Apache
Monthly
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Reflected cross-site scripting vulnerability in Apache OFBiz.09.03. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.09.03. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas.1.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links to other files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.
ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.
Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.
Rejected reason: Further research determined the issue is not an independent vulnerability as it originates from Apache Felix. No vendor patch available.
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions.9.0 before 3.9.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Apache IoTDB.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Openfire is an XMPP server licensed under the Open Source Apache License. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 49.3%.
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required.
SQL Injection vulnerability in Apache StreamPark.1.4 before 2.1.6. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Apache Superset contains an improper access control vulnerability in its /explore endpoint. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.12.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kloxo versions 6.1.12 and earlier contain two setuid root binaries-lxsuexec and lxrestart-that allow local privilege escalation from uid 48. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Apache Jackrabbit versions prior to 2.23.2 contain blind XXE (XML External Entity) vulnerabilities in jackrabbit-spi-commons and jackrabbit-core components due to unsafe XML document parsing when loading privilege definitions. An authenticated attacker with low privileges can exploit this to achieve high-impact confidentiality, integrity, and availability compromise. The vulnerability requires user authentication (PR:L) but has no interaction requirement and affects all systems regardless of scope.
CVE-2024-41169 is an unauthenticated information disclosure vulnerability in Apache Zeppelin's raft server protocol that allows remote attackers to enumerate and view server resources, including sensitive directories and files, without authentication. Versions 0.10.1 through 0.12.0 are affected. The vulnerability has a CVSS score of 7.5 (High) with a network-accessible attack vector and no authentication requirements, making it trivially exploitable by unauthenticated remote actors.
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL version 8.5.0 through 8.5.100, requiring only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated as Network/Low complexity, this represents a significant availability risk for unpatched deployments.
Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.
CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (use-after-free) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with network-accessible attack vector and low attack complexity, making it easily exploitable without authentication. Affected organizations running vulnerable Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.
CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.
CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.
CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.
CVE-2024-47252 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.
CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.
HTTP response splitting vulnerability in Apache HTTP Server core allows network-based attackers without authentication to inject arbitrary HTTP headers and content into responses by manipulating Content-Type headers in proxied or hosted applications, potentially enabling cache poisoning, session hijacking, or XSS attacks. Affects Apache HTTP Server versions prior to 2.4.64, with a critical note that the initial patch in 2.4.59 was incomplete. This is a regression/incomplete fix of CVE-2023-38709, indicating patch evasion and suggesting active exploitation interest.
Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.
The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in versions 2.9.8 to (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
CVE-2025-46647 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
Vulnerability in fusionforge in the shipped Apache configuration, where the web server may execute scripts that the users would have uploaded in their raw SCM repositories (SVN, Git, Bzr...). This issue affects fusionforge: before 5.3+20140506.
Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.
# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.
The ESI (Edge Side Includes) plugin in Apache Traffic Server lacks enforcement of maximum inclusion depth limits, allowing attackers to craft malicious ESI instructions that trigger excessive recursive inclusions and cause denial-of-service through memory exhaustion. This vulnerability affects Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.5, with a CVSS score of 7.5 indicating high availability impact. The vulnerability is remotely exploitable without authentication and can be mitigated by upgrading to patched versions (9.2.11 or 10.0.6) or configuring the new --max-inclusion-depth setting.
CVE-2025-31698 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.
A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking.2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Reflected cross-site scripting vulnerability in Apache OFBiz.09.03. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Apache OFBiz.09.03. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas.1.15. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links to other files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache OpenOffice documents can contain links. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.
ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. Attackers can craft malicious URLs that inject escape sequences into Tomcat logs, potentially manipulating console output and clipboard contents to trick administrators into executing attacker-controlled commands. This affects Tomcat 9.0.40-9.0.108, 10.1.0-M1-10.1.44, and 11.0.0-M1-11.0.10, with highest risk when Tomcat runs in ANSI-capable Windows consoles. Despite the 9.6 CVSS score, real-world risk is lower as exploitation requires user interaction (administrator viewing logs in console), scope change indicating console compromise beyond Tomcat process, and specific Windows deployment configuration. No active exploitation confirmed (not in CISA KEV), and EPSS data not available at time of analysis.
Path traversal in Apache Tomcat versions 9.x through 11.x allows authenticated attackers to bypass security constraints protecting /WEB-INF/ and /META-INF/ directories when URL rewriting rules manipulate query parameters. Successful exploitation combined with enabled PUT requests enables remote code execution through malicious file upload. Apache Security Team confirms publicly available exploit code exists. The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs before decoding, creating an exploitable window in specific rewrite configurations.
Rejected reason: Further research determined the issue is not an independent vulnerability as it originates from Apache Felix. No vendor patch available.
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Knowage is an open source analytics and business intelligence suite. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions.9.0 before 3.9.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache IoTDB.0.0 before 2.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability in Apache IoTDB.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Openfire is an XMPP server licensed under the Open Source Apache License. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Default Permissions vulnerability in Apache DolphinScheduler.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache DolphinScheduler. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 49.3%.
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required.
SQL Injection vulnerability in Apache StreamPark.1.4 before 2.1.6. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Apache Superset contains an improper access control vulnerability in its /explore endpoint. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Session Fixation vulnerability in Apache Tomcat via rewrite valve.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Input Validation vulnerability in Apache Zeppelin. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.12.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kloxo versions 6.1.12 and earlier contain two setuid root binaries-lxsuexec and lxrestart-that allow local privilege escalation from uid 48. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Apache Jackrabbit versions prior to 2.23.2 contain blind XXE (XML External Entity) vulnerabilities in jackrabbit-spi-commons and jackrabbit-core components due to unsafe XML document parsing when loading privilege definitions. An authenticated attacker with low privileges can exploit this to achieve high-impact confidentiality, integrity, and availability compromise. The vulnerability requires user authentication (PR:L) but has no interaction requirement and affects all systems regardless of scope.
CVE-2024-41169 is an unauthenticated information disclosure vulnerability in Apache Zeppelin's raft server protocol that allows remote attackers to enumerate and view server resources, including sensitive directories and files, without authentication. Versions 0.10.1 through 0.12.0 are affected. The vulnerability has a CVSS score of 7.5 (High) with a network-accessible attack vector and no authentication requirements, making it trivially exploitable by unauthenticated remote actors.
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.
A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL version 8.5.0 through 8.5.100, requiring only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated as Network/Low complexity, this represents a significant availability risk for unpatched deployments.
Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.
CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (use-after-free) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with network-accessible attack vector and low attack complexity, making it easily exploitable without authentication. Affected organizations running vulnerable Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.
CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.
CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.
CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.
CVE-2024-47252 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.
CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.
HTTP response splitting vulnerability in Apache HTTP Server core allows network-based attackers without authentication to inject arbitrary HTTP headers and content into responses by manipulating Content-Type headers in proxied or hosted applications, potentially enabling cache poisoning, session hijacking, or XSS attacks. Affects Apache HTTP Server versions prior to 2.4.64, with a critical note that the initial patch in 2.4.59 was incomplete. This is a regression/incomplete fix of CVE-2023-38709, indicating patch evasion and suggesting active exploitation interest.
Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.
The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in versions 2.9.8 to (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
CVE-2025-46647 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).
Vulnerability in fusionforge in the shipped Apache configuration, where the web server may execute scripts that the users would have uploaded in their raw SCM repositories (SVN, Git, Bzr...). This issue affects fusionforge: before 5.3+20140506.
Apache Airflow Providers Snowflake versions before 6.4.0 contain a Special Element Injection vulnerability (CWE-75) in the CopyFromExternalStageToSnowflakeOperator that fails to properly sanitize table and stage parameters, allowing unauthenticated attackers to execute arbitrary SQL injection attacks with complete system compromise (CVSS 9.8). This is a critical remote vulnerability requiring network access only, with no authentication or user interaction needed, making it a high-priority patch regardless of KEV/EPSS status.
# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.
The ESI (Edge Side Includes) plugin in Apache Traffic Server lacks enforcement of maximum inclusion depth limits, allowing attackers to craft malicious ESI instructions that trigger excessive recursive inclusions and cause denial-of-service through memory exhaustion. This vulnerability affects Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.5, with a CVSS score of 7.5 indicating high availability impact. The vulnerability is remotely exploitable without authentication and can be mitigated by upgrading to patched versions (9.2.11 or 10.0.6) or configuring the new --max-inclusion-depth setting.
CVE-2025-31698 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.
A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.