Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2026-33038 PHP HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi Authentication Bypass CSRF +1
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-28563 PyPI MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Authentication Bypass Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26929 PyPI MEDIUM PATCH GHSA This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Python Authentication Bypass Apache Airflow
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30911 PyPI HIGH PATCH GHSA This Week

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Apache Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28779 PyPI HIGH PATCH GHSA This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure Apache Debian Apache Airflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2016-20026 CRITICAL POC Act Now

Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

RCE Tomcat Apache Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-54920 Maven HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization Apache Red Hat
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-60012 Maven MEDIUM PATCH This Month

Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.

Apache Authentication Bypass AI / ML Apache Livy
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-66249 Maven MEDIUM PATCH This Month

Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.

Path Traversal Apache Apache Livy
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-23941 HIGH PATCH This Week

A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.

Information Disclosure Apache Nginx Request Smuggling
NVD VulDB GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-3963 LOW Monitor

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks...

Apache Java Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-23907 Maven MEDIUM PATCH This Month

Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.

Apache Path Traversal Pdfbox Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24713 Maven CRITICAL PATCH Act Now

Input validation vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Second critical CVE affecting the IoT database.

Apache Iotdb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24015 Maven CRITICAL PATCH Act Now

Vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Critical severity issue in the IoT time-series database platform.

Apache Iotdb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24308 Maven HIGH PATCH This Week

Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.

Apache Zookeeper Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24281 Maven HIGH POC PATCH This Week

Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by the server to impersonate ZooKeeper nodes by exploiting fallback to reverse DNS validation when IP SAN checks fail. An attacker controlling or spoofing PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising confidentiality and integrity of the cluster. No patch is currently available; mitigation requires upgrading to ZooKeeper 3.8.6 or 3.9.5 or disabling reverse DNS lookup via configuration.

Apache Zookeeper Information Disclosure
NVD VulDB GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-40931 CRITICAL Act Now

Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.

Apache Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27446 Maven CRITICAL PATCH CISA GHSA Act Now

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.

Apache Authentication Bypass Activemq Artemis Artemis
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-66168 Maven MEDIUM PATCH This Month

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. [CVSS 5.4 MEDIUM]

Apache Integer Overflow Buffer Overflow
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-59060 Maven MEDIUM PATCH This Month

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]

Apache Ranger
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-59059 Maven CRITICAL PATCH Act Now

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Apache RCE Ranger
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-40932 HIGH This Week

Apache\ versions up to \ contains a vulnerability that allows attackers to gain access to systems (CVSS 8.2).

Apache Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-27636 HIGH POC PATCH Act Now

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.

Apache PHP Laravel RCE Freescout
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-23984 PyPI MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23983 PyPI MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can access sensitive user information including password hashes and email addresses through the Tag endpoint API, which improperly exposes user objects without proper field filtering. An attacker with low-privilege credentials (such as Gamma role) can exploit this to retrieve authentication data that should remain hidden. The vulnerability only affects instances with the TAGGING_SYSTEM enabled, which is disabled by default.

Apache Information Disclosure Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23982 PyPI MEDIUM PATCH This Month

Apache Superset before version 6.0.0 contains an authorization bypass in dataset management that allows authenticated users with write access to datasets to circumvent data access controls and query unauthorized information. An attacker can exploit this by modifying the SQL query of existing datasets to access restricted data that their role should not permit. No patch is currently available, leaving affected deployments vulnerable until upgrading to version 6.0.0.

Apache Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23980 PyPI MEDIUM PATCH This Month

Apache Superset before version 6.0.0 contains a SQL injection vulnerability in the sqlExpression and where parameters that allows authenticated users with read access to extract sensitive data through error-based techniques. An attacker with valid credentials could exploit this to bypass query restrictions and access unauthorized database information. A patch is available in version 6.0.0 and later.

Apache SQLi Superset
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23969 PyPI MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25747 Maven HIGH POC PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]

Apache Java Deserialization Camel RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23552 Maven CRITICAL POC PATCH Act Now

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available.

Apache Camel
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27161 HIGH POC This Week

Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. Public exploit code exists for this vulnerability, and no patch is currently available.

Apache Getsimple Cms
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27134 HIGH This Week

Strimzi Kafka Operator versions 0.49.0-0.50.0 incorrectly trusts all intermediate CAs in a multistage certificate chain for mTLS authentication, allowing any user with a certificate signed by any CA in the chain to authenticate to Kafka listeners. This authentication bypass affects only deployments using custom Cluster or Clients CA with multi-level CA chains. No patch is currently available.

Apache Kubernetes Strimzi Kafka Operator Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27133 MEDIUM This Month

Strimzi versions 0.47.0 through 0.50.0 improperly trust all certificates in a CA chain rather than only the intended signing authority, allowing Kafka Connect and MirrorMaker 2 operands to accept connections from brokers with certificates signed by intermediate CAs. An attacker could leverage this improper certificate validation to establish unauthorized connections to Kafka clusters using alternate CA-signed certificates from the trusted chain. This vulnerability requires high privileges to configure the CA chain and has no available patch at this time.

Apache Kubernetes Strimzi Red Hat
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24734 Maven HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]

Apache Tomcat Tomcat Native Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24733 Maven LOW PATCH Monitor

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]

Apache Tomcat
NVD HeroDevs VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2025-66614 Maven CRITICAL PATCH Act Now

Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.

Apache Tomcat Red Hat Suse
NVD HeroDevs VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25087 PyPI HIGH PATCH GHSA This Week

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]

Apache Python Ruby Use After Free Memory Corruption +4
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-25903 Maven HIGH PATCH This Week

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation.

Apache Authentication Bypass
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-33042 LIB HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection Avro Red Hat
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26214 CRITICAL Act Now

Man-in-the-middle interception affects the Xiaomi Galaxy FDS Android SDK (galaxy-fds-sdk-android) version 3.0.8 and prior, which disables TLS hostname verification whenever HTTPS is enabled — the default. Because createHttpClient() installs Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, any TLS certificate from any host is accepted, letting an on-path attacker impersonate Xiaomi FDS cloud storage endpoints and steal authentication credentials, file contents, and API responses. EPSS is very low (0.03%, 8th percentile) and there is no public exploit identified at time of analysis, but the project has reached end-of-life so no fix is expected.

Apache Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-25999 HIGH PATCH This Week

Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.

Apache Klaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24343 HIGH This Week

Apache HertzBeat versions 1.7.1 through 1.8.0 contain an XPath injection vulnerability that allows authenticated attackers to manipulate XPath queries and potentially extract or modify sensitive data. An attacker with valid credentials can exploit this flaw to bypass access controls and execute arbitrary XPath expressions against the application's XML data stores. Affected users should upgrade to version 1.8.0 immediately as no patch is currently available for earlier versions.

Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23906 Maven CRITICAL PATCH Act Now

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.

Apache DNS LDAP Authentication Bypass Druid
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23901 Maven LOW PATCH Monitor

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. [CVSS 2.5 LOW]

Apache
NVD
CVSS 3.1
2.5
EPSS
0.0%
CVE-2026-24098 PyPI MEDIUM PATCH This Month

Apache Airflow 3.0.0 through 3.1.6 allows authenticated users with access to specific DAGs to view import error messages from other DAGs they lack permission to access, resulting in unintended information disclosure. An authenticated attacker can leverage this privilege escalation to gather sensitive information about other workflows and their configurations. Apache recommends upgrading to version 3.1.7 or later to remediate this vulnerability.

Apache Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22922 PyPI MEDIUM PATCH This Month

Airflow versions up to 3.1.6 contains a vulnerability that allows attackers to an authenticated user with custom permissions limited to task access to view tas (CVSS 6.5).

Apache Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23903 Maven MEDIUM PATCH This Month

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. [CVSS 5.3 MEDIUM]

macOS Apache Authentication Bypass Shiro Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24735 Go HIGH PATCH This Week

Answer contains a vulnerability that allows attackers to retrieve restricted or sensitive information (CVSS 7.5).

Apache Answer Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23795 Maven MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-23794 Maven MEDIUM PATCH This Month

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Apache XSS Syncope
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2020-36939 HIGH POC This Week

Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. [CVSS 7.5 HIGH]

Apache Path Traversal
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-24807 Maven MEDIUM This Month

Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.

Apache Java Jwt Attack Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-24806 Maven MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.

Apache Java Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-1464 This Week

Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.

Apache Java Integer Overflow
NVD GitHub
EPSS
0.0%
CVE-2016-15057 Maven CRITICAL POC THREAT Emergency

Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life.

Apache Command Injection Continuum
NVD
CVSS 3.1
9.9
EPSS
37.9%
Threat
4.6
CVE-2026-24656 Maven LOW PATCH Monitor

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. [CVSS 3.7 LOW]

Apache Deserialization
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-27821 Maven HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. [CVSS 7.3 HIGH]

Apache Hadoop
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-22444 Maven HIGH PATCH This Week

Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.

Windows Apache Solr Red Hat
NVD HeroDevs
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22022 Maven HIGH PATCH This Week

Unauthorized API access in Apache Solr 5.3.0 through 9.10.0 allows unauthenticated attackers to bypass the RuleBasedAuthorizationPlugin due to insufficient input validation in permission rule enforcement. This vulnerability affects only deployments using multiple roles with specific predefined permissions like config-read, config-edit, schema-read, metrics-read, or security-read without the "all" permission rule defined. Successful exploitation grants attackers unauthorized access to sensitive Solr APIs, potentially exposing configuration and security data.

Apache Solr Red Hat
NVD HeroDevs
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-21962 CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS Http Server Weblogic Server Proxy Plug In
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-59355 Maven MEDIUM PATCH This Month

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). [CVSS 6.5 MEDIUM]

Apache Linkis
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-29847 Maven HIGH PATCH This Week

A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. [CVSS 7.5 HIGH]

Apache Linkis
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23529 HIGH This Week

Arbitrary file read vulnerability in Kafka Connect BigQuery Connector prior to version 2.11.0 allows authenticated attackers to read sensitive files by injecting malicious credential configurations through improperly validated credential_source parameters. An attacker with connector configuration privileges can exploit this to access arbitrary files on the system or perform server-side request forgery attacks against internal endpoints. No patch is currently available for affected Apache Kafka deployments.

Apache SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-68675 PyPI HIGH PATCH GHSA This Week

In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or la...

Apache Airflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68438 PyPI HIGH PATCH GHSA This Week

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. [CVSS 7.5 HIGH]

Apache Airflow
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-60021 CRITICAL Act Now

Apache bRPC versions before 1.15.0 contain a remote command injection vulnerability in the heap profiler built-in service, allowing attackers to execute arbitrary OS commands.

Apache Github Command Injection Brpc
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22265 HIGH POC PATCH This Week

Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later.

Apache Nginx Command Injection Roxy Wi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-66169 Maven MEDIUM PATCH This Month

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. [CVSS 5.3 MEDIUM]

Apache Camel Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68493 Maven HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-62235 HIGH PATCH This Week

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. [CVSS 8.1 HIGH]

Apache Authentication Bypass Nimble
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-53477 HIGH PATCH This Week

NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. [CVSS 7.5 HIGH]

Apache Null Pointer Dereference Nimble
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-53470 LOW PATCH Monitor

Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. [CVSS 3.1 LOW]

Apache
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-52435 HIGH PATCH This Week

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. [CVSS 7.5 HIGH]

Apache Nimble
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68280 Maven MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE Spatial Information System
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66518 Maven HIGH PATCH This Week

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. [CVSS 8.8 HIGH]

Apache Kyuubi
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-48769 HIGH This Week

Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in specific cases could cause unintended virtual filesystem rename/move operation results. [CVSS 8.1 HIGH]

Apache Use After Free Nuttx
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-48768 MEDIUM This Month

Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. [CVSS 6.5 MEDIUM]

Apache Null Pointer Dereference Denial Of Service Nuttx
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47411 Maven HIGH PATCH This Week

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. [CVSS 8.1 HIGH]

Apache Streampipes
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-66623 Maven HIGH PATCH This Week

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.

Information Disclosure Kubernetes Apache Strimzi Red Hat
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-58098 HIGH POC PATCH This Week

CVE-2025-58098 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure Apache Ubuntu Debian Http Server +3
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-66200 MEDIUM POC PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Apache Ubuntu Debian Http Server +3
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-65082 MEDIUM PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Apache Ubuntu Debian Http Server +3
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-59775 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Microsoft Apache SSRF Ubuntu Debian +5
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-55753 HIGH POC PATCH This Week

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Buffer Overflow Integer Overflow Apache Ubuntu Debian +4
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66516 Maven HIGH POC PATCH This Week

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

XXE Apache Ubuntu Debian Tika +1
NVD GitHub
CVSS 3.1
8.4
EPSS
1.5%
CVE-2025-13516 HIGH This Week

The SureMail - SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration.

WordPress File Upload Nginx Apache PHP +1
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-64775 Maven HIGH POC PATCH This Week

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Denial Of Service Apache Ubuntu Debian Struts +1
NVD GitHub HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59789 HIGH PATCH This Week

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options)  1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:  ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.

Denial Of Service Apache Debian Brpc
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-59792 MEDIUM This Month

Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.0.0 through 2.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Kvrocks
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-59790 MEDIUM This Month

Improper Privilege Management vulnerability in Apache Kvrocks.9.0 through v2.13.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Kvrocks
NVD
CVSS 3.1
5.4
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A critical authentication bypass vulnerability in AVideo's installation endpoint allows unauthenticated remote attackers to take over uninitialized deployments by completing the installation process with attacker-controlled credentials and database settings. The vulnerability affects AVideo installations where the configuration file does not exist (fresh deployments, container restarts without persistent storage, or re-deployments), enabling attackers to become the sole administrator with full control over the application. A detailed proof-of-concept is publicly available, and while no active exploitation has been reported in KEV, the vulnerability has a moderate EPSS score and requires only network access to exploit.

PHP RCE SQLi +3
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

CVE-2026-28563 is a security vulnerability (CVSS 4.3) that allows an authenticated user with only dag dependencies permission. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Information Disclosure Apache Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

CVE-2026-30911 is a security vulnerability (CVSS 8.1) that allows any authenticated task instance. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Authentication Bypass Apache Debian +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CVE-2026-28779 is a security vulnerability (CVSS 7.5) that allows any application co-hosted under the same domain. High severity vulnerability requiring prompt remediation. Vendor patch is available.

Information Disclosure Apache Debian +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software.

RCE Tomcat Apache +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.

Apache Authentication Bypass AI / ML +1
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.

Path Traversal Apache Apache Livy
NVD VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

A critical HTTP Request Smuggling vulnerability exists in Erlang OTP's inets httpd module that allows attackers to desynchronize front-end and back-end servers by exploiting inconsistent Content-Length header parsing. The vulnerability affects Erlang OTP versions from 17.0 through 28.4.0 (inets 5.10 through 9.6.0) and enables attackers to bypass security controls, potentially poisoning web caches or accessing unauthorized resources. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 4.0 score of 7.0 and could lead to significant security boundary violations in production environments using affected Erlang-based web services.

Information Disclosure Apache Nginx +1
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW Monitor

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks...

Apache Java Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Apache PDFBox versions 2.0.24-2.0.35 and 3.0.0-3.0.6 contain a path traversal vulnerability in the ExtractEmbeddedFiles example that allows attackers to write files outside the intended extraction directory by manipulating embedded file names. Organizations that have integrated this example code into production systems are at risk of unauthorized file writes on the host system. No patch is currently available, requiring developers to manually implement path validation to ensure extracted files remain within the designated directory.

Apache Path Traversal Pdfbox +2
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Input validation vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Second critical CVE affecting the IoT database.

Apache Iotdb
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Critical severity issue in the IoT time-series database platform.

Apache Iotdb
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.

Apache Zookeeper Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by the server to impersonate ZooKeeper nodes by exploiting fallback to reverse DNS validation when IP SAN checks fail. An attacker controlling or spoofing PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising confidentiality and integrity of the cluster. No patch is currently available; mitigation requires upgrading to ZooKeeper 3.8.6 or 3.9.5 or disabling reverse DNS lookup via configuration.

Apache Zookeeper Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.

Apache Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.

Apache Authentication Bypass Activemq Artemis +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. [CVSS 5.4 MEDIUM]

Apache Integer Overflow Buffer Overflow
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]

Apache Ranger
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

RCE in Apache Ranger <= 2.7.0 via NashornScriptEngineCreator. EPSS 0.42%.

Apache RCE Ranger
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Apache\ versions up to \ contains a vulnerability that allows attackers to gain access to systems (CVSS 8.2).

Apache Suse
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH Act Now

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.

Apache PHP Laravel +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users in Apache Superset versions before 6.0.0 can access sensitive user information including password hashes and email addresses through the Tag endpoint API, which improperly exposes user objects without proper field filtering. An attacker with low-privilege credentials (such as Gamma role) can exploit this to retrieve authentication data that should remain hidden. The vulnerability only affects instances with the TAGGING_SYSTEM enabled, which is disabled by default.

Apache Information Disclosure Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Superset before version 6.0.0 contains an authorization bypass in dataset management that allows authenticated users with write access to datasets to circumvent data access controls and query unauthorized information. An attacker can exploit this by modifying the SQL query of existing datasets to access restricted data that their role should not permit. No patch is currently available, leaving affected deployments vulnerable until upgrading to version 6.0.0.

Apache Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Superset before version 6.0.0 contains a SQL injection vulnerability in the sqlExpression and where parameters that allows authenticated users with read access to extract sensitive data through error-based techniques. An attacker with valid credentials could exploit this to bypass query restrictions and access unauthorized database information. A patch is available in version 6.0.0 and later.

Apache SQLi Superset
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.

Apache PostgreSQL Superset
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH]

Apache Java Deserialization +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available.

Apache Camel
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can access sensitive files in GetSimple CMS when Apache's AllowOverride directive is disabled, bypassing .htaccess protections that restrict directory access. This configuration is common in hardened and shared hosting environments, exposing authorization credentials, API keys, and cryptographic salts in files like authorization.xml. Public exploit code exists for this vulnerability, and no patch is currently available.

Apache Getsimple Cms
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Strimzi Kafka Operator versions 0.49.0-0.50.0 incorrectly trusts all intermediate CAs in a multistage certificate chain for mTLS authentication, allowing any user with a certificate signed by any CA in the chain to authenticate to Kafka listeners. This authentication bypass affects only deployments using custom Cluster or Clients CA with multi-level CA chains. No patch is currently available.

Apache Kubernetes Strimzi Kafka Operator +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Strimzi versions 0.47.0 through 0.50.0 improperly trust all certificates in a CA chain rather than only the intended signing authority, allowing Kafka Connect and MirrorMaker 2 operands to accept connections from brokers with certificates signed by intermediate CAs. An attacker could leverage this improper certificate validation to establish unauthorized connections to Kafka clusters using alternate CA-signed certificates from the trusted chain. This vulnerability requires high privileges to configure the CA chain and has no available patch at this time.

Apache Kubernetes Strimzi +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]

Apache Tomcat Tomcat Native +1
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]

Apache Tomcat
NVD HeroDevs VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.

Apache Tomcat Red Hat +1
NVD HeroDevs VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]

Apache Python Ruby +6
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation.

Apache Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. [CVSS 7.3 HIGH]

Apache Java Code Injection +2
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Man-in-the-middle interception affects the Xiaomi Galaxy FDS Android SDK (galaxy-fds-sdk-android) version 3.0.8 and prior, which disables TLS hostname verification whenever HTTPS is enabled — the default. Because createHttpClient() installs Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, any TLS certificate from any host is accepted, letting an on-path attacker impersonate Xiaomi FDS cloud storage endpoints and steal authentication credentials, file contents, and API responses. EPSS is very low (0.03%, 8th percentile) and there is no public exploit identified at time of analysis, but the project has reached end-of-life so no fix is expected.

Apache Google Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.

Apache Klaw
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Apache HertzBeat versions 1.7.1 through 1.8.0 contain an XPath injection vulnerability that allows authenticated attackers to manipulate XPath queries and potentially extract or modify sensitive data. An attacker with valid credentials can exploit this flaw to bypass access controls and execute arbitrary XPath expressions against the application's XML data stores. Affected users should upgrade to version 1.8.0 immediately as no patch is currently available for earlier versions.

Apache Hertzbeat
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.

Apache DNS LDAP +2
NVD
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. [CVSS 2.5 LOW]

Apache
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache Airflow 3.0.0 through 3.1.6 allows authenticated users with access to specific DAGs to view import error messages from other DAGs they lack permission to access, resulting in unintended information disclosure. An authenticated attacker can leverage this privilege escalation to gather sensitive information about other workflows and their configurations. Apache recommends upgrading to version 3.1.7 or later to remediate this vulnerability.

Apache Airflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Airflow versions up to 3.1.6 contains a vulnerability that allows attackers to an authenticated user with custom permissions limited to task access to view tas (CVSS 6.5).

Apache Airflow
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. [CVSS 5.3 MEDIUM]

macOS Apache Authentication Bypass +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Answer contains a vulnerability that allows attackers to retrieve restricted or sensitive information (CVSS 7.5).

Apache Answer Suse
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Apache XSS Syncope
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. [CVSS 7.5 HIGH]

Apache Path Traversal
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java.

Apache Java Jwt Attack +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java.

Apache Java Code Injection +1
NVD GitHub VulDB
EPSS 0%
This Week

Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.

Apache Java Integer Overflow
NVD GitHub
EPSS 38% 4.6 CVSS 9.9
CRITICAL POC THREAT Emergency

Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life.

Apache Command Injection Continuum
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. [CVSS 3.7 LOW]

Apache Deserialization
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. [CVSS 7.3 HIGH]

Apache Hadoop
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.

Windows Apache Solr +1
NVD HeroDevs
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthorized API access in Apache Solr 5.3.0 through 9.10.0 allows unauthenticated attackers to bypass the RuleBasedAuthorizationPlugin due to insufficient input validation in permission rule enforcement. This vulnerability affects only deployments using multiple roles with specific predefined permissions like config-read, config-edit, schema-read, metrics-read, or security-read without the "all" permission rule defined. Successful exploitation grants attackers unauthorized access to sensitive Solr APIs, potentially exposing configuration and security data.

Apache Solr Red Hat
NVD HeroDevs
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). [CVSS 6.5 MEDIUM]

Apache Linkis
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. [CVSS 7.5 HIGH]

Apache Linkis
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary file read vulnerability in Kafka Connect BigQuery Connector prior to version 2.11.0 allows authenticated attackers to read sensitive files by injecting malicious credential configurations through improperly validated credential_source parameters. An attacker with connector configuration privileges can exploit this to access arbitrary files on the system or perform server-side request forgery attacks against internal endpoints. No patch is currently available for affected Apache Kafka deployments.

Apache SSRF
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or la...

Apache Airflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. [CVSS 7.5 HIGH]

Apache Airflow
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Apache bRPC versions before 1.15.0 contain a remote command injection vulnerability in the heap profiler built-in service, allowing attackers to execute arbitrary OS commands.

Apache Github Command Injection +1
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Authenticated command injection in Roxy-WI versions prior to 8.2.8.2 enables attackers to execute arbitrary system commands through improper sanitization of the grep parameter in log viewing functionality. Public exploit code exists for this vulnerability, affecting users managing HAProxy, Nginx, Apache, and Keepalived servers through the web interface. A patch is available in version 8.2.8.2 and later.

Apache Nginx Command Injection +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. [CVSS 5.3 MEDIUM]

Apache Camel Red Hat
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Struts versions up to 2.2.1 is affected by improper restriction of xml external entity reference (CVSS 8.1).

Apache Struts XXE
NVD HeroDevs VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. [CVSS 8.1 HIGH]

Apache Authentication Bypass Nimble
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. [CVSS 7.5 HIGH]

Apache Null Pointer Dereference Nimble
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. [CVSS 3.1 LOW]

Apache
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. [CVSS 7.5 HIGH]

Apache Nimble
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML for...

Apache Java XXE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. [CVSS 8.8 HIGH]

Apache Kyuubi
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in specific cases could cause unintended virtual filesystem rename/move operation results. [CVSS 8.1 HIGH]

Apache Use After Free Nuttx
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. [CVSS 6.5 MEDIUM]

Apache Null Pointer Dereference Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. [CVSS 8.1 HIGH]

Apache Streampipes
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1.

Information Disclosure Kubernetes Apache +2
NVD GitHub
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

CVE-2025-58098 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure Apache Ubuntu +5
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Apache Ubuntu +5
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Apache Ubuntu +5
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Microsoft Apache SSRF +7
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Buffer Overflow Integer Overflow Apache +6
NVD GitHub
EPSS 1% CVSS 8.4
HIGH POC PATCH This Week

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.

XXE Apache Ubuntu +3
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

The SureMail - SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration.

WordPress File Upload Nginx +3
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Denial Of Service Apache Ubuntu +3
NVD GitHub HeroDevs VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options)  1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:  ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.

Denial Of Service Apache Debian +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.0.0 through 2.13.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Kvrocks
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Privilege Management vulnerability in Apache Kvrocks.9.0 through v2.13.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Kvrocks
NVD
Prev Page 6 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy