Apache Software Foundation
160 CVEs

| CVE ID | Severity | Product / summary | Published |
|---|---|---|---|
| CVE-2026-54399 | HIGH 7.5 | Apache Httpcomponents Core — Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (… | 2026-07-01 |
| CVE-2026-54428 | HIGH 7.5 | Apache Httpcomponents Core — Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core… | 2026-07-01 |
| CVE-2026-49432 | HIGH 7.5 | Apache Activemq — Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A rem… | 2026-06-30 |
| CVE-2026-49434 | HIGH 7.5 | Apache Activemq Broker — Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An a… | 2026-06-30 |
| CVE-2026-49877 | HIGH 8.1 | Apache Activemq — Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by d… | 2026-06-30 |
| CVE-2026-50734 | HIGH 7.5 | Apache Activemq Client — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache A… | 2026-06-30 |
| CVE-2026-50750 | HIGH 7.5 | Apache Activemq Broker — Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ … | 2026-06-30 |
| CVE-2026-52760 | MEDIUM 6.1 | Apache Activemq — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache A… | 2026-06-30 |
| CVE-2026-53916 | HIGH 7.5 | Apache Activemq — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti… | 2026-06-30 |
| CVE-2026-53917 | HIGH 7.5 | Apache Activemq — Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti… | 2026-06-30 |
| CVE-2026-54475 | HIGH 7.5 | Apache Activemq Broker — Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache A… | 2026-06-30 |
| CVE-2025-53648 | MEDIUM 5.4 | Apache Gravitino — SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or t… | 2026-06-30 |
| CVE-2026-50229 | MEDIUM 6.1 | Apache Tomcat — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number gues… | 2026-06-29 |
| CVE-2026-53404 | HIGH 7.3 | Apache Tomcat — Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the … | 2026-06-29 |
| CVE-2026-53434 | CRITICAL 9.1 | Apache Tomcat — Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas… | 2026-06-29 |
| CVE-2026-55276 | CRITICAL 9.1 | Apache Tomcat — Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty… | 2026-06-29 |
| CVE-2026-55955 | MEDIUM 6.5 | Apache Tomcat — Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionIntercept… | 2026-06-29 |
| CVE-2026-55956 | MEDIUM 6.5 | Apache Tomcat — Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default … | 2026-06-29 |
| CVE-2026-55957 | HIGH 7.3 | Apache Tomcat — Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to au… | 2026-06-29 |
| CVE-2026-49486 | HIGH 7.5 | Apache Airflow Ftp Provider — The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never calle… | 2026-06-26 |
| CVE-2026-57914 | MEDIUM 6.5 | Apache Kerby — By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a Stac… | 2026-06-26 |
| CVE-2026-57915 | HIGH 7.3 | Apache Kerby — It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an un… | 2026-06-26 |
| CVE-2025-55017 | CRITICAL 9.1 | Apache Iotdb — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. … | 2026-06-26 |
| CVE-2025-64152 | CRITICAL 9.1 | Apache Iotdb — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. … | 2026-06-26 |
| CVE-2026-41566 | CRITICAL 9.4 | Apache Kvrocks — Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affec… | 2026-06-25 |
| CVE-2026-45188 | LOW 2.4 | Apache Kvrocks — Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 throug… | 2026-06-25 |
| CVE-2026-46751 | MEDIUM 5.5 | Apache Kvrocks — A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. Users are r… | 2026-06-25 |
| CVE-2026-46752 | CRITICAL 10 | Apache Kvrocks — Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: … | 2026-06-25 |
| CVE-2026-54226 | MEDIUM 6.4 | Apache Kvrocks — A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. Users are r… | 2026-06-25 |
| CVE-2026-56091 | HIGH 8.2 | Apache Shiro — When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request… | 2026-06-25 |
| CVE-2026-56130 | LOW 2 | Apache Shiro — "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a val… | 2026-06-25 |
| CVE-2026-44911 | LOW 2.3 | Apache Nifi — Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 a… | 2026-06-22 |
| CVE-2026-44913 | MEDIUM 5.2 | Apache Nifi — Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 … | 2026-06-22 |
| CVE-2026-44914 | HIGH 7.5 | Apache Nifi — Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extensio… | 2026-06-22 |
| CVE-2026-54665 | MEDIUM 6.3 | Apache Nifi — Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that … | 2026-06-22 |
| CVE-2025-62198 | MEDIUM 5.4 | Apache Atlas — An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are… | 2026-06-22 |
| CVE-2025-66336 | HIGH 8.1 | Apache Doris Mcp Server — Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled dat… | 2026-06-22 |
| CVE-2026-39998 | MEDIUM 5.8 | Apache Apisix — Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configur… | 2026-06-19 |
| CVE-2026-39999 | HIGH 7 | Apache Apisix — Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authenti… | 2026-06-19 |
| CVE-2026-44046 | LOW 2.3 | Apache Apisix — Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin un… | 2026-06-19 |
| CVE-2026-44087 | MEDIUM 5.3 | Apache Apisix — Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin unde… | 2026-06-19 |
| CVE-2026-44915 | LOW 2.1 | Apache Apisix — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration… | 2026-06-19 |
| CVE-2026-47339 | MEDIUM 5.3 | Apache Apisix — Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin un… | 2026-06-19 |
| CVE-2026-47341 | MEDIUM 6.3 | Apache Apisix — Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain con… | 2026-06-19 |
| CVE-2026-48895 | LOW 2.1 | Apache Apisix — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipu… | 2026-06-19 |
| CVE-2026-49230 | MEDIUM 6.3 | Apache Apisix — Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under def… | 2026-06-19 |
| CVE-2026-49231 | LOW 2.3 | Apache Apisix — Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity heade… | 2026-06-19 |
| CVE-2026-49871 | LOW 2.1 | Apache Apisix — Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This def… | 2026-06-19 |
| CVE-2026-49872 | MEDIUM 5.3 | Apache Apisix — Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attac… | 2026-06-19 |
| CVE-2026-32966 | HIGH 7.5 | Apache Dolphinscheduler — DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache Dolphi… | 2026-06-17 |
| CVE-2026-32967 | MEDIUM 6.5 | Apache Dolphinscheduler — Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue … | 2026-06-17 |
| CVE-2026-41280 | MEDIUM 4.9 | Apache Dolphinscheduler — Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in … | 2026-06-17 |
| CVE-2026-42357 | MEDIUM 6.5 | Apache Dolphinscheduler — Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projec… | 2026-06-17 |
| CVE-2026-47340 | MEDIUM 6.5 | Apache Dolphinscheduler — Allow authenticated users to access alert instances associated with alert groups they do not have permission t… | 2026-06-17 |
| CVE-2026-49268 | HIGH 8.8 | Apache Shiro — A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultL… | 2026-06-17 |
| CVE-2026-50203 | CRITICAL 9.1 | Apache Airflow Sftp Provider — A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a ma… | 2026-06-17 |
| CVE-2026-49875 | MEDIUM 6.5 | Apache Cxf — Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the… | 2026-06-12 |
| CVE-2026-50623 | MEDIUM 4.8 | Apache Cxf — An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a … | 2026-06-12 |
| CVE-2026-50627 | CRITICAL 9.1 | Apache Cxf — The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT … | 2026-06-12 |
| CVE-2026-50628 | CRITICAL 9.8 | Apache Cxf — A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while b… | 2026-06-12 |
| CVE-2026-50629 | MEDIUM 5.3 | Apache Cxf — The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning m… | 2026-06-12 |
| CVE-2026-50630 | MEDIUM 6.5 | Apache Cxf — A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authen… | 2026-06-12 |
| CVE-2026-50631 | HIGH 7.4 | Apache Cxf — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypas… | 2026-06-12 |
| CVE-2026-50632 | HIGH 8.1 | Apache Cxf — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) … | 2026-06-12 |
| CVE-2026-50633 | HIGH 8.1 | Apache Cxf — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for… | 2026-06-12 |
| CVE-2026-50634 | MEDIUM 6.5 | Apache Cxf — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadat… | 2026-06-12 |
| CVE-2026-50645 | HIGH 7.5 | Apache Cxf — There is no restriction on the amount of attachment headers that a message can contain when being deserialized… | 2026-06-12 |
