Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2025-48988 Maven HIGH PATCH This Week

A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Tomcat Denial Of Service Java Red Hat +1
NVD HeroDevs GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-48976 Maven HIGH PATCH This Week

Apache Commons FileUpload contains a Denial of Service vulnerability in multipart header processing due to insufficient resource allocation limits (CWE-770). Affected versions are 1.0 through 1.5.x and 2.0.0-M1 through 2.0.0-M3. An unauthenticated remote attacker can exploit this with a network request to cause resource exhaustion and service unavailability without requiring user interaction or elevated privileges. CVSS 7.5 (High) reflects the high availability impact; KEV and EPSS data availability would determine exploitation likelihood in the wild.

Apache Denial Of Service Java Commons Fileupload Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-47869 CRITICAL PATCH Act Now

Buffer overflow vulnerability in the Apache NuttX RTOS xmlrpc example application where device statistics structures use hardcoded buffer sizes that do not account for the CONFIG_XMLRPC_STRINGSIZE configuration parameter, allowing remote attackers to overflow memory without authentication. This affects Apache NuttX RTOS versions 6.22 through 12.8.x, with a critical CVSS score of 9.8 indicating high severity across confidentiality, integrity, and availability. The vulnerability is particularly dangerous because developers may have copied the vulnerable example code into production implementations, extending the attack surface beyond the example application itself.

Buffer Overflow Apache Nuttx
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-47868 CRITICAL PATCH Act Now

A buffer overflow vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Buffer Overflow Heap Overflow Apache Denial Of Service Nuttx
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30675 MEDIUM PATCH This Month

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.  This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.

Apache Information Disclosure Cloudstack
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-47849 HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-47713 HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Denial Of Service Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-26521 HIGH PATCH This Week

CVE-2025-26521 is a security vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Apache Information Disclosure Kubernetes Privilege Escalation Cloudstack
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-27819 Maven HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Denial Of Service Apache Java RCE Authentication Bypass +3
NVD GitHub HeroDevs
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-27818 Maven HIGH PATCH This Week

A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Deserialization Java Apache LDAP RCE +3
NVD GitHub HeroDevs
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-27817 Maven HIGH POC PATCH THREAT Act Now

A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.

Apache SSRF Kafka Red Hat Suse
NVD HeroDevs GitHub
CVSS 3.1
7.5
EPSS
17.5%
CVE-2025-49127 HIGH This Week

Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.

Deserialization RCE Apache
NVD GitHub
CVSS 4.0
8.9
EPSS
1.0%
CVE-2025-27531 Maven CRITICAL PATCH Act Now

Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.

Deserialization Apache Java Information Disclosure Inlong
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-48866 HIGH POC PATCH This Week

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Apache Denial Of Service Nginx Modsecurity Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-48912 PyPI HIGH PATCH This Month

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Authentication Bypass Superset
NVD
CVSS 4.0
7.1
EPSS
0.5%
CVE-2025-46701 Maven HIGH PATCH This Month

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat Red Hat Suse
NVD HeroDevs
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-48471 HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache RCE File Upload Freescout
NVD GitHub
CVSS 4.0
7.0
EPSS
2.9%
CVE-2024-47056 PHP MEDIUM PATCH This Month

SummaryThis advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Nginx Apache Information Disclosure
NVD GitHub
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-48734 Maven HIGH PATCH This Month

Improper Access Control vulnerability in Apache Commons. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Authentication Bypass Java Commons Beanutils +2
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-27528 Maven CRITICAL PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-27526 Maven MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-27522 Maven MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-35003 CRITICAL POC Act Now

Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Buffer Overflow RCE Denial Of Service Nuttx
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-47947 HIGH POC PATCH This Month

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache Denial Of Service Modsecurity Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-47436 MEDIUM This Month

Heap-based Buffer Overflow vulnerability in Apache ORC. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Apache Orc
NVD
CVSS 4.0
6.0
EPSS
0.3%
CVE-2025-26864 LIB HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.10.0 through 1.3.3, from 2.0.1-beta. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-26795 Maven HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.10.0 through 1.3.3, from 2.0.1-beta before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-24780 LIB CRITICAL PATCH Act Now

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Code Injection Iotdb
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2025-30207 PHP LOW PATCH Monitor

Kirby is an open-source content management system. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Nginx Apache PHP Path Traversal Kirby
NVD GitHub
CVSS 4.0
2.3
EPSS
0.6%
CVE-2025-27696 PyPI MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-46392 Maven MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Java Denial Of Service Commons Configuration Red Hat +1
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-27533 Maven MEDIUM POC PATCH This Month

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Denial Of Service Activemq Red Hat
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
2.3%
CVE-2025-46762 Maven HIGH PATCH This Week

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Parquet Red Hat
NVD
CVSS 4.0
7.1
EPSS
0.4%
CVE-2025-3891 HIGH PATCH This Week

A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server Enterprise Linux Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-31651 Maven CRITICAL PATCH Act Now

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat Red Hat Suse
NVD HeroDevs
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31650 Maven HIGH POC PATCH THREAT Act Now

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.3%.

Apache Tomcat Denial Of Service Red Hat Suse
NVD Exploit-DB HeroDevs
CVSS 3.1
7.5
EPSS
20.3%
CVE-2025-27820 Maven HIGH PATCH This Week

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Httpclient Ontap Tools Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-26413 HIGH This Week

Improper Input Validation vulnerability in Apache Kvrocks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Kvrocks
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2025-29953 NuGet CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.1.1 when performing connections to untrusted servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Activemq Nms Openwire
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-3790 MEDIUM POC This Month

A vulnerability classified as critical has been found in baseweb JSite 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apache Jsite
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2024-56736 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.7.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Hertzbeat
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-24859 LOW Monitor

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Roller
NVD
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-27391 Maven MEDIUM PATCH This Month

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Apache Activemq Artemis
NVD
CVSS 4.0
6.8
EPSS
0.3%
CVE-2025-31672 Maven MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache POI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Poi Active Iq Unified Manager Red Hat
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2025-30677 Maven MEDIUM PATCH This Month

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Pulsar
NVD
CVSS 4.0
6.3
EPSS
0.3%
CVE-2025-30473 PyPI HIGH PATCH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache SQLi Airflow Common Sql Provider
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-31492 HIGH PATCH This Week

mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
8.2
EPSS
0.6%
CVE-2024-53868 HIGH This Week

Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling Traffic Server
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2025-30676 MEDIUM PATCH This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.12.19. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XSS Ofbiz
NVD
CVSS 3.1
6.1
EPSS
2.9%
CVE-2025-30177 Maven MEDIUM PATCH This Month

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Camel Red Hat
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-30065 Maven CRITICAL POC PATCH Act Now

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache RCE Deserialization Parquet Java Red Hat
NVD GitHub
CVSS 4.0
10.0
EPSS
0.5%
CVE-2025-29868 Go MEDIUM PATCH This Month

Private Data Structure Returned From A Public Method vulnerability in Apache Answer.4.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Answer Suse
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2025-27427 Maven LOW PATCH Monitor

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Activemq Artemis
NVD
CVSS 4.0
2.3
EPSS
0.7%
CVE-2025-3022 CRITICAL Act Now

Os command injection vulnerability in e-solutions e-management. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Apache PHP
NVD
CVSS 4.0
9.3
EPSS
1.6%
CVE-2025-30067 Maven HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Code Injection Kylin
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2024-48944 Maven MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Kylin
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-53679 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Vcl
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2024-53678 MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Vcl
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-30474 Maven MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable.

Apache Information Disclosure Commons Vfs Suse
NVD
CVSS 3.1
5.0
EPSS
0.2%
CVE-2025-27553 Maven HIGH PATCH This Week

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Commons Vfs Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-26796 Maven MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Oozie
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2025-27888 Maven MEDIUM POC PATCH This Month

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect Apache XSS SSRF Druid
NVD
CVSS 4.0
5.8
EPSS
1.0%
CVE-2024-54016 Maven MEDIUM PATCH This Month

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating).2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Seata
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-47552 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).0.0 before 2.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-27018 PyPI MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Apache Airflow Providers Mysql
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2024-8510 MEDIUM This Month

N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Path Traversal N Central
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-27017 Maven MEDIUM PATCH This Month

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Nifi
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-27867 Maven MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin.X through 1.2.0. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache XSS Felix Http Webconsole Plugin
NVD
CVSS 3.1
5.6
EPSS
0.4%
CVE-2025-29891 Maven MEDIUM POC PATCH This Month

Bypass/Injection vulnerability in Apache Camel.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Camel Red Hat
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-24813 Maven CRITICAL POC KEV PATCH THREAT CERT-EU Act Now

A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2.

Apache RCE Information Disclosure Red Hat Suse
NVD GitHub HeroDevs Exploit-DB
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2025-26865 LOW PATCH Monitor

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. [CVSS 3.5 LOW]

Apache
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2025-27636 Maven MEDIUM POC PATCH THREAT This Month

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 47.8%.

Microsoft Apache Authentication Bypass Java Camel +1
NVD GitHub
CVSS 3.1
5.6
EPSS
47.8%
CVE-2024-56196 MEDIUM This Month

Improper Access Control vulnerability in Apache Traffic Server.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Traffic Server
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2024-56195 MEDIUM This Month

Improper Access Control vulnerability in Apache Traffic Server.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Traffic Server
NVD
CVSS 3.1
6.3
EPSS
0.6%
CVE-2024-38311 MEDIUM This Month

Improper Input Validation vulnerability in Apache Traffic Server.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
CVSS 3.1
6.3
EPSS
0.7%
CVE-2024-56202 MEDIUM This Month

Expected Behavior Violation vulnerability in Apache Traffic Server.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-55532 Maven CRITICAL PATCH Act Now

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Ranger
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-24778 LIB MEDIUM PATCH This Month

Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know.95.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Streampipes
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-13869 HIGH POC PATCH THREAT Act Now

The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%.

Nginx File Upload Apache RCE WordPress +1
NVD GitHub
CVSS 3.1
7.2
EPSS
10.7%
CVE-2025-1075 MEDIUM This Month

Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible. Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Apache Checkmk
NVD
CVSS 4.0
5.6
EPSS
0.1%
CVE-2024-56180 Maven CRITICAL PATCH Act Now

g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Apache Deserialization Eventmesh Windows +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2024-52577 Maven CRITICAL PATCH Act Now

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization Ignite Red Hat
NVD
CVSS 4.0
9.5
EPSS
2.6%
CVE-2025-26511 Maven HIGH PATCH This Week

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-46910 Maven HIGH PATCH This Week

An authenticated user can perform XSS and potentially impersonate another user.3.0 and earlier. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Atlas
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2024-32838 CRITICAL Act Now

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
CVSS 4.0
9.4
EPSS
0.1%
CVE-2025-25247 Maven MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.x up to 4.9.8 and 5.x up to 5.0.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Felix Webconsole Red Hat
NVD
CVSS 3.1
6.1
EPSS
2.2%
CVE-2025-25069 MEDIUM PATCH This Month

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Redis Kvrocks Suse
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-31764 HIGH This Week

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database.0.1 and prior versions. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Shardingsphere Elasticjob Ui
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-45626 Maven MEDIUM PATCH This Month

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service James Server
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-37358 Maven HIGH PATCH This Week

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service James Server
NVD
CVSS 3.1
8.6
EPSS
0.8%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Tomcat Denial Of Service +3
NVD HeroDevs GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Apache Commons FileUpload contains a Denial of Service vulnerability in multipart header processing due to insufficient resource allocation limits (CWE-770). Affected versions are 1.0 through 1.5.x and 2.0.0-M1 through 2.0.0-M3. An unauthenticated remote attacker can exploit this with a network request to cause resource exhaustion and service unavailability without requiring user interaction or elevated privileges. CVSS 7.5 (High) reflects the high availability impact; KEV and EPSS data availability would determine exploitation likelihood in the wild.

Apache Denial Of Service Java +3
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Buffer overflow vulnerability in the Apache NuttX RTOS xmlrpc example application where device statistics structures use hardcoded buffer sizes that do not account for the CONFIG_XMLRPC_STRINGSIZE configuration parameter, allowing remote attackers to overflow memory without authentication. This affects Apache NuttX RTOS versions 6.22 through 12.8.x, with a critical CVSS score of 9.8 indicating high severity across confidentiality, integrity, and availability. The vulnerability is particularly dangerous because developers may have copied the vulnerable example code into production implementations, extending the attack surface beyond the example application itself.

Buffer Overflow Apache Nuttx
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A buffer overflow vulnerability (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

Buffer Overflow Heap Overflow Apache +2
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.  This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.

Apache Information Disclosure Cloudstack
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A privilege escalation vulnerability in Apache CloudStack (CVSS 8.8) that allows the attacker. High severity vulnerability requiring prompt remediation.

Apache Privilege Escalation Denial Of Service +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

CVE-2025-26521 is a security vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Apache Information Disclosure Kubernetes +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A remote code execution vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Denial Of Service Apache Java +5
NVD GitHub HeroDevs
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A remote code execution vulnerability in A possible security vulnerability (CVSS 8.8). High severity vulnerability requiring prompt remediation.

Deserialization Java Apache +5
NVD GitHub HeroDevs
EPSS 17% CVSS 7.5
HIGH POC PATCH THREAT Act Now

A SSRF vulnerability in A possible arbitrary file read and SSRF vulnerability (CVSS 7.5) that allows clients. Risk factors: EPSS 17% exploitation probability.

Apache SSRF Kafka +2
NVD HeroDevs GitHub
EPSS 1% CVSS 8.9
HIGH This Week

Kafbat UI version 1.0.0 contains an unsafe deserialization vulnerability (CWE-502) that allows unauthenticated remote attackers to execute arbitrary code on affected servers with no user interaction required. This is a critical pre-authentication RCE affecting Kafka cluster management infrastructure. The vulnerability has a CVSS score of 8.9 with high impact across confidentiality, integrity, and availability; patch is available in version 1.1.0.

Deserialization RCE Apache
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.

Deserialization Apache Java +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

ModSecurity versions prior to 2.9.10 contain a denial of service vulnerability in the `sanitiseArg` and `sanitizeArg` actions that allows unauthenticated remote attackers to cause service disruption by submitting requests with an excessive number of arguments. This is a network-accessible DoS vulnerability with high impact on availability that affects widely-deployed WAF deployments across Apache, IIS, and Nginx platforms.

Apache Denial Of Service Nginx +3
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Month

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Authentication Bypass +1
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Month

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat +2
NVD HeroDevs
EPSS 3% CVSS 7.0
HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

SummaryThis advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Nginx Apache Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

Improper Access Control vulnerability in Apache Commons. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Authentication Bypass +4
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Deserialization of Untrusted Data vulnerability in Apache InLong.13.0 through 2.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization Inlong
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Buffer Overflow RCE +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Month

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Apache Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM This Month

Heap-based Buffer Overflow vulnerability in Apache ORC. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Apache +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB.10.0 through 1.3.3, from 2.0.1-beta. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver.10.0 through 1.3.3, from 2.0.1-beta before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Iotdb
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Code Injection +1
NVD
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Kirby is an open-source content management system. Rated low severity (CVSS 2.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Nginx Apache PHP +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.1.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Superset
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Java Denial Of Service +3
NVD
EPSS 2% CVSS 6.9
MEDIUM POC PATCH This Month

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Apache Denial Of Service Activemq +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache RCE Parquet +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Tomcat +2
NVD HeroDevs
EPSS 20% CVSS 7.5
HIGH POC PATCH THREAT Act Now

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.3%.

Apache Tomcat Denial Of Service +2
NVD Exploit-DB HeroDevs
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Apache Httpclient +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Improper Input Validation vulnerability in Apache Kvrocks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Kvrocks
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.1.1 when performing connections to untrusted servers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +1
NVD
EPSS 0% CVSS 6.9
MEDIUM POC This Month

A vulnerability classified as critical has been found in baseweb JSite 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apache Jsite
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.7.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Hertzbeat
NVD
EPSS 0% CVSS 2.1
LOW Monitor

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Roller
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Apache Activemq Artemis
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Improper Input Validation vulnerability in Apache POI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Poi +2
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Apache Pulsar contains multiple connectors for integrating with Apache Kafka. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Pulsar
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache SQLi Airflow Common Sql Provider
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Red Hat +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

Apache Traffic Server allows request smuggling if chunked messages are malformed.2.0 through 9.2.9, from 10.0.0 through 10.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling +1
NVD
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz.12.19. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XSS Ofbiz
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Camel +1
NVD
EPSS 1% CVSS 10.0
CRITICAL POC PATCH Act Now

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code Users are recommended to upgrade to version 1.15.1, which fixes. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache RCE Deserialization +2
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Private Data Structure Returned From A Public Method vulnerability in Apache Answer.4.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Answer +1
NVD
EPSS 1% CVSS 2.3
LOW PATCH Monitor

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Activemq Artemis
NVD
EPSS 2% CVSS 9.3
CRITICAL Act Now

Os command injection vulnerability in e-solutions e-management. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Apache PHP
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Code Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Kylin
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Vcl
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Vcl
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable.

Apache Information Disclosure Commons Vfs +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Commons Vfs +2
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Oozie
NVD
EPSS 1% CVSS 5.8
MEDIUM POC PATCH This Month

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Open Redirect Apache XSS +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating).2.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Seata
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).0.0 before 2.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Apache Airflow Providers Mysql
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

N-central is vulnerable to a path traversal that allows unintended access to the Apache Tomcat WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Path Traversal +1
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Nifi
NVD
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin.X through 1.2.0. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache XSS Felix Http Webconsole Plugin
NVD
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Bypass/Injection vulnerability in Apache Camel.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Apache Authentication Bypass Camel +1
NVD GitHub
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

A critical path equivalence vulnerability in Apache Tomcat's Default Servlet allows unauthenticated remote code execution through specially crafted PUT requests using internal dot notation in filenames. With EPSS of 94% and active exploitation in the wild, this represents one of the most dangerous Tomcat vulnerabilities in recent years, affecting versions 9.0.0-9.0.98, 10.1.0-10.1.34, and 11.0.0-11.0.2.

Apache RCE Information Disclosure +2
NVD GitHub HeroDevs Exploit-DB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. [CVSS 3.5 LOW]

Apache
NVD
EPSS 48% CVSS 5.6
MEDIUM POC PATCH THREAT This Month

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 47.8%.

Microsoft Apache Authentication Bypass +3
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Improper Access Control vulnerability in Apache Traffic Server.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Traffic Server
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Improper Access Control vulnerability in Apache Traffic Server.2.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Traffic Server
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Improper Input Validation vulnerability in Apache Traffic Server.0.0 through 8.1.11, from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Expected Behavior Violation vulnerability in Apache Traffic Server.0.0 through 9.2.8, from 10.0.0 through 10.0.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Traffic Server
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Ranger
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know.95.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Streampipes
NVD
EPSS 11% CVSS 7.2
HIGH POC PATCH THREAT Act Now

The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.7%.

Nginx File Upload Apache +3
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM This Month

Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible. Rated medium severity (CVSS 5.6), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Apache Checkmk
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

g. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Apache Deserialization +3
NVD
EPSS 3% CVSS 9.5
CRITICAL PATCH Act Now

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache RCE Deserialization +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

An authenticated user can perform XSS and potentially impersonate another user.3.0 and earlier. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Atlas
NVD
EPSS 0% CVSS 9.4
CRITICAL Act Now

SQL Injection vulnerability in various API endpoints - offices, dashboards, etc. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SQLi Fineract
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole.x up to 4.9.8 and 5.x up to 5.0.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Felix Webconsole +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Redis +2
NVD
EPSS 0% CVSS 8.5
HIGH This Week

The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database.0.1 and prior versions. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Apache Shardingsphere Elasticjob Ui
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service James Server
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service James Server
NVD
Prev Page 8 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy