GHSA-rp46-r563-jrc7

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-02-13T12:16:07Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed_at": "2026-02-13T20:56:03Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.apache.avro:avro-compiler

Package

Name: org.apache.avro:avro-compiler; View open source insights on deps.dev
Purl: pkg:maven/org.apache.avro/avro-compiler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0

Fixed

1.12.1

Affected versions

1.*

1.12.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rp46-r563-jrc7/GHSA-rp46-r563-jrc7.json"

Maven / org.apache.avro:avro-compiler

Package

Name: org.apache.avro:avro-compiler; View open source insights on deps.dev
Purl: pkg:maven/org.apache.avro/avro-compiler

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.5

Affected versions

1.*

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.8.0

1.8.1

1.8.2

1.9.0

1.9.1

1.9.2

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.11.3

1.11.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rp46-r563-jrc7/GHSA-rp46-r563-jrc7.json"