Apache Http Server

5 CVEs listed for this product

CVE-2026-42536 HIGH PATCH This Week

Denial of service in Apache HTTP Server 2.4.0 through 2.4.67. A remote, unauthenticated attacker can crash the server by supplying untrusted XML content that is processed by mod_xml2enc's xml2StartParse function. The flaw is a heap-based buffer overflow (CWE-122); the CVSS 7.5 score reflects high availability impact only, and no public exploit had been identified at the time of analysis. Note that the affected range given here runs through 2.4.67, the same release this page names as the fix for CVE-2026-28780 and CVE-2026-23918, so confirm the fix level for this entry against the vendor advisory rather than assuming 2.4.67 closes it.

Tags: Buffer Overflow, Apache, Heap Overflow, Apache Http Server
Sources: NVD, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%

CVE-2026-44185 HIGH PATCH This Week

Buffer over-read in Apache HTTP Server 2.4.0 through 2.4.67 in the parsing of OCSP response data (CWE-126, improper bounds handling). The trigger is on the outbound side: httpd issues OCSP requests when OCSP stapling or OCSP client-certificate checking is configured, and a crafted response from an attacker-controlled responder, or from an attacker positioned to answer in the legitimate responder's place, can cause memory disclosure and limited integrity and availability impact. The CVSS 7.3 rating reflects unauthenticated network reachability with low complexity, but the attacker still has to control or interpose on the responder, which bounds the realistic exposure. No public exploit had been identified at the time of analysis.

Tags: Buffer Overflow, Apache, Apache Http Server
Sources: NVD, VulDB
CVSS 3.1: 7.3 | EPSS: 0.0%

CVE-2026-34355 HIGH This Week

Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 caused by a heap buffer overflow in the mod_proxy_html output filter: a malicious or compromised backend can return crafted HTML that corrupts memory in the httpd worker that is proxying and rewriting the response. The attacker position is therefore the upstream server, not an ordinary client, and the filter only runs where ProxyHTMLEnable is on. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) with availability-only impact yields the 7.5 score, and no public exploit had been identified at the time of analysis.

Tags: Buffer Overflow, Apache, Heap Overflow, Apache Http Server
Sources: NVD, VulDB
CVSS 3.1: 7.5 | EPSS: 0.0%

CVE-2026-28780 CRITICAL PATCH Act Now

Remote heap buffer overflow in Apache HTTP Server's mod_proxy_ajp module, leading to complete system compromise when httpd proxies to an attacker-controlled AJP backend. All versions through 2.4.66 are affected; a malicious AJP protocol response overflows a heap buffer with 4 attacker-controlled bytes, enough for remote code execution in the httpd worker. Apache fixed the issue in 2.4.67. Despite the critical CVSS 9.8, the EPSS probability is very low (0.02%, 5th percentile), indicating minimal observed exploitation, and the CVE is not listed in CISA's KEV catalogue, so there is no confirmation of in-the-wild abuse. Exposure requires a mod_proxy_ajp deployment (a ProxyPass or equivalent pointing at an ajp:// backend); the attacker must control or have compromised that backend, or be able to interpose on the AJP connection to it, which carries no transport encryption.

Tags: Buffer Overflow, Apache, Heap Overflow, Apache Http Server
Sources: NVD, VulDB
CVSS 3.1: 9.8 | EPSS: 0.0%

CVE-2026-23918 HIGH POC PATCH NEWS This Week

Remote code execution via a double free in the HTTP/2 implementation of Apache HTTP Server 2.4.66. An authenticated attacker can exploit it to compromise the server; the CVSS 8.8 score corresponds to low-privilege network access (PR:L) with high confidentiality, integrity and availability impact. The vendor's 2.4.67 release addresses the issue. The listing carries a POC badge and an Exploit-DB reference, but no public exploit or active exploitation had been confirmed at the time of analysis; the SSVC technical-impact rating of total indicates that complete system compromise is possible. Exposure requires HTTP/2 to be enabled, that is, mod_http2 loaded and h2 or h2c present in the Protocols directive.

Tags: Apache, Information Disclosure, Apache Http Server
Sources: NVD, VulDB, Exploit-DB
CVSS 3.1: 8.8 | EPSS: 0.1%

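The five entries above share one pattern: the affected code only runs when a particular module is loaded and a particular directive routes traffic through it (an ajp:// backend for mod_proxy_ajp, ProxyHTMLEnable for mod_proxy_html and mod_xml2enc, outbound OCSP for mod_ssl, h2 in Protocols for mod_http2). The script below is an added example, not part of this listing or of the Apache project: it takes `httpd -M` output and a merged configuration and reports, per CVE, whether the module is loaded and whether its code path is reachable, plus the version relative to the 2.4.67 fix level the listing gives for CVE-2026-28780 and CVE-2026-23918. The sample module list and configuration are constructed, and the directive-to-module mapping for mod_xml2enc (wired in by ProxyHTMLEnable or an explicit xml2enc filter) is an assumption.

```shell
#!/bin/sh
# Added example (not from the page or the Apache project): reachability triage
# for the five httpd advisories above. Module names, directives and the 2.4.67
# fix level come from the listing; the xml2enc trigger mapping is an assumption.
set -u

# Constructed sample of `httpd -M` output. On a real host: httpd -M (or apachectl -M).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http_module (static)
 ssl_module (shared)
 http2_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_html_module (shared)
 xml2enc_module (shared)'

# Constructed sample of a merged config. On a real host: httpd -t -D DUMP_CONFIG.
SAMPLE_CONFIG='Protocols h2 http/1.1
SSLEngine on
# SSLUseStapling on          <- commented out, so stapling is NOT enabled here
SSLOCSPEnable off
ProxyPass "/app" "ajp://10.0.0.5:8009/app"
ProxyHTMLEnable On'

# version_num 2.4.66 -> 2004066, so dotted x.y[.z] versions compare as integers
version_num() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}
    case $rest in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# module_loaded NAME MODULE_LIST : 0 when `httpd -M` lists NAME as static or shared
module_loaded() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*$1 \((static|shared)\)$"
}

# config_has ERE CONFIG : 0 when an active config line matches ERE (case-insensitive).
# Comment and LoadModule lines are ignored so that a module's own load line
# never counts as a directive that reaches it.
config_has() {
    printf '%s\n' "$2" | grep -Ev '^[[:space:]]*(#|LoadModule)' | grep -Eiq "$1"
}

# check CVE MODULE ERE MODULE_LIST CONFIG : prints "CVE STATUS" where STATUS is
#   NOT-LOADED  module absent from httpd -M (entry does not apply)
#   LOADED      module present, but no directive routes traffic through it
#   REACHABLE   module present and its triggering directive is active
check() {
    if ! module_loaded "$2" "$4"; then
        echo "$1 NOT-LOADED"
    elif config_has "$3" "$5"; then
        echo "$1 REACHABLE"
    else
        echo "$1 LOADED"
    fi
}

# triage VERSION MODULE_LIST CONFIG : one line per advisory plus a version line
triage() {
    ver=$1; mods=$2; conf=$3
    # assumption: xml2enc runs when ProxyHTMLEnable is on or its filter/directives are set
    check CVE-2026-42536 xml2enc_module \
        'xml2enc|xml2(EncDefault|StartParse)|^[[:space:]]*ProxyHTMLEnable[[:space:]]+On' "$mods" "$conf"
    # outbound OCSP traffic needs stapling or OCSP client-cert validation switched on
    check CVE-2026-44185 ssl_module \
        '^[[:space:]]*SSL(UseStapling|OCSPEnable)[[:space:]]+on([[:space:]]|$)' "$mods" "$conf"
    check CVE-2026-34355 proxy_html_module \
        '^[[:space:]]*ProxyHTMLEnable[[:space:]]+On' "$mods" "$conf"
    # any ajp:// backend, whether via ProxyPass or a RewriteRule [P] target
    check CVE-2026-28780 proxy_ajp_module 'ajp://' "$mods" "$conf"
    check CVE-2026-23918 http2_module \
        '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)' "$mods" "$conf"
    # 2.4.67 is the fix level the listing states for CVE-2026-28780 and CVE-2026-23918
    if [ "$(version_num "$ver")" -lt "$(version_num 2.4.67)" ]; then
        echo "VERSION $ver BELOW-2.4.67"
    else
        echo "VERSION $ver AT-OR-ABOVE-2.4.67"
    fi
}

triage 2.4.66 "$SAMPLE_MODULES" "$SAMPLE_CONFIG"
```

On a real host, replace the two samples with the output of `httpd -M` and `httpd -t -D DUMP_CONFIG` (the dump does not include .htaccess files). A REACHABLE line means the advisory's code path is live and patching comes first; LOADED means unloading the module is an available mitigation until then; NOT-LOADED means the entry does not apply. The version line only covers the two entries with a stated fix; the other three list 2.4.67 itself as affected, so a host at 2.4.67 is not automatically clean for them.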