FusionAuth Vulnerabilities

Vulnerabilities

This page is provided to help a FusionAuth administrator understand what CVEs or other documented vulnerabilities affect FusionAuth.

The FusionAuth development team continually monitors for known vulnerabilities in FusionAuth and its dependent packages.

CVEs

The Common Vulnerabilities and Exposures program, usually referred to simply as CVE, maintains a public catalog of publicly disclosed software vulnerabilities, each with a unique identifier, that lets software vendors and software consumers report, look up, and track them.

https://www.cve.org/

The purpose of this listing is to provide you with the CVEs known to exist in one or more versions of FusionAuth. For each, it covers the affected versions and the migration or upgrade steps, or explains why a CVE may show up in a scan of a FusionAuth installation without actually affecting FusionAuth.

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

https://www.cve.org/CVERecord?id=CVE-2022-34169

Why am I seeing this CVE show up in a security scan?

The version of Java that is packaged with FusionAuth contains the Apache Xalan XSLT library (including the XSLTC compiler), so scanners that inventory the bundled JDK report this CVE against the installation.

Is FusionAuth affected?

No. FusionAuth does not use the XSLTC compiler to compile XSLT stylesheets, so the vulnerable code path is never exercised. The library is present in the bundled JDK but is not reachable through FusionAuth. This CVE does not affect FusionAuth.

Fixed in version:

N/A
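As an added example, not FusionAuth's own code or part of the original page, the triage decision above can be recorded as an OpenVEX statement, so a scanner finding against the bundled JDK is downgraded with a machine-readable justification ("vulnerable code not in execute path") instead of an ad hoc allowlist. The scanner finding shape, the product identifier, the author, and the document id are assumptions; the reasoning in the impact statement is the page's.

```python
"""Record a CVE triage decision as an OpenVEX statement.

Added example, not FusionAuth code. The entry for CVE-2022-34169 restates the
page's reasoning (Xalan ships in the bundled JDK, but FusionAuth does not use
the XSLTC compiler). Findings with no recorded decision are reported as
under_investigation rather than silently suppressed, and not_affected is
refused without a recognized justification.
"""
import json
from datetime import datetime, timezone

# Allowed OpenVEX / CISA VEX status and justification values.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Hypothetical product identifier for the FusionAuth application package.
PRODUCT_ID = "pkg:generic/fusionauth-app"

# Triage decisions maintained alongside the vulnerabilities page.
TRIAGE = {
    "CVE-2022-34169": {
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "impact_statement": (
            "The Apache Xalan XSLT library ships inside the bundled JDK, but "
            "FusionAuth does not use the XSLTC compiler to compile stylesheets, "
            "so the integer truncation bug is not reachable."
        ),
    },
}

# Constructed scanner findings; the second CVE id is a placeholder with no
# triage entry, used to show the untriaged path.
SCANNER_FINDINGS = [
    {"cve": "CVE-2022-34169", "component": "java.xml (Apache Xalan XSLTC)"},
    {"cve": "CVE-XXXX-XXXXX", "component": "placeholder-lib"},
]


def triage_finding(finding, triage=TRIAGE, product_id=PRODUCT_ID):
    """Build one OpenVEX statement for a scanner finding."""
    cve = finding["cve"]
    statement = {
        "vulnerability": {"name": cve},
        "products": [{"@id": product_id}],
    }
    decision = triage.get(cve)
    if decision is None:
        # No documented decision: keep it visible, do not suppress it.
        statement["status"] = "under_investigation"
        return statement
    status = decision["status"]
    if status not in STATUSES:
        raise ValueError(f"{cve}: unknown status {status!r}")
    statement["status"] = status
    if status == "not_affected":
        justification = decision.get("justification")
        if justification not in JUSTIFICATIONS:
            raise ValueError(f"{cve}: not_affected requires a recognized justification")
        statement["justification"] = justification
        if decision.get("impact_statement"):
            statement["impact_statement"] = decision["impact_statement"]
    return statement


def vex_document(findings, author="security@example.com"):
    """Wrap statements in an OpenVEX document envelope (author and id assumed)."""
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.com/vex/fusionauth-triage",
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [triage_finding(f) for f in findings],
    }


def suppressed_cves(findings):
    """CVEs a scanner may downgrade: only those recorded as not_affected."""
    return sorted(
        s["vulnerability"]["name"]
        for s in (triage_finding(f) for f in findings)
        if s["status"] == "not_affected"
    )


if __name__ == "__main__":
    print(json.dumps(vex_document(SCANNER_FINDINGS), indent=2))
```

Feed the resulting document to a scanner that consumes VEX, or keep it next to this page; either way the suppression carries its justification with it, and an untriaged CVE stays visible until someone records a decision.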