Skip to main content

Apache

2550 CVEs vendor

Monthly

CVE-2024-48019 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Doris
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2025-24860 Maven MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Cassandra Red Hat
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-27137 Maven MEDIUM PATCH This Month

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Java Cassandra Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-23015 Maven HIGH PATCH This Week

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Cassandra Red Hat
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-13504 HIGH This Month

The Shared Files - Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dfxp File uploads in all versions up to, and including, 1.7.42. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress Apache XSS
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2024-23953 Maven MEDIUM POC PATCH This Week

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Apache Hive
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2025-24783 Maven HIGH This Month

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Cocoon
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2025-24814 Maven MEDIUM PATCH This Month

Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Solr Red Hat
NVD
CVSS 3.1
5.5
EPSS
0.8%
CVE-2024-52012 Maven MEDIUM PATCH This Month

Relative Path Traversal vulnerability in Apache Solr. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.5% and no vendor patch available.

Microsoft Apache Path Traversal Solr Windows
NVD
CVSS 3.1
5.4
EPSS
13.5%
CVE-2024-53299 Maven MEDIUM PATCH This Month

The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Wicket
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-45479 Maven CRITICAL PATCH This Week

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Ranger
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-45478 Maven MEDIUM PATCH Monitor

Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Ranger
NVD
CVSS 3.1
4.8
EPSS
0.7%
CVE-2025-23184 Maven MEDIUM PATCH This Month

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Denial Of Service Cxf Red Hat
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-45627 Maven MEDIUM PATCH This Month

In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Path Traversal Linkis
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-22828 MEDIUM Monitor

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.4% and no vendor patch available.

Information Disclosure Apache Cloudstack
NVD
CVSS 3.1
4.3
EPSS
18.4%
CVE-2024-54676 Maven CRITICAL PATCH This Week

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Openmeetings
NVD
CVSS 3.1
9.8
EPSS
6.1%
CVE-2024-45033 PyPI HIGH PATCH This Month

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.5.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Apache Airflow Providers Fab
NVD GitHub
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-56512 Maven LOW POC PATCH Monitor

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 4.0
2.1
EPSS
3.1%
CVE-2024-52046 Maven CRITICAL PATCH Act Now

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Mina
NVD
CVSS 4.0
10.0
EPSS
23.9%
CVE-2024-43441 Maven CRITICAL POC PATCH THREAT Act Now

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server.0.0 before 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Hugegraph
NVD
CVSS 3.1
9.8
EPSS
69.7%
CVE-2024-45387 Go HIGH PATCH This Week

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Traffic Control
NVD
CVSS 3.1
8.8
EPSS
41.8%
CVE-2024-23945 Maven MEDIUM POC PATCH This Month

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Hive Spark
NVD GitHub
CVSS 3.1
5.9
EPSS
1.5%
CVE-2024-56337 Maven CRITICAL PATCH Act Now

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Java Information Disclosure Bootstrap Os
NVD
CVSS 3.1
9.8
EPSS
8.9%
CVE-2024-56128 Maven MEDIUM PATCH This Month

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Microsoft Kafka
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2024-54677 Maven MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Bootstrap Os
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2024-50379 Maven CRITICAL PATCH Act Now

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure Bootstrap Os
NVD
CVSS 3.1
9.8
EPSS
44.3%
CVE-2024-55633 PyPI HIGH PATCH This Week

Improper Authorization vulnerability in Apache Superset. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache PostgreSQL Superset
NVD
CVSS 4.0
7.1
EPSS
2.6%
CVE-2024-53677 Maven CRITICAL PATCH Act Now

File upload logic in Apache Struts is flawed. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian RCE Apache File Upload Struts
NVD
CVSS 4.0
9.5
EPSS
78.2%
CVE-2024-53949 PyPI HIGH PATCH This Week

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
CVSS 4.0
7.6
EPSS
0.7%
CVE-2024-53948 PyPI MEDIUM PATCH This Month

Generation of Error Message Containing analytics metadata Information in Apache Superset.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
CVSS 4.0
5.3
EPSS
0.8%
CVE-2024-53947 PyPI LOW PATCH Monitor

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache PostgreSQL Superset
NVD
CVSS 4.0
2.3
EPSS
0.8%
CVE-2024-53703 HIGH This Week

