CVE-2026-6009

Jaspersoft Library Deserialisation Vulnerability

CVSS 8.7 HIGHEPSS 0.5%CWE-502

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

19 May 2026Published on NVD

22 May 2026Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Jaspersoft · JasperReports IO At-Scale Jaspersoft · JasperReports IO Professional Jaspersoft · JasperReports Library Community Edition Jaspersoft · JasperReports Library Professional Jaspersoft · JasperReports Server Jaspersoft · JasperReports Web Studio Jaspersoft · Jaspersoft Studio Community Edition Jaspersoft · Jaspersoft Studio Professional

public PoCs found — 1

githubgithub.com/Pumila03/CVE-2026-6009★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/