Skip to main content

Http Server

173 CVEs product

Monthly

CVE-2026-49975 HIGH POC PATCH This Week

Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.

Apache Denial Of Service Http Server Nginx Debian Linux
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8835 HIGH PATCH This Week

Invalid pointer dereference in IBM HTTP Server 8.5 and 9.0 allows an authenticated privileged user on the Administration Server to expose sensitive information or trigger a denial-of-service condition. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis. EPSS exploitation probability is negligible (0.01%) and CISA SSVC indicates no observed exploitation.

Denial Of Service IBM Http Server
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-8834 HIGH PATCH This Week

Heap-based buffer overflow in IBM HTTP Server 8.5 and 9.0 allows an attacker already authenticated to the Administration Server to execute arbitrary code or crash the service. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis despite the high CVSS 8.0 rating. EPSS probability is negligible (0.01%) and SSVC marks exploitation as 'none,' indicating the issue is currently a patch-and-move-on item rather than an emergency.

Denial Of Service Heap Overflow IBM Buffer Overflow Http Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-8855 HIGH PATCH This Week

Remote code execution and denial of service in IBM HTTP Server 8.5 and 9.0 affects deployments configured with TLS mutual (client certificate) authentication, where an attacker can trigger code injection (CWE-94) over the network without prior authentication. The flaw carries a CVSS 8.1 score with high attack complexity, and IBM has published a patch (advisory node/7274065); no public exploit has been identified at time of analysis and SSVC marks exploitation as 'none' with total technical impact.

Denial Of Service Code Injection IBM RCE Http Server
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-8854 HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash or degrade the service when the optional mod_mem_cache module is loaded. The flaw carries a CVSS 7.5 (availability-only impact) and has no public exploit identified at time of analysis, though the SSVC framework rates exploitation as automatable. EPSS probability is very low (0.01%, 3rd percentile), suggesting limited near-term exploitation interest.

Denial Of Service IBM Http Server
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8856 HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows local attackers with write access to server configuration files to crash or render the web server unavailable. The CVSS vector (AV:L/PR:N) indicates a local attack vector with high integrity and availability impact, and no public exploit has been identified at time of analysis. EPSS exploitation probability is very low at 0.03% (9th percentile), and SSVC scores exploitation as 'none' with partial technical impact, suggesting limited real-world urgency.

Denial Of Service IBM Http Server
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-8852 MEDIUM PATCH This Month

Denial of service in IBM HTTP Server 8.5 and 9.0 is achievable by a local, unprivileged attacker through the optional mod_fastcgi module, which triggers a reachable assertion (CWE-617) causing the server process to abort. Affected versions span IBM HTTP Server 9.0 and IBM HTTP Server 8.5.0 through Interim Fix 002. No public exploit exists and CISA has not listed this in the KEV catalog; EPSS exploitation probability is extremely low at 0.03% (9th percentile), indicating minimal real-world threat at present.

Denial Of Service IBM Http Server
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-8850 HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash the web server when the optional mod_ibm_upload module is loaded, triggering a null pointer dereference (CWE-476). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile), though SSVC flags the issue as automatable with partial technical impact. Affected deployments include HTTP Server 8.5 up to Interim Fix 002 and HTTP Server 9.0, with a vendor patch available via IBM support note 7274065.

Denial Of Service Null Pointer Dereference IBM Http Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21962 CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS Http Server Weblogic Server Proxy Plug In
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-58098 HIGH POC PATCH This Week

CVE-2025-58098 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure Apache Ubuntu Debian Http Server +3
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-66200 MEDIUM POC PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Apache Ubuntu Debian Http Server +3
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-65082 MEDIUM PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Apache Ubuntu Debian Http Server +3
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-59775 HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Microsoft Apache SSRF Ubuntu Debian +5
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-55753 HIGH POC PATCH This Week

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Buffer Overflow Integer Overflow Apache Ubuntu Debian +4
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53020 HIGH PATCH This Week

CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (use-after-free) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with network-accessible attack vector and low attack complexity, making it easily exploitable without authentication. Affected organizations running vulnerable Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.

Apache Use After Free Denial Of Service Http Server Red Hat +2
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-49812 HIGH PATCH This Week

CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.

Apache TLS Session Fixation Http Server Red Hat +2
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-49630 HIGH POC PATCH This Week

CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.

Apache Denial Of Service Http Server Red Hat Suse +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-23048 CRITICAL POC PATCH Act Now

CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.

Apache Authentication Bypass TLS Http Server Red Hat +2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2024-47252 HIGH POC PATCH This Week

CVE-2024-47252 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Information Disclosure TLS Http Server Red Hat +2
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-43394 HIGH PATCH This Week

CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.

Apache SSRF Windows Information Disclosure Http Server +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-43204 HIGH PATCH This Week

CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.

Apache SSRF Http Server Red Hat Suse +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-42516 HIGH POC PATCH This Week

HTTP response splitting vulnerability in Apache HTTP Server core allows network-based attackers without authentication to inject arbitrary HTTP headers and content into responses by manipulating Content-Type headers in proxied or hosted applications, potentially enabling cache poisoning, session hijacking, or XSS attacks. Affects Apache HTTP Server versions prior to 2.4.64, with a critical note that the initial patch in 2.4.59 was incomplete. This is a regression/incomplete fix of CVE-2023-38709, indicating patch evasion and suggesting active exploitation interest.

Apache Information Disclosure Http Server Red Hat Suse +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-3891 HIGH PATCH This Week

A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server Enterprise Linux Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2025-21498 MEDIUM This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Oracle Http Server
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-20991 MEDIUM This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Oracle Http Server
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-45802 MEDIUM This Month

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Http Server Fedora Debian Linux
NVD
CVSS 3.1
5.9
EPSS
3.0%
CVE-2023-43622 HIGH This Week

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server
NVD
CVSS 3.1
7.5
EPSS
70.6%
CVE-2023-31122 HIGH This Week

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.4.57. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache Debian Linux Http Server +1
NVD
CVSS 3.1
7.5
EPSS
3.0%
CVE-2023-22019 HIGH PATCH This Week

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Authentication Bypass Information Disclosure Oracle Http Server
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-32342 HIGH This Week

IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Http Server
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-27522 PyPI HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling Http Server Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2023-25690 CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass Http Server
NVD
CVSS 3.1
9.8
EPSS
83.8%
CVE-2023-26281 HIGH PATCH This Week

IBM HTTP Server 8.5 used by IBM WebSphere Application Server could allow a remote user to cause a denial of service using a specially crafted URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service IBM Http Server
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-21593 HIGH PATCH This Week

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OHS Config MBeans). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Oracle Http Server
NVD
CVSS 3.1
7.1
EPSS
0.6%
CVE-2022-31813 CRITICAL POC Act Now

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Http Server Clustered Data Ontap Fedora
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2022-30556 HIGH This Week

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server Clustered Data Ontap Fedora
NVD
CVSS 3.1
7.5
EPSS
4.7%
CVE-2022-30522 HIGH This Week

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server Clustered Data Ontap Fedora
NVD
CVSS 3.1
7.5
EPSS
90.4%
CVE-2022-29404 HIGH This Week

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apache Http Server Fedora Clustered Data Ontap
NVD
CVSS 3.1
7.5
EPSS
5.7%
CVE-2022-28615 CRITICAL Act Now

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Integer Overflow Apache Http Server Fedora +1
NVD
CVSS 3.1
9.1
EPSS
5.7%
CVE-2022-28614 MEDIUM This Month

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Apache Information Disclosure Http Server Fedora +1
NVD
CVSS 3.1
5.3
EPSS
4.4%
CVE-2022-28330 MEDIUM This Month

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Buffer Overflow Information Disclosure Http Server
NVD
CVSS 3.1
5.3
EPSS
3.4%
CVE-2022-26377 HIGH This Week

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling Http Server Fedora +1
NVD
CVSS 3.1
7.5
EPSS
19.0%
CVE-2022-23943 CRITICAL PATCH Act Now

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.4 version 2.4.52 and prior versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow Apache Buffer Overflow Http Server Fedora +2
NVD
CVSS 3.1
9.8
EPSS
50.4%
CVE-2022-22721 CRITICAL PATCH Act Now

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.4.52 and earlier. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Apache Buffer Overflow Http Server Fedora +5
NVD
CVSS 3.1
9.1
EPSS
41.9%
CVE-2022-22720 CRITICAL PATCH Act Now

