{"id":"CVE-2026-45205","summary":"Apache Commons Configuration: StackOverflowError for YAML input with cycles","details":"Uncontrolled Recursion vulnerability in Apache Commons.\n\nWhen processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.\nThis issue affects Apache Commons: from 2.2 before 2.15.0.\n\nUsers are recommended to upgrade to version 2.15.0, which fixes the issue.","aliases":["GHSA-337m-mw94-2v6g"],"modified":"2026-07-15T01:49:12.079156523Z","published":"2026-05-14T11:22:43.908Z","related":["CGA-mvrp-qg39-5fq7","SUSE-SU-2026:21996-1","SUSE-SU-2026:2642-1","openSUSE-SU-2026:10784-1","openSUSE-SU-2026:20841-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45205.json","cna_assigner":"apache","cwe_ids":["CWE-674"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/14/5"},{"type":"WEB","url":"https://repo.maven.apache.org/maven2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45205.json"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/q3q3j10ohcqhs6o0rg1v7kz6kk27vtkk"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45205"},{"type":"FIX","url":"https://github.com/apache/commons-configuration/pull/634"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-configuration","events":[{"introduced":"137997974e0ebd3acd047243f46ddf3b90fa0160"},{"fixed":"26d8bc8c397296983800da80ef1277dbdb5700e4"}],"database_specific":{"cpe":"cpe:2.3:a:apache:commons_configuration:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.2"},{"fixed":"2.15.0"}],"source":["AFFECTED_FIELD","CPE_RANGE"]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45205.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}