Tag
high
advisory
Valtimo Sensitive Data Exposure via Excessive HTTP Request/Response Logging (CVE-2026-44516)
1 rule
The `LoggingRestClientCustomizer` in Valtimo's `web` module automatically intercepts all outgoing HTTP calls and logs the full request/response body and headers, potentially exposing sensitive information like credentials, personal data, and session tokens via error messages logged at ERROR level (CVE-2026-44516).
Valtimo
sensitive-data-exposure
logging
critical
advisory
Valtimo SpEL Injection Vulnerability Allows Remote Code Execution
2 rules, 1 TTP
Valtimo is vulnerable to SpEL injection via `StandardEvaluationContext`, which allows Remote Code Execution by admin users who can execute arbitrary OS commands and exfiltrate sensitive information.
Valtimo document module +2
spel-injection
rce
valtimo