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Apache Request Smuggling Http Server Fedora +5
NVD
CVSS 3.1
9.8
EPSS
28.2%
CVE-2022-22719 HIGH PATCH This Week

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.4.52 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Http Server Debian Linux Fedora +3
NVD
CVSS 3.1
7.5
EPSS
69.8%
CVE-2022-21716 PyPI HIGH POC PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Python Twisted Debian Linux Http Server +2
NVD GitHub
CVSS 3.1
7.5
EPSS
3.6%
CVE-2022-25315 CRITICAL POC PATCH Act Now

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Libexpat Debian Linux Fedora +3
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2022-25314 HIGH PATCH This Week

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Libexpat Debian Linux Fedora +3
NVD GitHub
CVSS 3.1
7.5
EPSS
4.7%
CVE-2022-25313 MEDIUM PATCH This Month

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Libexpat Debian Linux Fedora Http Server +2
NVD GitHub
CVSS 3.1
6.5
EPSS
3.3%
CVE-2021-4185 HIGH POC This Week

Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wireshark Fedora Debian Linux Http Server +1
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2021-4184 HIGH POC This Week

Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wireshark Fedora Debian Linux Http Server +1
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2021-4183 MEDIUM POC PATCH This Month

Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Denial Of Service Information Disclosure Wireshark Fedora +2
NVD
CVSS 3.1
5.5
EPSS
1.4%
CVE-2021-4182 HIGH POC PATCH This Week

Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Wireshark Fedora Http Server Zfs Storage Appliance Kit
NVD
CVSS 3.1
7.5
EPSS
3.3%
CVE-2021-4181 HIGH POC This Week

Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Information Disclosure Wireshark Fedora +3
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2021-44790 CRITICAL POC PATCH THREAT Act Now

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Apache Memory Corruption Http Server Fedora +11
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
97.1%
CVE-2021-44224 HIGH PATCH This Week

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Null Pointer Dereference Apache Denial Of Service SSRF Http Server +10
NVD
CVSS 3.1
8.2
EPSS
82.3%
CVE-2021-43818 PyPI HIGH PATCH This Week

lxml is a library for processing XML and HTML in the Python language. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Lxml Fedora Debian Linux +8
NVD GitHub
CVSS 3.1
7.1
EPSS
2.5%
CVE-2021-42717 HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity Nginx Modsecurity Waf Debian Linux +2
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2021-42697 Maven HIGH POC PATCH THREAT This Week

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Http Server
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
36.1%
CVE-2021-25219 MEDIUM PATCH This Month

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bind Debian Linux Fedora H300s Firmware +11
NVD
CVSS 3.1
5.3
EPSS
8.0%
CVE-2021-35666 MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Oracle Authentication Bypass Http Server
NVD
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-2480 LOW Monitor

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Authentication Bypass Http Server
NVD
CVSS 3.1
3.7
EPSS
0.8%
CVE-2021-42013 CRITICAL POC KEV PATCH THREAT Act Now

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal RCE Http Server Fedora +4
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
100.0%
CVE-2021-41773 CRITICAL POC KEV PATCH THREAT Act Now

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal RCE Http Server Fedora +2
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
100.0%
CVE-2021-41524 HIGH PATCH This Week

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Null Pointer Dereference Denial Of Service Http Server Fedora Instantis Enterprisetrack +1
NVD
CVSS 3.1
7.5
EPSS
25.0%
CVE-2021-41617 HIGH PATCH This Week

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Rated high severity (CVSS 7.0).

SSH Privilege Escalation Openssh Fedora Active Iq Unified Manager +9
NVD VulDB
CVSS 3.1
7.0
EPSS
0.3%
CVE-2021-40438 CRITICAL POC KEV PATCH THREAT Act Now

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.4.48 and earlier. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Rocky Linux Enterprise Linux Enterprise Linux Eus +35
NVD
CVSS 3.1
9.0
EPSS
100.0%
CVE-2021-39275 CRITICAL PATCH Act Now

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Apache Memory Corruption Http Server Fedora +8
NVD
CVSS 3.1
9.8
EPSS
36.3%
CVE-2021-36160 HIGH PATCH This Week

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).4.30 to 2.4.48 (inclusive). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure Http Server Fedora +10
NVD
CVSS 3.1
7.5
EPSS
62.9%
CVE-2021-34798 HIGH PATCH This Week

Malformed requests may cause the server to dereference a NULL pointer.4.48 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Apache Denial Of Service Http Server Fedora +15
NVD
CVSS 3.1
7.5
EPSS
64.5%
CVE-2021-35940 HIGH PATCH This Week

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure Portable Runtime Http Server
NVD
CVSS 3.1
7.1
EPSS
1.2%
CVE-2021-33193 HIGH POC PATCH THREAT This Week

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.4.17 to 2.4.48. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Authentication Bypass Debian Linux Http Server Fedora +3
NVD GitHub
CVSS 3.1
7.5
EPSS
46.2%
CVE-2021-31618 HIGH PATCH This Week

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Apache Denial Of Service Http Server Fedora +4
NVD
CVSS 3.1
7.5
EPSS
51.2%
CVE-2021-30641 MEDIUM This Month

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server Debian Linux Fedora +3
NVD
CVSS 3.1
5.3
EPSS
52.3%
CVE-2021-26691 CRITICAL PATCH Act Now

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Apache Http Server Debian Linux +6
NVD
CVSS 3.1
9.8
EPSS
68.1%
CVE-2021-26690 HIGH This Week

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Apache Denial Of Service Http Server Debian Linux +4
NVD
CVSS 3.1
7.5
EPSS
65.1%
CVE-2021-2315 MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Authentication Bypass Http Server
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2020-5360 HIGH PATCH This Week

Dell BSAFE Micro Edition Suite, versions prior to 4.5, are vulnerable to a Buffer Under-Read Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Dell Bsafe Micro Edition Suite Database Http Server +2
NVD
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-1971 MEDIUM PATCH This Month

The X.509 GeneralName type is a generic type for representing different types of names. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

OpenSSL Denial Of Service Null Pointer Dereference Debian Linux Fedora +41
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2020-24977 MEDIUM POC PATCH This Month

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Libxml2 Debian Linux Fedora +15
NVD
CVSS 3.1
6.5
EPSS
3.7%
CVE-2020-9490 HIGH PATCH This Week

Apache HTTP Server versions 2.4.20 to 2.4.43. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Denial Of Service Http Server Communications Element Manager +23
NVD
CVSS 3.1
7.5
EPSS
89.7%
CVE-2020-11993 HIGH POC PATCH THREAT This Week

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Request Smuggling Information Disclosure Http Server Clustered Data Ontap +11
NVD
CVSS 3.1
7.5
EPSS
58.7%
CVE-2020-11985 MEDIUM This Month

IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure PHP Http Server
NVD
CVSS 3.1
5.3
EPSS
6.8%
CVE-2020-11984 CRITICAL POC THREAT Act Now

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Http Server Clustered Data Ontap Ubuntu Linux +10
NVD
CVSS 3.1
9.8
EPSS
90.0%
CVE-2020-1967 Cargo HIGH POC PATCH THREAT This Week

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service OpenSSL Debian Linux Freebsd +23
NVD GitHub
CVSS 3.1
7.5
EPSS
53.3%
CVE-2020-2952 MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Authentication Bypass Http Server
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-1927 MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Http Server Fedora Debian Linux +11
NVD
CVSS 3.1
6.1
EPSS
56.7%
CVE-2020-1934 MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Apache Information Disclosure Http Server Fedora Debian Linux +8
NVD
CVSS 3.1
5.3
EPSS
52.0%
CVE-2020-2545 MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Oracle Http Server
NVD
CVSS 3.1
5.3
EPSS
1.5%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.

Apache Denial Of Service Http Server +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Invalid pointer dereference in IBM HTTP Server 8.5 and 9.0 allows an authenticated privileged user on the Administration Server to expose sensitive information or trigger a denial-of-service condition. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis. EPSS exploitation probability is negligible (0.01%) and CISA SSVC indicates no observed exploitation.

Denial Of Service IBM Http Server
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Heap-based buffer overflow in IBM HTTP Server 8.5 and 9.0 allows an attacker already authenticated to the Administration Server to execute arbitrary code or crash the service. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis despite the high CVSS 8.0 rating. EPSS probability is negligible (0.01%) and SSVC marks exploitation as 'none,' indicating the issue is currently a patch-and-move-on item rather than an emergency.

Denial Of Service Heap Overflow IBM +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution and denial of service in IBM HTTP Server 8.5 and 9.0 affects deployments configured with TLS mutual (client certificate) authentication, where an attacker can trigger code injection (CWE-94) over the network without prior authentication. The flaw carries a CVSS 8.1 score with high attack complexity, and IBM has published a patch (advisory node/7274065); no public exploit has been identified at time of analysis and SSVC marks exploitation as 'none' with total technical impact.

Denial Of Service Code Injection IBM +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash or degrade the service when the optional mod_mem_cache module is loaded. The flaw carries a CVSS 7.5 (availability-only impact) and has no public exploit identified at time of analysis, though the SSVC framework rates exploitation as automatable. EPSS probability is very low (0.01%, 3rd percentile), suggesting limited near-term exploitation interest.

Denial Of Service IBM Http Server
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows local attackers with write access to server configuration files to crash or render the web server unavailable. The CVSS vector (AV:L/PR:N) indicates a local attack vector with high integrity and availability impact, and no public exploit has been identified at time of analysis. EPSS exploitation probability is very low at 0.03% (9th percentile), and SSVC scores exploitation as 'none' with partial technical impact, suggesting limited real-world urgency.

Denial Of Service IBM Http Server
NVD
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Denial of service in IBM HTTP Server 8.5 and 9.0 is achievable by a local, unprivileged attacker through the optional mod_fastcgi module, which triggers a reachable assertion (CWE-617) causing the server process to abort. Affected versions span IBM HTTP Server 9.0 and IBM HTTP Server 8.5.0 through Interim Fix 002. No public exploit exists and CISA has not listed this in the KEV catalog; EPSS exploitation probability is extremely low at 0.03% (9th percentile), indicating minimal real-world threat at present.

Denial Of Service IBM Http Server
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in IBM HTTP Server 8.5 and 9.0 allows remote unauthenticated attackers to crash the web server when the optional mod_ibm_upload module is loaded, triggering a null pointer dereference (CWE-476). No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02% (4th percentile), though SSVC flags the issue as automatable with partial technical impact. Affected deployments include HTTP Server 8.5 up to Interim Fix 002 and HTTP Server 9.0, with a vendor patch available via IBM support note 7274065.

Denial Of Service Null Pointer Dereference IBM +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS +2
NVD GitHub
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

CVE-2025-58098 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.

Information Disclosure Apache Ubuntu +5
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Apache Ubuntu +5
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A security vulnerability in Apache HTTP Server (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Information Disclosure Apache Ubuntu +5
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Microsoft Apache SSRF +7
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Buffer Overflow Integer Overflow Apache +6
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

CVE-2025-53020 is a late release of memory after effective lifetime vulnerability (use-after-free) in Apache HTTP Server versions 2.4.17 through 2.4.63 that allows unauthenticated remote attackers to cause denial of service with high availability impact. The vulnerability has a CVSS score of 7.5 (high severity) with network-accessible attack vector and low attack complexity, making it easily exploitable without authentication. Affected organizations running vulnerable Apache HTTP Server versions should prioritize upgrading to version 2.4.64 immediately.

Apache Use After Free Denial Of Service +4
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

CVE-2025-49812 is an HTTP request smuggling/desynchronization vulnerability in Apache HTTP Server's mod_ssl that allows man-in-the-middle attackers to hijack HTTPS sessions by exploiting improper handling of TLS upgrades. Only Apache HTTP Server versions through 2.4.63 with 'SSLEngine optional' configurations are affected, enabling session hijacking with high confidentiality and integrity impact. The vulnerability requires network-level access and careful timing but does not require user interaction or privileges; upgrade to 2.4.64 (which removes TLS upgrade support entirely) is the recommended mitigation.

Apache TLS Session Fixation +4
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

CVE-2025-49630 is a denial of service vulnerability in Apache HTTP Server versions 2.4.26 through 2.4.63 that can be triggered by untrusted remote clients when a reverse proxy is configured with HTTP/2 backend support and ProxyPreserveHost enabled, causing an assertion failure that crashes the proxy process. The vulnerability has a CVSS score of 7.5 (High) with network-accessible attack vector and no authentication required, making it immediately exploitable by unauthenticated remote attackers.

Apache Denial Of Service Http Server +3
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

CVE-2025-23048 is an authentication bypass vulnerability in Apache HTTP Server 2.4.35-2.4.63 affecting mod_ssl configurations with multiple virtual hosts using different client certificate restrictions. An attacker with valid client certificates trusted by one virtual host can exploit TLS 1.3 session resumption to access another restricted virtual host if SSLStrictSNIVHostCheck is not enabled, achieving unauthorized access to confidential information and potentially modifying data. This is a network-accessible vulnerability with no authentication required and high real-world impact.

Apache Authentication Bypass TLS +4
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

CVE-2024-47252 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Apache Information Disclosure TLS +4
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CVE-2024-43394 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows (versions 2.4.0-2.4.63) that allows unauthenticated remote attackers to leak NTLM credential hashes to malicious servers through unvalidated request input processed by mod_rewrite or Apache expressions. The vulnerability exploits Windows SMB/UNC path handling to trigger NTLM authentication, potentially compromising domain credentials. This is a high-severity issue affecting all default Windows installations without explicit UNC path filtering.

Apache SSRF Windows +5
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CVE-2024-43204 is a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server when mod_proxy is loaded, allowing unauthenticated attackers to initiate outbound proxy requests to attacker-controlled URLs. The vulnerability requires an uncommon configuration where mod_headers is used to modify Content-Type headers based on user-supplied HTTP request values. Apache recommends immediate upgrade to version 2.4.64 to remediate this high-integrity-impact issue.

Apache SSRF Http Server +3
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

HTTP response splitting vulnerability in Apache HTTP Server core allows network-based attackers without authentication to inject arbitrary HTTP headers and content into responses by manipulating Content-Type headers in proxied or hosted applications, potentially enabling cache poisoning, session hijacking, or XSS attacks. Affects Apache HTTP Server versions prior to 2.4.64, with a critical note that the initial patch in 2.4.59 was incomplete. This is a regression/incomplete fix of CVE-2023-38709, indicating patch evasion and suggesting active exploitation interest.

Apache Information Disclosure Http Server +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in the mod_auth_openidc module for Apache httpd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server +2
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Oracle Http Server
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Oracle Http Server
NVD
EPSS 3% CVSS 5.9
MEDIUM This Month

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Http Server Fedora +1
NVD
EPSS 71% CVSS 7.5
HIGH This Week

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Http Server
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.4.57. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Apache +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Authentication Bypass Information Disclosure Oracle +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Http Server
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.4.30 through 2.4.55. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Request Smuggling +3
NVD
EPSS 84% CVSS 9.8
CRITICAL Act Now

Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Request Smuggling Authentication Bypass +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

IBM HTTP Server 8.5 used by IBM WebSphere Application Server could allow a remote user to cause a denial of service using a specially crafted URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service IBM Http Server
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OHS Config MBeans). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Oracle Http Server
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Http Server +2
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server +2
NVD
EPSS 90% CVSS 7.5
HIGH This Week

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server +2
NVD
EPSS 6% CVSS 7.5
HIGH This Week

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apache Http Server +2
NVD
EPSS 6% CVSS 9.1
CRITICAL Act Now

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Integer Overflow Apache +3
NVD
EPSS 4% CVSS 5.3
MEDIUM This Month

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Apache Information Disclosure +3
NVD
EPSS 3% CVSS 5.3
MEDIUM This Month

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Microsoft Buffer Overflow +2
NVD
EPSS 19% CVSS 7.5
HIGH This Week

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Request Smuggling +3
NVD
EPSS 50% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.4 version 2.4.52 and prior versions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow Apache Buffer Overflow +4
NVD
EPSS 42% CVSS 9.1
CRITICAL PATCH Act Now

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.4.52 and earlier. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Apache Buffer Overflow +7
NVD
EPSS 28% CVSS 9.8
CRITICAL PATCH Act Now

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Apache Request Smuggling +7
NVD
EPSS 70% CVSS 7.5
HIGH PATCH This Week

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.4.52 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Http Server +5
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Python Twisted +4
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Buffer Overflow Libexpat +5
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow Buffer Overflow Libexpat +5
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Libexpat Debian Linux +4
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC This Week

Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wireshark Fedora +3
NVD
EPSS 4% CVSS 7.5
HIGH POC This Week

Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wireshark Fedora +3
NVD
EPSS 1% CVSS 5.5
MEDIUM POC PATCH This Month

Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Denial Of Service Information Disclosure +4
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Wireshark Fedora +2
NVD
EPSS 4% CVSS 7.5
HIGH POC This Week

Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Information Disclosure +5
NVD
EPSS 97% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Apache Memory Corruption +13
NVD Exploit-DB
EPSS 82% CVSS 8.2
HIGH PATCH This Week

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Null Pointer Dereference Apache Denial Of Service +12
NVD
EPSS 2% CVSS 7.1
HIGH PATCH This Week

lxml is a library for processing XML and HTML in the Python language. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Lxml +10
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Nginx Information Disclosure Modsecurity +4
NVD
EPSS 36% CVSS 7.5
HIGH POC PATCH THREAT This Week

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Http Server
NVD Exploit-DB
EPSS 8% CVSS 5.3
MEDIUM PATCH This Month

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bind Debian Linux +13
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Oracle Authentication Bypass Http Server
NVD
EPSS 1% CVSS 3.7
LOW Monitor

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Oracle Authentication Bypass Http Server
NVD
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal RCE +6
NVD Exploit-DB
EPSS 100% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Path Traversal RCE +4
NVD Exploit-DB
EPSS 25% CVSS 7.5
HIGH PATCH This Week

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Null Pointer Dereference Denial Of Service Http Server +3
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Rated high severity (CVSS 7.0).

SSH Privilege Escalation Openssh +11
NVD VulDB
EPSS 100% CVSS 9.0
CRITICAL POC KEV PATCH THREAT Act Now

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.4.48 and earlier. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Apache SSRF Rocky Linux +37
NVD
EPSS 36% CVSS 9.8
CRITICAL PATCH Act Now

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Apache Memory Corruption +10
NVD
EPSS 63% CVSS 7.5
HIGH PATCH This Week

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).4.30 to 2.4.48 (inclusive). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure +12
NVD
EPSS 65% CVSS 7.5
HIGH PATCH This Week

Malformed requests may cause the server to dereference a NULL pointer.4.48 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Apache Denial Of Service +17
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure +2
NVD
EPSS 46% CVSS 7.5
HIGH POC PATCH THREAT This Week

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.4.17 to 2.4.48. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Authentication Bypass Debian Linux +5
NVD GitHub
EPSS 51% CVSS 7.5
HIGH PATCH This Week

Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Apache Denial Of Service +6
NVD
EPSS 52% CVSS 5.3
MEDIUM This Month

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Http Server +5
NVD
EPSS 68% CVSS 9.8
CRITICAL PATCH Act Now

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Apache +8
NVD
EPSS 65% CVSS 7.5
HIGH This Week

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Apache Denial Of Service +6
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Authentication Bypass Http Server
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Dell BSAFE Micro Edition Suite, versions prior to 4.5, are vulnerable to a Buffer Under-Read Vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Dell Bsafe Micro Edition Suite +4
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The X.509 GeneralName type is a generic type for representing different types of names. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

OpenSSL Denial Of Service Null Pointer Dereference +43
NVD VulDB
EPSS 4% CVSS 6.5
MEDIUM POC PATCH This Month

GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Information Disclosure Libxml2 +17
NVD
EPSS 90% CVSS 7.5
HIGH PATCH This Week

Apache HTTP Server versions 2.4.20 to 2.4.43. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Apache Request Smuggling Denial Of Service +25
NVD
EPSS 59% CVSS 7.5
HIGH POC PATCH THREAT This Week

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Apache Request Smuggling Information Disclosure +13
NVD
EPSS 7% CVSS 5.3
MEDIUM This Month

IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure PHP +1
NVD
EPSS 90% CVSS 9.8
CRITICAL POC THREAT Act Now

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Apache Http Server +12
NVD
EPSS 53% CVSS 7.5
HIGH POC PATCH THREAT This Week

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service OpenSSL +25
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Oracle Authentication Bypass Http Server
NVD
EPSS 57% CVSS 6.1
MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Apache Open Redirect Http Server +13
NVD
EPSS 52% CVSS 5.3
MEDIUM PATCH This Month

In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.

Apache Information Disclosure Http Server +10
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Oracle Http Server
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy