Vulnerable Library - robolectric-4.14.1.jar
Found in HEAD commit: 77a89ac5bd1696a91ab9e7654223c13959e4b2c1
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (robolectric version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-5598 | Critical | 10.0 | bcprov-jdk18on-1.78.1.jar | Transitive | N/A* | ❌ |
| CVE-2025-14813 | Critical | 9.0 | bcprov-jdk18on-1.78.1.jar | Transitive | N/A* | ❌ |
| CVE-2026-0636 | Medium | 5.3 | bcprov-jdk18on-1.78.1.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2026-5598
Vulnerable Library - bcprov-jdk18on-1.78.1.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
Library home page: https://www.bouncycastle.org/java.html
Dependency Hierarchy:
- robolectric-4.14.1.jar (Root Library)
  - ❌ bcprov-jdk18on-1.78.1.jar (Vulnerable Library)
Found in HEAD commit: 77a89ac5bd1696a91ab9e7654223c13959e4b2c1
Found in base branch: develop
Vulnerability Details
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.
This issue affects BC-JAVA: from 1.71 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2026-5598
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84,org.bouncycastle:bcprov-jdk18on:1.84,org.bouncycastle:bcprov-jdk14:1.84,org.bouncycastle:bcprov-jdk15to18:1.84
CVE-2025-14813
Vulnerable Library - bcprov-jdk18on-1.78.1.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
Library home page: https://www.bouncycastle.org/java.html
Dependency Hierarchy:
- robolectric-4.14.1.jar (Root Library)
  - ❌ bcprov-jdk18on-1.78.1.jar (Vulnerable Library)
Found in HEAD commit: 77a89ac5bd1696a91ab9e7654223c13959e4b2c1
Found in base branch: develop
Vulnerability Details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher.
GOSTCTR implementation unable to process more than 255 blocks correctly.
This issue affects BC-JAVA: from 1.59 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2025-14813
CVSS 3 Score Details (9.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84,org.bouncycastle:bcprov-jdk18on:1.84,org.bouncycastle:bcprov-jdk14:1.84,org.bouncycastle:bcprov-jdk15to18:1.84
CVE-2026-0636
Vulnerable Library - bcprov-jdk18on-1.78.1.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
Library home page: https://www.bouncycastle.org/java.html
Dependency Hierarchy:
- robolectric-4.14.1.jar (Root Library)
  - ❌ bcprov-jdk18on-1.78.1.jar (Vulnerable Library)
Found in HEAD commit: 77a89ac5bd1696a91ab9e7654223c13959e4b2c1
Found in base branch: develop
Vulnerability Details
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.
This issue affects BC-JAVA: from 1.74 before 1.84.
Publish Date: 2026-04-15
URL: CVE-2026-0636
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-15
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84,org.bouncycastle:bcprov-jdk18on:1.84