Skip to main content

Apache

Vendor security scorecard – 511 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 2116
511
CVEs
101
Critical
210
High
1
KEV
27
PoC
62
Unpatched C/H
78.3%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
101
HIGH
210
MEDIUM
173
LOW
20

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-34197 Remote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers to execute arbitrary code on the broker's JVM via Jolokia MBean operations. Attackers with low-privilege web console access can invoke BrokerService.addNetworkConnector() with a malicious discovery URI containing a VM transport brokerConfig parameter that loads remote Spring XML contexts, triggering bean instantiation and code execution through factory methods like Runtime.exec( HIGH 8.8 0.1% 129
KEV PoC
CVE-2016-15057 Command injection in Apache Continuum (unsupported). EPSS 37.9% indicates active exploitation of this legacy CI/CD system. No patch available — product is end-of-life. CRITICAL 9.9 37.9% 122
PoC No patch
CVE-2026-27636 Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration. HIGH 8.8 0.3% 79
PoC
CVE-2026-33453 Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's cam CRITICAL 10.0 0.5% 71
PoC
CVE-2026-33439 Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue CRITICAL 9.3 0.1% 67
PoC
CVE-2016-20026 Critical hardcoded credentials vulnerability in ZKTeco ZKBioSecurity 3.0's bundled Apache Tomcat server that allows unauthenticated remote attackers to upload malicious WAR files and execute arbitrary code with SYSTEM privileges. Multiple public exploits are available (Exploit-DB, Packet Storm), making this a high-risk vulnerability for organizations using this biometric security management software. CRITICAL 9.3 0.1% 67
PoC No patch
CVE-2026-39920 Remote code execution in BridgeHead FileStore pre-24A via Apache Axis2 default credentials allows unauthenticated attackers to deploy malicious web services and execute arbitrary OS commands. The vulnerability exploits exposed Axis2 admin console with unchanged default credentials, enabling full system compromise over the network with no authentication required. Publicly available exploit code exists (GitHub Gist), and CVSS 9.8 reflects critical risk with network vector, low complexity, and no privileges required. EPSS data not provided but exploitation prerequisites are minimal given default credential exposure. CRITICAL 9.3 0.2% 66
PoC
CVE-2026-23552 Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available. CRITICAL 9.1 0.0% 66
PoC
CVE-2026-23697 Remote code execution in Vtiger CRM before 8.4.0 lets an authenticated low-privileged user upload a malicious .phar file through the Documents module and execute arbitrary PHP. The extension denylist in config.inc.php omits .phar, and a stale Apache 2.2-syntax .htaccess is silently ignored on Apache 2.4, so the payload lands in a web-accessible directory reachable by unauthenticated HTTP - the attack begins authenticated but the final execution step is unauthenticated. Publicly available exploit code exists (published by VulnCheck/Jiva Security); no CISA KEV listing and no EPSS score were provided. HIGH 8.7 0.8% 64
PoC No patch
CVE-2026-25747 Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. [CVSS 8.8 HIGH] HIGH 8.8 0.1% 64
PoC
CVE-2026-40473 The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any HIGH 8.8 0.1% 64
PoC
CVE-2026-40858 The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.O HIGH 8.8 0.1% 64
PoC
CVE-2026-23918 Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential. HIGH 8.8 0.1% 64
PoC
CVE-2026-40466 Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to bypass prior security fixes (CVE-2026-34197) by injecting malicious Spring XML configurations through HTTP Discovery transport connectors via Jolokia. Attackers leverage a VM transport loophole to invoke arbitrary bean factory methods like Runtime.exec() during Spring context initialization. EPSS score is low (0.06%, 19th percentile) with no confirmed active exploitation (not in CISA KEV), suggesting limited widespread targeting despite high CVSS 8.8 score. Exploitation requires authenticated Jolokia access and presence of activemq-http module on classpath. HIGH 8.8 0.1% 64
PoC
CVE-2019-25671 VA MAX 8.3.4 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by injecting shell metacharacters into the mtu_eth0 parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.7 0.4% 64
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy