.8.5 and 4.10.2 | MEDIUM | Camel Message Header Injection via Improper Filtering
2024
CVE-2024-22371 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | LOW | Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data
CVE-2024-23114 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository
CVE-2024-22369 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository
2023
CVE-2023-34442 | 3.0.0 up to 3.14.8, and 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 and 4.0.0-M1 up to 4.0.0-M3 | 3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1 | LOW | Temporary File Local Information Disclosure in camel-jira
2022
CVE-2022-45046 | 3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0 | 3.14.6, 3.18.4 | MEDIUM | LDAP Injection in camel-ldap
2021
No issues reported
2020
CVE-2020-11994 | 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0 | 2.25.2, 3.4.0 | MEDIUM | Server-Side Template Injection and arbitrary file disclosure on Camel templating components
CVE-2020-11973 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel Netty enables Java deserialization by default
CVE-2020-11972 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel RabbitMQ enables Java deserialization by default
CVE-2020-11971 | 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 | 3.2.0 | MEDIUM | Apache Camel JMX Rebind Flaw Vulnerability
2019
CVE-2019-0188 | Apache Camel versions prior to 2.24.0 | 2.24.0 | MEDIUM | Apache Camel-XMLJson vulnerable to XML external entity injection (XXE)
CVE-2019-0194 | 2.21.0 up to 2.21.3, 2.22.0 up to 2.22.2, 2.23.0 | 2.21.5, 2.22.3, 2.23.1 | MEDIUM | Apache Camel's File is vulnerable to directory traversal
2018
CVE-2018-8041 | 2.20.0 up to 2.20.3, 2.21.0 up to 2.21.1, 2.22.0 | 2.20.4, 2.21.1, 2.22.1 and newer | MEDIUM | Apache Camel's Mail is vulnerable to path traversal
CVE-2018-8027 | 2.20.0 up to 2.20.3, 2.21.0 | 2.20.4, 2.21.1 and newer | MEDIUM | Apache Camel's Core is vulnerable to XXE in XSD validation processor
2017
CVE-2017-12634 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
CVE-2017-12633 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
CVE-2016-8749 | 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.16.5, 2.17.5, 2.18.2 | MEDIUM | Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks
CVE-2017-5643 | 2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 | 2.17.6, 2.18.3 and newer | MEDIUM | Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE
CVE-2017-3159 | 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.17.5, 2.18.2 and newer | MEDIUM | Apache Camel's Snakeyaml unmarshalling operation is vulnerable to Remote Code Execution attacks
2016
CVE-2015-5348 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's Jetty/Servlet usage is vulnerable to a Java object de-serialisation vulnerability
CVE-2015-5344 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks
2015
CVE-2015-0264 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) will be resolved before the Exception is thrown.
CVE-2015-0263 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via a SAXSource containing an XML External Entity (XXE) declaration.
2014
CVE-2014-0003 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods.
CVE-2014-0002 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route.
2013
CVE-2013-4330 | 2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0 | 2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer | CRITICAL | Writing files using the FILE or FTP components can potentially be exploited by a malicious user.