Vulnerable Library - KeePassJava2-2.2.1.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (KeePassJava2 version) |
Remediation Possible** |
| CVE-2026-5588 |
 Medium |
5.3 |
bcpkix-jdk18on-1.73.jar |
Transitive |
N/A* |
❌ |
| CVE-2025-8916 |
Medium |
5.3 |
bcpkix-jdk18on-1.73.jar |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-5588
Vulnerable Library - bcpkix-jdk18on-1.73.jar
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Dependency Hierarchy:
- KeePassJava2-2.2.1.jar (Root Library)
- KeePassJava2-kdb-2.2.1.jar
- database-2.2.1.jar
- ❌ bcpkix-jdk18on-1.73.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).
This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.
This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
Publish Date: 2026-04-15
URL: CVE-2026-5588
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84
Step up your Open Source Security Game with Mend here
CVE-2025-8916
Vulnerable Library - bcpkix-jdk18on-1.73.jar
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Dependency Hierarchy:
- KeePassJava2-2.2.1.jar (Root Library)
- KeePassJava2-kdb-2.2.1.jar
- database-2.2.1.jar
- ❌ bcpkix-jdk18on-1.73.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java.
This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
Publish Date: 2025-08-13
URL: CVE-2025-8916
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-13
Fix Resolution: org.bouncycastle:bcpkix-fips:2.0.8,org.bouncycastle:bcprov-jdk15to18:1.79,org.bouncycastle:bcprov-ext-jdk18on:1.79,org.bouncycastle:bcprov-debug-jdk14:1.79,org.bouncycastle:bcprov-debug-jdk18on:1.79,org.bouncycastle:bcprov-debug-jdk15to18:1.79,org.bouncycastle:bcprov-ext-jdk15to18:1.79,org.bouncycastle:bcprov-jdk14:1.79,org.bouncycastle:bcprov-jdk18on:1.79,org.bouncycastle:bcpkix-fips:1.0.8,org.bouncycastle:bcprov-ext-jdk14:1.79,https://github.com/bcgit/bc-java.git - r1rv79
Step up your Open Source Security Game with Mend here
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - bcpkix-jdk18on-1.73.jar
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).
This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.
This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.
Publish Date: 2026-04-15
URL: CVE-2026-5588
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84
Step up your Open Source Security Game with Mend here
Vulnerable Library - bcpkix-jdk18on-1.73.jar
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.m2/repository/org/bouncycastle/bcpkix-jdk18on/1.73/bcpkix-jdk18on-1.73.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java.
This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
Publish Date: 2025-08-13
URL: CVE-2025-8916
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-08-13
Fix Resolution: org.bouncycastle:bcpkix-fips:2.0.8,org.bouncycastle:bcprov-jdk15to18:1.79,org.bouncycastle:bcprov-ext-jdk18on:1.79,org.bouncycastle:bcprov-debug-jdk14:1.79,org.bouncycastle:bcprov-debug-jdk18on:1.79,org.bouncycastle:bcprov-debug-jdk15to18:1.79,org.bouncycastle:bcprov-ext-jdk15to18:1.79,org.bouncycastle:bcprov-jdk14:1.79,org.bouncycastle:bcprov-jdk18on:1.79,org.bouncycastle:bcpkix-fips:1.0.8,org.bouncycastle:bcprov-ext-jdk14:1.79,https://github.com/bcgit/bc-java.git - r1rv79
Step up your Open Source Security Game with Mend here