CVE-2025-10492 is a newly disclosed Java deserialisation vulnerability affecting Jaspersoft’s JasperReports library that could allow remote code execution in some deployments. While this issue has been patched in commercial editions, community releases are still pending. Skyve is not affected due to its use of trusted local report templates and the absence of remote deserialisation — but we outline what the vulnerability means, who is at risk, and how we’re responding.
The recently disclosed CVE-2025-48976 vulnerability in Apache Commons FileUpload does not affect Skyve 9. Skyve 8 is only conditionally vulnerable when using the commons uploader with an outdated JSF version. Recommended mitigations are provided for affected configurations.
A new critical vulnerability has been found in the Apache Struts 2 web application framework. No version of Skyve is affected by this vulnerability.
I came across an interesting security article by penetration tester Daniel Thatcher discussing a proposed attack against older versions of UUIDs. I describe some of the design decisions which went into designing the identifier systems used in Skyve.