Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2024-43202 Maven CRITICAL PATCH Act Now

Exposure of Remote Code Execution in Apache Dolphinscheduler.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Apache RCE Dolphinscheduler
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2024-41909 Maven MEDIUM PATCH This Month

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Mina Sshd
NVD GitHub
CVSS 3.1
5.9
EPSS
0.6%
CVE-2024-41890 Go MEDIUM PATCH This Month

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2024-41888 Go MEDIUM PATCH This Month

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2024-30188 Maven HIGH POC PATCH This Week

File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.1.0 before 3.2.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
CVSS 3.1
8.1
EPSS
6.0%
CVE-2024-29831 Maven HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-42222 MEDIUM POC This Month

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Cloudstack
NVD GitHub
CVSS 3.1
4.3
EPSS
1.0%
CVE-2024-42062 HIGH This Week

CloudStack account-users by default use username and password based authentication for API and UI access. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Denial Of Service Cloudstack
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2024-36448 HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench.13.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Iotdb Workbench
NVD
CVSS 3.1
7.3
EPSS
0.7%
CVE-2024-38856 CRITICAL POC KEV PATCH THREAT Act Now

Incorrect Authorization vulnerability in Apache OFBiz.12.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
99.4%
CVE-2024-42447 PyPI CRITICAL PATCH Act Now

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Fab
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-36268 Maven CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.10.0 through 1.12.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache RCE Inlong
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-27182 Maven MEDIUM PATCH This Month

In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Apache Linkis
NVD
CVSS 3.1
4.9
EPSS
0.7%
CVE-2024-27181 Maven HIGH PATCH This Week

In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Linkis
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-35296 HIGH This Week

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server
NVD
CVSS 3.1
8.2
EPSS
1.1%
CVE-2024-35161 HIGH This Week

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure Traffic Server
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-25090 MEDIUM This Month

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Roller
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2024-41801 MEDIUM PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Openproject
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-39676 Maven HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.1 before 1.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Pinot
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-41178 Cargo HIGH PATCH This Week

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Arrow
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-23321 Maven HIGH PATCH This Week

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Rocketmq
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-41172 Maven HIGH PATCH This Week

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Cxf
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-32007 Maven HIGH PATCH This Week

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Cxf
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-29736 Maven CRITICAL PATCH Act Now

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2024-31411 LIB HIGH PATCH This Week

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache File Upload Streampipes
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-31979 LIB MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Apache Streampipes
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-30471 LIB LOW PATCH Monitor

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Streampipes
NVD
CVSS 3.1
3.7
EPSS
0.7%
CVE-2024-39877 PyPI HIGH PATCH This Week

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Apache RCE Airflow
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-39863 PyPI MEDIUM PATCH This Month

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2024-39887 PyPI CRITICAL POC PATCH Act Now

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache PostgreSQL Superset
NVD
CVSS 3.1
9.8
EPSS
4.4%
CVE-2024-37389 Maven MEDIUM PATCH This Month

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
CVSS 3.1
5.4
EPSS
24.0%
CVE-2024-34750 Maven HIGH PATCH This Week

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Ontap Tools
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2024-24749 Maven HIGH PATCH This Week

GeoServer is an open source server that allows users to share and edit geospatial data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Tomcat Path Traversal Apache Microsoft Geoserver
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-34580 MEDIUM This Month

Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

SSRF Apache
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-29868 Maven CRITICAL POC PATCH Act Now

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Streampipes
NVD
CVSS 3.1
9.1
EPSS
6.0%
CVE-2024-27136 Maven MEDIUM PATCH This Month

XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Jspwiki
NVD
CVSS 3.1
6.1
EPSS
59.4%
CVE-2024-38379 MEDIUM This Month

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Allura
NVD
CVSS 3.1
4.8
EPSS
0.7%
CVE-2024-34693 PyPI MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 3.1
5.3
EPSS
1.6%
CVE-2024-32030 HIGH This Week

Kafka UI is an Open-Source Web UI for Apache Kafka Management. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Code Injection Apache RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
34.1%
CVE-2024-25142 PyPI MEDIUM PATCH This Month

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-36265 LIB CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Submarine
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-36264 LIB CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Submarine
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-36263 Maven HIGH POC This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Apache Submarine
NVD GitHub
CVSS 3.1
8.1
EPSS
1.0%
CVE-2024-36471 HIGH This Week

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Allura
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-4577 CRITICAL POC KEV THREAT Emergency

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit". Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection PHP Microsoft Fedora
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
100.0%
CVE-2024-36104 CRITICAL POC THREAT Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.12.14. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ofbiz
NVD
CVSS 3.1
9.1
EPSS
87.9%
CVE-2024-5246 HIGH This Week

NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Apache Netgear Prosafe Network Management Software 300
NVD
CVSS 3.1
8.8
EPSS
31.3%
CVE-2024-33647 MEDIUM This Month

A vulnerability has been identified in Polarion ALM (All versions < V2404.0). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-32077 PyPI MEDIUM PATCH This Month

Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
5.4
EPSS
1.6%
CVE-2024-34365 Maven CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Karaf Cave
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2024-32113 CRITICAL POC KEV PATCH THREAT Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.12.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Apache Ofbiz
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
99.4%
CVE-2024-26579 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Inlong
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-28148 PyPI MEDIUM PATCH This Month

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-32638 MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure Apisix
NVD
CVSS 3.1
6.3
EPSS
1.1%
CVE-2024-32114 Maven HIGH POC PATCH This Week

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Activemq
NVD
CVSS 3.1
8.8
EPSS
6.9%
CVE-2024-23335 MEDIUM PATCH This Month

MyBB is a free and open source forum software. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Mybb
NVD GitHub
CVSS 3.1
4.7
EPSS
0.6%
CVE-2024-32656 Maven HIGH PATCH This Week

Ant Media Server is live streaming engine software. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass RCE Apache Java Privilege Escalation
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-27349 Maven CRITICAL PATCH Act Now

Authentication Bypass by Spoofing vulnerability in Apache HugeGraph-Server.0.0 before 1.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Hugegraph
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2024-27348 Maven CRITICAL POC KEV PATCH THREAT Act Now

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Hugegraph
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
99.2%
CVE-2024-27347 Maven MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache HugeGraph-Hubble.0.0 before 1.3.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Hugegraph Hubble
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2024-29733 PyPI LOW PATCH Monitor

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Ftp
NVD GitHub
CVSS 3.1
2.7
EPSS
0.6%
CVE-2024-29217 Go MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.3.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Answer
NVD
CVSS 3.1
4.6
EPSS
1.0%
CVE-2024-31391 Go MEDIUM PATCH This Month

Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator.3.0 through 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Kubernetes Solr Operator
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-27309 Maven HIGH PATCH This Week

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Apache Kafka
NVD
CVSS 3.1
7.4
EPSS
1.1%
CVE-2024-31867 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2024-31868 Maven MEDIUM PATCH This Month

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Zeppelin
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2024-31866 Maven CRITICAL PATCH Act Now

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2024-31865 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2024-31864 Maven CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache RCE Zeppelin
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-31863 Maven MEDIUM PATCH This Month

Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.10.1 before 0.11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Zeppelin
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2024-31862 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.10.1 before 0.11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2024-31860 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Zeppelin
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2024-24746 HIGH PATCH This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache NimBLE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Denial Of Service Nimble
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-29834 Maven MEDIUM PATCH This Month

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Pulsar
NVD
CVSS 3.1
6.4
EPSS
1.4%
CVE-2024-23539 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache Fineract
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2024-23538 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache Fineract
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-23537 HIGH This Week

Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Fineract
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-1521 MEDIUM This Month

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx XSS WordPress Apache Elementor Pro +1
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-29735 PyPI MEDIUM PATCH This Month

Improper Preservation of Permissions vulnerability in Apache Airflow.8.2 through 2.8.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Docker Airflow
NVD GitHub
CVSS 3.1
5.3
EPSS
1.5%
CVE-2024-27438 CRITICAL Act Now

Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Doris
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-26307 MEDIUM This Month

Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Information Disclosure Apache Doris
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-29133 Maven MEDIUM PATCH This Month

Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Apache Memory Corruption Commons Configuration Fedora
NVD
CVSS 3.1
5.4
EPSS
1.7%
CVE-2024-29131 Maven HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Apache Memory Corruption Commons Configuration Fedora +2
NVD
CVSS 3.1
7.3
EPSS
2.1%
CVE-2024-27439 Maven MEDIUM PATCH This Month

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Wicket
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-24683 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Hop Engine.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Hop Engine
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2024-28752 Maven CRITICAL POC PATCH Act Now

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf Oncommand Workflow Automation Ontap Tools
NVD
CVSS 3.1
9.3
EPSS
5.8%
CVE-2024-23944 Maven MEDIUM PATCH This Month

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Apache Information Disclosure Zookeeper
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-28746 PyPI HIGH PATCH This Week

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
8.1
EPSS
1.3%
CVE-2024-24549 Maven HIGH PATCH This Week

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
23.1%
CVE-2024-23672 Maven MEDIUM PATCH This Month

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Debian Linux Fedora
NVD
CVSS 3.1
6.3
EPSS
2.3%
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Exposure of Remote Code Execution in Apache Dolphinscheduler.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Apache RCE +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Mina Sshd
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
EPSS 6% CVSS 8.1
HIGH POC PATCH This Week

File read and write vulnerability in Apache DolphinScheduler , authenticated users can illegally access additional resource files.1.0 before 3.2.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
EPSS 1% CVSS 4.3
MEDIUM POC This Month

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Information Disclosure Cloudstack
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

CloudStack account-users by default use username and password based authentication for API and UI access. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Denial Of Service +1
NVD
EPSS 1% CVSS 7.3
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench.13.0. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Iotdb Workbench
NVD
EPSS 99% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Incorrect Authorization vulnerability in Apache OFBiz.12.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Ofbiz
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Apache Airflow Providers Fab
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.10.0 through 1.12.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache RCE +1
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Apache +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Linkis
NVD
EPSS 1% CVSS 8.2
HIGH This Week

Invalid Accept-Encoding header can cause Apache Traffic Server to fail cache lookup and force forwarding requests.0.0 through 8.1.10, from 9.0.0 through 9.2.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Traffic Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Apache Traffic Server forwards malformed HTTP chunked trailer section to origin servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Roller
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenProject is open source project management software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Openproject
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot.1 before 1.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Pinot
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of temporary credentials in logs in Apache Arrow Rust Object Store (`object_store` crate), version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Arrow
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

For RocketMQ versions 5.2.0 and below, under certain conditions, there is a risk of exposure of sensitive Information to an unauthorized actor even if RocketMQ is enabled with authentication and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Rocketmq
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Cxf
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Cxf
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache File Upload +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Apache Streampipes
NVD
EPSS 1% CVSS 3.7
LOW PATCH Monitor

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Information Disclosure Streampipes
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection Apache RCE +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache PostgreSQL +1
NVD
EPSS 24% CVSS 5.4
MEDIUM PATCH This Month

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

GeoServer is an open source server that allows users to share and edit geospatial data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Tomcat Path Traversal Apache +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

SSRF Apache
NVD GitHub
EPSS 6% CVSS 9.1
CRITICAL POC PATCH Act Now

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Streampipes
NVD
EPSS 59% CVSS 6.1
MEDIUM PATCH This Month

XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Jspwiki
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Allura
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 34% CVSS 8.1
HIGH This Week

Kafka UI is an Open-Source Web UI for Apache Kafka Management. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization Code Injection Apache +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core.8.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Submarine
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Apache Submarine
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Submarine Server Core. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Apache Submarine
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Allura
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit". Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Command Injection PHP +2
NVD GitHub Exploit-DB
EPSS 88% CVSS 9.1
CRITICAL POC THREAT Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.12.14. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Apache Ofbiz
NVD
EPSS 31% CVSS 8.8
HIGH This Week

NETGEAR ProSAFE Network Management System Tomcat Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat RCE Apache +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability has been identified in Polarion ALM (All versions < V2404.0). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache
NVD
EPSS 2% CVSS 5.4
MEDIUM PATCH This Month

Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Karaf Cave
NVD
EPSS 99% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.12.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Apache Ofbiz
NVD GitHub Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Inlong
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.8.0, 3.9.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Request Smuggling Information Disclosure +1
NVD
EPSS 7% CVSS 8.8
HIGH POC PATCH This Week

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Activemq
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

MyBB is a free and open source forum software. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Mybb
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Ant Media Server is live streaming engine software. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass RCE Apache +2
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication Bypass by Spoofing vulnerability in Apache HugeGraph-Server.0.0 before 1.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Hugegraph
NVD
EPSS 99% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Hugegraph
NVD Exploit-DB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache HugeGraph-Hubble.0.0 before 1.3.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Hugegraph Hubble
NVD
EPSS 1% CVSS 2.7
LOW PATCH Monitor

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Apache Airflow Providers Ftp
NVD GitHub
EPSS 1% CVSS 4.6
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.3.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Answer
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator.3.0 through 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Kubernetes +1
NVD
EPSS 1% CVSS 7.4
HIGH PATCH This Week

While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Apache Kafka
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Zeppelin
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache RCE +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.10.1 before 0.11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Zeppelin
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin's UI.10.1 before 0.11.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Zeppelin
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Apache Zeppelin
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache NimBLE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Denial Of Service Nimble
NVD GitHub
EPSS 1% CVSS 6.4
MEDIUM PATCH This Month

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Pulsar
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache Fineract
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Apache Fineract
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper Privilege Management vulnerability in Apache Fineract.8.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Fineract
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file uploaded via the Form widget in all versions up to, and including, 3.20.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx XSS WordPress +3
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper Preservation of Permissions vulnerability in Apache Airflow.8.2 through 2.8.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Docker +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Doris
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Possible race condition vulnerability in Apache Doris. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Information Disclosure Apache +1
NVD
EPSS 2% CVSS 5.4
MEDIUM PATCH This Month

Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Apache Memory Corruption +2
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Apache Memory Corruption +4
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Wicket
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache Hop Engine.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Hop Engine
NVD
EPSS 6% CVSS 9.3
CRITICAL POC PATCH Act Now

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Cxf +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Apache Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 23% CVSS 7.5
HIGH PATCH This Week

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +2
NVD
EPSS 2% CVSS 6.3
MEDIUM PATCH This Month

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +2
NVD
Prev Page 10 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy