Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Gentoo GLSA

GLSA 202601-05: Commons-BeanUtils: Arbitrary Code Execution

A critical vulnerability has been discovered in Commons-BeanUtils that allows for arbitrary code execution. Users should apply necessary patches or mitigations immediately to prevent potential exploitation.

A vulnerability has been discovered in Commons-BeanUtils, which can lead to execution of arbitrary code.

Affected packages
Package: dev-java/commons-beanutils on all architectures
Affected versions: < 1.11.0
Unaffected versions: >= 1.11.0

Background
Commons-beanutils provides easy-to-use wrappers around Reflection and Introspection APIs.

Description
Multiple vulnerabilities have been discovered in Commons-BeanUtils. Please review the CVE identifiers referenced below for details.

Impact
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.

Workaround
There is no known workaround at this time.

Resolution
All Commons-BeanUtils users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.11.0"

References
CVE-2025-48734

Release date: January 26, 2026
Latest revision: January 26, 2026: 1
Severity: high
Exploitable: remote
Bugzilla entries: 960929
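The emerge upgrade replaces the system package only; copies of the library bundled inside application archives stay at whatever version they shipped with. The following added example (not part of the advisory or of the Commons-BeanUtils project) scans a directory tree for jars below the advisory's fixed version 1.11.0, including jars nested in .war/.ear/.jar files. It assumes the Maven-style file name commons-beanutils-<version>.jar, so renamed or shaded copies are not detected.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 11, 0)  # first unaffected version, from the advisory above
# Assumption: jars keep the Maven-style name commons-beanutils-<version>.jar
JAR_RE = re.compile(r"(?:^|/)commons-beanutils-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'1.9.4' -> (1, 9, 4); short forms are padded so '1.11' equals '1.11.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected(name):
    """Return the version string if name is a BeanUtils jar below FIXED, else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    return m.group(1) if m and parse_version(m.group(1)) < FIXED else None

def scan_archive(data, label, depth=0):
    """List affected jars bundled in a zip-format archive, nested up to 3 levels."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                inner = f"{label}!/{entry}"
                if affected(entry):
                    hits.append((inner, affected(entry)))
                if entry.lower().endswith(ARCHIVES) and depth < 3:
                    hits += scan_archive(zf.read(entry), inner, depth + 1)
    except zipfile.BadZipFile:
        pass  # wrong extension or corrupt file: nothing to inspect
    return hits

def scan_tree(root):
    """Report every affected jar under root, on disk or bundled in an archive."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            if affected(path.name):
                hits.append((str(path), affected(path.name)))
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

if __name__ == "__main__":
    for where, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\t{where}")
```

Run it with an application or deployment directory as the argument; each output line is the detected version followed by the path, with `!/` separating an archive from the entry found inside it.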
