Shiro vulnerabilities: known CVEs & security history
Apache · Actively exploited · 23 tracked CVEs · 1 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Shiro release lines — 23 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Shiro's current status and the safe version to run.
Known Shiro CVEs
Actively-exploited and most-severe first.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2016-4437 (exploited) | critical | 9.8 | 93% | 2016 |
| CVE-2023-34478 | critical | 9.8 | 2% | 2023 |
| CVE-2022-40664 | critical | 9.8 | 2% | 2022 |
| CVE-2022-32532 | critical | 9.8 | 20% | 2022 |
| CVE-2021-41303 | critical | 9.8 | 76% | 2021 |
| CVE-2020-17523 | critical | 9.8 | 86% | 2021 |
| CVE-2020-17510 | critical | 9.8 | 9% | 2020 |
| CVE-2020-11989 | critical | 9.8 | 24% | 2020 |
| CVE-2020-1957 | critical | 9.8 | 26% | 2020 |
| CVE-2023-22602 | high | 7.5 | 2% | 2023 |
| CVE-2020-13933 | high | 7.5 | 48% | 2020 |
| CVE-2019-12422 | high | 7.5 | 9% | 2019 |
| CVE-2016-6802 | high | 7.5 | 10% | 2016 |
| CVE-2014-0074 | high | 7.5 | 5% | 2014 |
| CVE-2026-43828 | medium | 6.5 | 0% | 2026 |
| CVE-2026-43827 | medium | 6.5 | 0% | 2026 |
| CVE-2023-46749 | medium | 6.5 | 1% | 2024 |
| CVE-2023-46750 | medium | 6.1 | 1% | 2023 |
| CVE-2026-48589 | medium | 5.4 | 0% | 2026 |
| CVE-2026-44598 | medium | 5.4 | 0% | 2026 |
| CVE-2026-23903 | medium | 5.3 | 0% | 2026 |
| CVE-2010-3863 | medium | 5 | 55% | 2010 |
| CVE-2026-23901 | low | 2.5 | 0% | 2026 |
Is my Shiro version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Shiro vulnerabilities — frequently asked
How many known vulnerabilities does Shiro have?
IsItPatched tracks 23 CVEs for Shiro, 1 of which is actively exploited (CISA KEV). 9 are critical-severity and 5 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Shiro have any actively-exploited vulnerabilities?
Yes — 1 Shiro CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild. Patch it as a priority.
What is the most severe Shiro vulnerability?
Among tracked issues, CVE-2016-4437 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest. It is a CWE-321 weakness (use of a hard-coded cryptographic key).
Is Shiro safe to use?
It depends on the version. The latest supported Shiro release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Apache's advisories.