A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions mod_httprp library loaded by the Apache web server allows remote attackers to cause Stack-based buffer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Stack Overflow Sonicwall RCE Apache +5
NVD
CVSS 3.1
8.1
EPSS
12.7%
CVE-2024-45106 Maven HIGH PATCH This Week

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Ozone
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-52338 PyPI CRITICAL PATCH Act Now

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Apache Python Arrow
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2024-51569 HIGH PATCH This Week

Out-of-bounds Read vulnerability in Apache NimBLE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Apache Information Disclosure Nimble
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-47250 MEDIUM PATCH This Month

Out-of-bounds Read vulnerability in Apache NimBLE. Rated medium severity (CVSS 5.0), this vulnerability is no authentication required.

Buffer Overflow Apache Information Disclosure Nimble
NVD GitHub
CVSS 3.1
5.0
EPSS
0.7%
CVE-2024-47249 MEDIUM PATCH This Month

Improper Validation of Array Index vulnerability in Apache NimBLE. Rated medium severity (CVSS 5.0), this vulnerability is no authentication required.

Buffer Overflow Apache Nimble
NVD GitHub
CVSS 3.1
5.0
EPSS
0.6%
CVE-2024-47248 MEDIUM PATCH This Month

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Apache NimBLE. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Apache Nimble
NVD GitHub
CVSS 3.1
6.3
EPSS
0.7%
CVE-2024-45719 Go LOW PATCH Monitor

Inadequate Encryption Strength vulnerability in Apache Answer.4.0. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Apache Information Disclosure Answer
NVD
CVSS 3.1
2.6
EPSS
0.2%
CVE-2024-52067 Maven MEDIUM PATCH This Month

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
CVSS 4.0
6.9
EPSS
0.7%
CVE-2024-31141 Maven MEDIUM PATCH This Month

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Kafka
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-52318 Maven MEDIUM PATCH This Month

Incorrect object recycling and reuse vulnerability in Apache Tomcat.0.0, 10.1.31, 9.0.96. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
1.7%
CVE-2024-52317 Maven MEDIUM PATCH This Month

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
2.0%
CVE-2024-52316 Maven CRITICAL PATCH Act Now

Unchecked Error Condition vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass Debian Linux
NVD
CVSS 3.1
9.8
EPSS
6.3%
CVE-2024-48962 HIGH This Week

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Apache CSRF RCE Ofbiz
NVD
CVSS 4.0
8.9
EPSS
0.6%
CVE-2024-47208 CRITICAL Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Code Injection Apache RCE Ofbiz
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2024-45791 HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.6.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Hertzbeat
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-45505 HIGH This Week

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2024-41151 HIGH This Week

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-45784 PyPI HIGH PATCH This Week

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2024-50386 CRITICAL Act Now

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Cloudstack
NVD
CVSS 3.1
9.9
EPSS
1.4%
CVE-2024-38286 Maven HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service Ontap Tools
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2024-23590 Maven CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure Kylin
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-43383 NuGet HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache Authentication Bypass Lucene Net
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2024-45477 Maven MEDIUM PATCH This Month

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
CVSS 3.1
4.6
EPSS
0.6%
CVE-2024-45693 HIGH This Week

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Information Disclosure Cloudstack
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-45462 HIGH This Week

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Cloudstack
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-45461 MEDIUM This Month

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Cloudstack
NVD
CVSS 3.1
6.3
EPSS
0.7%
CVE-2024-45219 HIGH This Week

Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Apache Denial Of Service Cloudstack
NVD
CVSS 3.1
8.5
EPSS
1.2%
CVE-2024-45217 Maven HIGH PATCH This Week

Insecure Default Initialization of Resource vulnerability in Apache Solr. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Solr
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2024-45216 Maven CRITICAL POC PATCH THREAT Act Now

Improper Authentication vulnerability in Apache Solr. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Solr
NVD
CVSS 3.1
9.8
EPSS
90.7%
CVE-2023-50780 Maven HIGH PATCH This Week

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Artemis
NVD VulDB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2024-46911 MEDIUM This Month

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache CSRF Roller
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-28168 Maven HIGH PATCH This Week

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Formatting Objects Processor
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-47554 Maven MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Io Active Iq Unified Manager Bluexp +5
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2024-47561 Maven CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Avro +2
NVD
CVSS 4.0
9.2
EPSS
3.3%
CVE-2024-45772 Maven HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.4.0 before 9.12.0. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apache Java Lucene Replicator
NVD
CVSS 3.1
8.0
EPSS
0.6%
CVE-2024-40761 Go MEDIUM PATCH This Month

Inadequate Encryption Strength vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-23454 Maven MEDIUM PATCH This Month

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
CVSS 3.1
6.2
EPSS
0.4%
CVE-2024-39928 Maven HIGH PATCH This Week

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Linkis
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-37779 HIGH This Week

WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-46544 MEDIUM This Month

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Tomcat Apache Information Disclosure Denial Of Service +3
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2024-42323 HIGH This Week

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
CVSS 3.1
8.8
EPSS
4.1%
CVE-2024-45537 Maven MEDIUM PATCH This Month

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Druid
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-45384 Maven MEDIUM PATCH This Month

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Oracle Druid
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2024-22399 Maven CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
CVSS 3.1
9.8
EPSS
3.3%
CVE-2024-8646 Maven MEDIUM PATCH This Month

In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Glassfish
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-45498 PyPI HIGH PATCH This Week

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-45034 PyPI HIGH PATCH This Week

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Airflow
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-7923 CRITICAL Act Now

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Satellite
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-7012 CRITICAL Act Now

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Satellite
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-45507 CRITICAL POC PATCH THREAT Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.16. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Code Injection Apache RCE Ofbiz
NVD
CVSS 3.1
9.8
EPSS
93.2%
CVE-2024-45195 HIGH POC KEV THREAT This Week

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.12.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Ofbiz
NVD
CVSS 3.1
7.5
EPSS
100.0%
CVE-2024-45623 CRITICAL Act Now

D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

D-Link Buffer Overflow PHP Code Injection Apache +1
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-43804 HIGH POC This Week

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Command Injection Nginx Roxy Wi
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2024-5725 HIGH PATCH This Week

Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Apache RCE Centreon Web
NVD
CVSS 3.1
8.8
EPSS
47.6%
CVE-2024-5723 HIGH This Week

Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache RCE Centreon Web
NVD
CVSS 3.1
8.8
EPSS
40.7%
CVE-2024-41937 PyPI MEDIUM PATCH This Month

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
CVSS 3.1
6.1
EPSS
1.8%
CVE-2024-22281 Maven HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Helix
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-38175 HIGH This Week

An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Microsoft Azure Managed Instance For Apache Cassandra
NVD
CVSS 3.1
8.8
EPSS
0.8%
EPSS 1% CVSS 5.4
MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Path Traversal Doris
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Authentication Bypass Cassandra +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Authentication Bypass Java +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Privilege Escalation Cassandra +1
NVD
EPSS 0% CVSS 7.2
HIGH This Month

The Shared Files - Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dfxp File uploads in all versions up to, and including, 1.7.42. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress Apache +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Week

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Apache Hive
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Month

** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Cocoon
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Solr +1
NVD
EPSS 13% CVSS 5.4
MEDIUM PATCH This Month

Relative Path Traversal vulnerability in Apache Solr. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.5% and no vendor patch available.

Microsoft Apache Path Traversal +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Wicket
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH This Week

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Apache Ranger
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH Monitor

Stored XSS vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Ranger
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Apache Denial Of Service Cxf +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Path Traversal +1
NVD
EPSS 18% CVSS 4.3
MEDIUM Monitor

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 18.4% and no vendor patch available.

Information Disclosure Apache Cloudstack
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH This Week

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Openmeetings
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Month

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.5.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Apache Apache Airflow Providers Fab
NVD GitHub
EPSS 3% CVSS 2.1
LOW POC PATCH Monitor

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
EPSS 24% CVSS 10.0
CRITICAL PATCH Act Now

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache +2
NVD
EPSS 70% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server.0.0 before 1.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Hugegraph
NVD
EPSS 42% CVSS 8.8
HIGH PATCH This Week

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Traffic Control
NVD
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Apache Information Disclosure Hive +1
NVD GitHub
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Java +2
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Microsoft +1
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +1
NVD
EPSS 44% CVSS 9.8
CRITICAL PATCH Act Now

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure +1
NVD
EPSS 3% CVSS 7.1
HIGH PATCH This Week

Improper Authorization vulnerability in Apache Superset. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache PostgreSQL +1
NVD
EPSS 78% CVSS 9.5
CRITICAL PATCH Act Now

File upload logic in Apache Struts is flawed. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Atlassian RCE Apache +2
NVD
EPSS 1% CVSS 7.6
HIGH PATCH This Week

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Superset
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Generation of Error Message Containing analytics metadata Information in Apache Superset.1.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Superset
NVD
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache PostgreSQL +1
NVD
EPSS 13% CVSS 8.1
HIGH This Week

A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions mod_httprp library loaded by the Apache web server allows remote attackers to cause Stack-based buffer. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Stack Overflow Sonicwall +7
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Ozone
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Deserialization RCE Apache +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds Read vulnerability in Apache NimBLE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Apache Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Out-of-bounds Read vulnerability in Apache NimBLE. Rated medium severity (CVSS 5.0), this vulnerability is no authentication required.

Buffer Overflow Apache Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Improper Validation of Array Index vulnerability in Apache NimBLE. Rated medium severity (CVSS 5.0), this vulnerability is no authentication required.

Buffer Overflow Apache Nimble
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Apache NimBLE. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Apache Nimble
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

Inadequate Encryption Strength vulnerability in Apache Answer.4.0. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Apache Information Disclosure Answer
NVD
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 include optional debug logging of Parameter Context values during the flow synchronization process. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Nifi
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Kafka
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Incorrect object recycling and reuse vulnerability in Apache Tomcat.0.0, 10.1.31, 9.0.96. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Information Disclosure
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Unchecked Error Condition vulnerability in Apache Tomcat. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Authentication Bypass +1
NVD
EPSS 1% CVSS 8.9
HIGH This Week

Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Apache CSRF +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Code Injection Apache +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.6.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Hertzbeat
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Hertzbeat
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Apache HertzBeat. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL Act Now

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Denial Of Service Cloudstack
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Apache Denial Of Service +1
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Deserialization RCE Apache +2
NVD
EPSS 1% CVSS 4.6
MEDIUM PATCH This Month

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Nifi
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache CSRF Information Disclosure +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Cloudstack
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Cloudstack
NVD
EPSS 1% CVSS 8.5
HIGH This Week

Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

Apache Denial Of Service Cloudstack
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Insecure Default Initialization of Resource vulnerability in Apache Solr. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Solr
NVD
EPSS 91% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Improper Authentication vulnerability in Apache Solr. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Solr
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Artemis
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache CSRF +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XXE Formatting Objects Processor
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Io +7
NVD
EPSS 3% CVSS 9.2
CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache +4
NVD
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Deserialization of Untrusted Data vulnerability in Apache Lucene Replicator.4.0 before 9.12.0. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Deserialization Apache Java +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Inadequate Encryption Strength vulnerability in Apache Answer.3.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Answer
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Apache Information Disclosure Hadoop
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Linkis
NVD
EPSS 1% CVSS 8.8
HIGH This Week

WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Tomcat Apache +5
NVD
EPSS 4% CVSS 8.8
HIGH This Week

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization Apache Hertzbeat
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Druid
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Oracle +1
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of Untrusted Data vulnerability in Apache Seata. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Apache Seata
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Glassfish
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Airflow
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Airflow
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Satellite
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apache Satellite
NVD
EPSS 93% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.12.16. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Code Injection Apache +2
NVD
EPSS 100% CVSS 7.5
HIGH POC KEV THREAT This Week

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz.12.16. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Ofbiz
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

D-Link Buffer Overflow PHP +3
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Command Injection +2
NVD GitHub
EPSS 48% CVSS 8.8
HIGH PATCH This Week

Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Apache RCE +1
NVD
EPSS 41% CVSS 8.8
HIGH This Week

Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache RCE +1
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Airflow
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Helix
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An improper access control vulnerability in the Azure Managed Instance for Apache Cassandra allows an authenticated attacker to elevate privileges over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Apache Microsoft +1
NVD
Prev Page 9 of 29 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy