Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2024-28098 Maven MEDIUM PATCH This Month

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Pulsar
NVD
CVSS 3.1
5.4
EPSS
1.7%
CVE-2024-27894 Maven HIGH PATCH This Week

The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Denial Of Service Pulsar
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2024-27317 Maven CRITICAL PATCH Act Now

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Pulsar
NVD
CVSS 3.1
9.9
EPSS
56.9%
CVE-2024-27135 Maven CRITICAL PATCH Act Now

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Java Pulsar
NVD
CVSS 3.1
9.9
EPSS
6.0%
CVE-2024-26580 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache InLong.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Inlong
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2024-27140 Maven MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Archiva
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2024-27139 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Archiva
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-27138 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Archiva
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-26280 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Apache Airflow
NVD GitHub
CVSS 3.1
4.7
EPSS
1.9%
CVE-2024-27906 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Airflow
NVD GitHub
CVSS 3.1
5.9
EPSS
0.3%
CVE-2024-25065 CRITICAL Act Now

Possible path traversal in Apache OFBiz allowing authentication bypass. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Apache Ofbiz
NVD
CVSS 3.1
9.1
EPSS
47.7%
CVE-2024-23946 MEDIUM PATCH This Month

Possible path traversal in Apache OFBiz allowing file inclusion. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Apache Ofbiz
NVD
CVSS 3.1
5.3
EPSS
3.1%
CVE-2024-23807 CRITICAL POC PATCH Act Now

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Use After Free Apache Information Disclosure Memory Corruption Xerces C
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2024-26016 PyPI MEDIUM PATCH This Month

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2024-24779 PyPI MEDIUM PATCH This Month

Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-24773 PyPI MEDIUM PATCH This Month

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope.0.4, from 3.1.0 before 3.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-24772 PyPI MEDIUM PATCH This Month

A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.0.4, from 3.1.0 before 3.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Superset
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2024-27315 PyPI MEDIUM PATCH This Month

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2024-27905 CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Information Disclosure Oracle Aurora
NVD
CVSS 3.1
9.1
EPSS
1.5%
CVE-2024-22371 Maven HIGH PATCH This Week

Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Camel
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-23320 Maven HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2024-26578 Go MEDIUM PATCH This Month

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Apache Answer
NVD
CVSS 3.1
5.9
EPSS
0.9%
CVE-2024-23349 Go MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Answer
NVD
CVSS 3.1
5.4
EPSS
1.1%
CVE-2024-22393 Go CRITICAL PATCH Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Answer
NVD
CVSS 3.1
9.1
EPSS
2.5%
CVE-2024-23114 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Camel
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-22369 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Camel
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2024-26308 Maven MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.21 before 1.26. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Compress
NVD
CVSS 3.1
5.5
EPSS
0.9%
CVE-2024-25710 Maven MEDIUM PATCH This Month

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.3 through 1.25.0. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Compress
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2024-23952 MEDIUM This Month

This is a duplicate for CVE-2023-46104. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2024-24814 HIGH POC PATCH This Week

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Mod Auth Openidc Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-23452 HIGH PATCH This Week

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Information Disclosure Brpc
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-23673 Maven HIGH PATCH This Week

Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.11.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Path Traversal Apache Sling Servlets Resolver
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-23636 Maven CRITICAL PATCH Act Now

SOFARPC is a Java RPC framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Java Sofarpc
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-21733 Maven MEDIUM PATCH This Month

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
14.3%
CVE-2023-6554 MEDIUM This Month

When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Tcexam
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2023-49619 Go LOW PATCH Monitor

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Apache Race Condition Information Disclosure Answer
NVD
CVSS 3.1
3.1
EPSS
1.3%
CVE-2023-51441 Maven HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Java Apache Axis
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2023-51785 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Apache Inlong
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-51784 Maven CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.5.0 through 1.9.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Code Injection Inlong
NVD
CVSS 3.1
9.8
EPSS
7.1%
CVE-2023-49299 Maven HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2023-47804 HIGH PATCH This Week

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Openoffice
NVD
CVSS 3.1
8.8
EPSS
2.7%
CVE-2023-50968 HIGH POC PATCH THREAT This Week

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure SSRF Ofbiz
NVD
CVSS 3.1
7.5
EPSS
63.4%
CVE-2023-51656 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache IoTDB.13.0 through 0.13.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Iotdb
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-50783 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2023-49920 PyPI MEDIUM PATCH This Month

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Apache CSRF Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-48291 PyPI MEDIUM PATCH This Month

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
1.8%
CVE-2023-47265 PyPI MEDIUM PATCH This Month

Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
5.4
EPSS
1.3%
CVE-2023-37544 Maven HIGH PATCH This Week

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Authentication Bypass Pulsar
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-43826 HIGH This Week

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer Overflow Apache RCE Buffer Overflow Guacamole
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-49736 PyPI HIGH PATCH This Week

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.1.2, from 3.0.0 before 3.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Superset
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-49734 PyPI MEDIUM PATCH This Month

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-46104 PyPI MEDIUM PATCH This Month

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2023-46279 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Dubbo
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-29234 Maven CRITICAL PATCH Act Now

A deserialization vulnerability existed when decode a malicious package.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Dubbo
NVD
CVSS 3.1
9.8
EPSS
7.4%
CVE-2023-46750 Maven MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Shiro
NVD
CVSS 3.1
6.1
EPSS
1.5%
CVE-2023-6710 MEDIUM POC This Month

A flaw was found in the mod_proxy_cluster in the Apache server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Mod Proxy Cluster Enterprise Linux
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
2.2%
CVE-2023-36648 HIGH POC This Week

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Cryptospike
NVD
CVSS 3.1
8.2
EPSS
1.0%
CVE-2023-49070 CRITICAL POC PATCH THREAT Act Now

Pre-auth RCE in Apache Ofbiz 18.12.09. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
95.4%
CVE-2023-49735 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE SSRF Tiles
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-49733 Maven CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-42504 PyPI MEDIUM PATCH This Month

An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2023-42505 PyPI MEDIUM PATCH This Month

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2023-42502 PyPI MEDIUM PATCH This Month

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Open Redirect Superset
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-46589 Maven HIGH POC PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tomcat Apache Information Disclosure Request Smuggling
NVD
CVSS 3.1
7.5
EPSS
2.7%
CVE-2023-3545 CRITICAL POC PATCH Act Now

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload RCE Microsoft Apache PHP +1
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-49145 Maven MEDIUM PATCH This Month

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
CVSS 3.1
5.4
EPSS
1.2%
CVE-2023-43701 PyPI MEDIUM PATCH This Month

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Superset
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2023-42501 PyPI MEDIUM PATCH This Month

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Superset
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2023-40610 PyPI HIGH POC PATCH This Week

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Authentication Bypass Superset
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-49068 Maven HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-6308 HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache File Upload Video Surveillance Management System
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-48796 LIB HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-43123 Maven MEDIUM PATCH This Month

On unix-like systems, the temporary directory is shared between all user. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Oracle Apple Atlassian Java Apache +2
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-37924 PyPI CRITICAL PATCH Act Now

Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Submarine
NVD GitHub
CVSS 3.1
9.8
EPSS
7.2%
CVE-2023-46302 PyPI CRITICAL POC PATCH Act Now

Apache Software Foundation Apache Submarine has a bug when serializing against yaml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Apache Deserialization Submarine
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-26031 Maven HIGH PATCH This Week

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Atlassian Hadoop
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2023-47037 PyPI MEDIUM PATCH This Month

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
1.5%
CVE-2023-42781 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2023-47248 PyPI CRITICAL POC PATCH THREAT Act Now

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Deserialization Pyarrow
NVD GitHub
CVSS 3.1
9.8
EPSS
14.4%
CVE-2023-39913 Maven HIGH PATCH This Week

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java Apache Checkpoint +1
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-46819 MEDIUM PATCH This Month

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.12.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Ofbiz
NVD
CVSS 3.1
5.3
EPSS
1.8%
CVE-2023-46851 MEDIUM PATCH This Month

Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Apache RCE Allura
NVD
CVSS 3.1
4.9
EPSS
1.6%
CVE-2023-1713 HIGH POC This Week

Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache File Upload PHP Bitrix24
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-46237 MEDIUM PATCH This Month

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Apache Path Traversal Fogproject
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-46236 HIGH PATCH This Week

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Fogproject
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-46215 PyPI HIGH PATCH This Week

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow Airflow Celery Provider
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-46288 PyPI MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.4.0 to 2.7.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
4.3
EPSS
1.4%
CVE-2023-43622 HIGH This Week

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server
NVD
CVSS 3.1
7.5
EPSS
70.6%
CVE-2023-31122 HIGH This Week

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.4.57. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache Debian Linux Http Server +1
NVD
CVSS 3.1
7.5
EPSS
3.0%
EPSS 2% CVSS 5.4
MEDIUM PATCH This Month

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Pulsar
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Denial Of Service +1
NVD
EPSS 57% CVSS 9.9
CRITICAL PATCH Act Now

In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Apache Pulsar
NVD
EPSS 6% CVSS 9.9
CRITICAL PATCH Act Now

Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Java +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache InLong.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Inlong
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Archiva
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Archiva
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Archiva
NVD
EPSS 2% CVSS 4.7
MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Apache Airflow
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Airflow
NVD GitHub
EPSS 48% CVSS 9.1
CRITICAL Act Now

Possible path traversal in Apache OFBiz allowing authentication bypass. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Apache +1
NVD
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

Possible path traversal in Apache OFBiz allowing file inclusion. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Apache Ofbiz
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5 contains a use-after-free error triggered during the scanning of external DTDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Use After Free Apache Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope.0.4, from 3.1.0 before 3.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.0.4, from 3.1.0 before 3.1.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

** UNSUPPORTED WHEN ASSIGNED ** Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Aurora. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Information Disclosure +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Camel
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Information Disclosure Apache +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.2.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Answer
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.2.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache File Upload Answer
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Camel
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Camel
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.21 before 1.26. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Compress
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.3 through 1.25.0. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Compress
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

This is a duplicate for CVE-2023-46104. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Denial Of Service Mod Auth Openidc +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Malicious code execution via path traversal in Apache Software Foundation Apache Sling Servlets Resolver.11.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Path Traversal Apache +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SOFARPC is a Java RPC framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Java +1
NVD GitHub
EPSS 14% CVSS 5.3
MEDIUM PATCH This Month

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Apache Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Tcexam
NVD
EPSS 1% CVSS 3.1
LOW PATCH Monitor

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.2.0. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable.

Apache Race Condition Information Disclosure +1
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Java Apache +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization Apache Inlong
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.5.0 through 1.9.0, which could lead to Remote Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Code Injection +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Openoffice
NVD
EPSS 63% CVSS 7.5
HIGH POC PATCH THREAT This Week

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure SSRF +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache IoTDB.13.0 through 0.13.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Iotdb
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Airflow
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Apache CSRF Airflow
NVD GitHub
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Resource to Wrong Sphere vulnerability could allow attackers to access resources from an unintended security context.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Authentication Bypass +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer Overflow Apache RCE +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.1.2, from 3.0.0 before 3.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Superset
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Dubbo
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

A deserialization vulnerability existed when decode a malicious package.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Dubbo
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Open Redirect Shiro
NVD
EPSS 2% CVSS 5.4
MEDIUM POC This Month

A flaw was found in the mod_proxy_cluster in the Apache server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Mod Proxy Cluster +1
NVD Exploit-DB
EPSS 1% CVSS 8.2
HIGH POC This Week

Missing authentication in the internal data streaming system in ProLion CryptoSpike 3.0.15P2 allows remote unauthenticated users to read potentially sensitive information and deny service to users by. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Cryptospike
NVD
EPSS 95% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Pre-auth RCE in Apache Ofbiz 18.12.09. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Apache +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal XXE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.2.0 before 2.3.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Cocoon
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.0.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An authenticated user with read permissions on database connections metadata could potentially access sensitive information such as the connection's username.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site by spoofing the HTTP Host header, users could be redirected to this site when clicking on. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Open Redirect Superset
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload RCE Microsoft +3
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Superset
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.1.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Superset
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Authentication Bypass +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler.2.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Dolphinscheduler
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache File Upload Video Surveillance Management System
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Dolphinscheduler
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

On unix-like systems, the temporary directory is shared between all user. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Oracle Apple Atlassian +4
NVD
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache SQLi Submarine
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Apache Software Foundation Apache Submarine has a bug when serializing against yaml. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Java Apache Deserialization +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Apache Atlassian +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Apache Authentication Bypass Airflow
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 14% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache RCE Deserialization +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java +3
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Missing Authentication in Apache Software Foundation Apache OFBiz when using the Solr plugin.12.09. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Apache Authentication Bypass Ofbiz
NVD
EPSS 2% CVSS 4.9
MEDIUM PATCH This Month

Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Apache RCE Allura
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache File Upload +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Apache Path Traversal Fogproject
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Fogproject
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Information Disclosure Airflow +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.4.0 to 2.7.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 71% CVSS 7.5
HIGH This Week

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.4.57. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD
Prev Page 11 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy