CVE-2025-49656 — Apache Jena allows users with administrator access to create databases files out

Description

Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue.

How to fix CVE-2025-49656

To remediate CVE-2025-49656, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 5.5.0 or later

Is CVE-2025-49656 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 5.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-49656
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-49656
PATCHgithub.com/apache/jena
WEBgithub.com/apache/jena/commit/03c5265910aa3a27907bf54f6b4aaae3409afa4f