A vulnerability has been discovered in Commons-BeanUtils, which can lead to execution of arbitrary code.
| Package | dev-java/commons-beanutils on all architectures |
|---|---|
| Affected versions | < 1.11.0 |
| Unaffected versions | >= 1.11.0 |
Commons-BeanUtils provides easy-to-use wrappers around the Reflection and Introspection APIs.
Multiple vulnerabilities have been discovered in Commons-BeanUtils. Please review the CVE identifiers referenced below for details.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
There is no known workaround at this time.
All Commons-BeanUtils users should upgrade to the latest version:
```
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.11.0"
```
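The emerge command updates the system package only; copies of the library shipped inside application directories stay at whatever version they were bundled with. The script below is an added example, not part of the advisory. It flags jar files whose name carries a version below the fixed release 1.11.0, and it assumes the upstream `commons-beanutils-<version>.jar` naming and a `sort` that supports `-V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find bundled commons-beanutils jars older than the fixed release.
# Assumption: the version is taken from the file name (commons-beanutils-<version>.jar);
# renamed or shaded jars are not detected by this check.

FIXED="1.11.0"   # first unaffected version according to the advisory

# Return 0 (affected) when version $1 sorts strictly below $FIXED.
beanutils_affected() {
    [ "$1" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print "AFFECTED <version> <path>" or "ok <version> <path>" for every
# commons-beanutils-<version>.jar found below directory $1.
scan_jars() {
    find "$1" -type f -name 'commons-beanutils-[0-9]*.jar' | sort |
    while IFS= read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#commons-beanutils-}
        if beanutils_affected "$ver"; then
            echo "AFFECTED $ver $jar"
        else
            echo "ok $ver $jar"
        fi
    done
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_jars "$1"
fi
```

Run it with the directory to audit as the only argument, for example an application's `lib` directory.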
| Release date | January 26, 2026 |
|---|---|
| Latest revision | January 26, 2026: 1 |
| Severity | high |
| Exploitable | remote |
Bugzilla entries