| CVE-2026-25700 | HIGH 7.2 | Apache Answer — Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache A… | 2026-06-10 |
| CVE-2026-47342 | HIGH 8.8 | Apache Ofbiz — A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain high… | 2026-06-10 |
| CVE-2026-50223 | HIGH 8.8 | Apache Ofbiz — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privilege… | 2026-06-10 |
| CVE-2026-25688 | MEDIUM 6.1 | Apache Answer — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-25699 | MEDIUM 6.1 | Apache Answer — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue … | 2026-06-09 |
| CVE-2026-33582 | MEDIUM 6.5 | Apache Answer — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-34031 | MEDIUM 6.5 | Apache Answer — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-34033 | MEDIUM 5.4 | Apache Answer — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. … | 2026-06-09 |
| CVE-2026-34905 | MEDIUM 6.5 | Apache Answer — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects… | 2026-06-09 |
| CVE-2026-49818 | MEDIUM 6.5 | Apache Airflow Samba Provider — The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path w… | 2026-06-09 |
| CVE-2026-29167 | CRITICAL 9.8 | Apache Http Server — Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue af… | 2026-06-08 |
| CVE-2026-29170 | MEDIUM 6.1 | Apache Http Server — A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP S… | 2026-06-08 |
| CVE-2026-34355 | HIGH 7.5 | Apache Http Server — A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted … | 2026-06-08 |
| CVE-2026-34356 | HIGH 7.5 | Apache Http Server — Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassRev… | 2026-06-08 |
| CVE-2026-42535 | CRITICAL 9.1 | Apache Http Server — A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly ma… | 2026-06-08 |
| CVE-2026-42536 | HIGH 7.5 | Apache Http Server — Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted… | 2026-06-08 |
| CVE-2026-43951 | MEDIUM 6.5 | Apache Http Server — Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response lan… | 2026-06-08 |
| CVE-2026-44119 | MEDIUM 5.5 | Apache Http Server — Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess au… | 2026-06-08 |
| CVE-2026-44185 | HIGH 7.3 | Apache Http Server — Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP… | 2026-06-08 |
| CVE-2026-44186 | HIGH 7.3 | Apache Http Server — Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTT… | 2026-06-08 |
| CVE-2026-44631 | CRITICAL 9.8 | Apache Http Server — Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. Th… | 2026-06-08 |
| CVE-2026-47430 | CRITICAL 9.5 | Cordova Plugin Inappbrowser — Summary: The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMess… | 2026-06-08 |
| CVE-2026-48913 | HIGH 7.3 | Apache Http Server — Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. … | 2026-06-08 |
| CVE-2026-49975 | HIGH 7.5 | Apache Http Server — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of … (PoC) | 2026-06-08 |
| CVE-2026-50076 | CRITICAL 9.1 | Apache Fory — Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.… | 2026-06-04 |
| CVE-2026-47065 | CRITICAL 9.8 | Apache Mina — ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy. Asses… | 2026-06-03 |
| CVE-2026-41115 | MEDIUM 4.3 | Apache Kafka — An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUM… | 2026-06-02 |
| CVE-2026-46718 | MEDIUM 6.5 | Apache Calcite — Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Cal… | 2026-06-02 |
| CVE-2026-35563 | HIGH 8.8 | Apache Directory Ldap Api — It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certifica… | 2026-06-01 |
| CVE-2026-40861 | MEDIUM 6.5 | Apache Airflow — A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file … | 2026-06-01 |
| CVE-2026-40961 | HIGH 7.2 | Apache Airflow — A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed th… | 2026-06-01 |
| CVE-2026-40963 | LOW 3.1 | Apache Airflow — The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without… | 2026-06-01 |
| CVE-2026-41014 | MEDIUM 4.3 | Apache Airflow — The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag aut… | 2026-06-01 |
| CVE-2026-41017 | MEDIUM 5.9 | Apache Airflow — Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments runn… | 2026-06-01 |
| CVE-2026-41084 | HIGH 7.5 | Apache Airflow — A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/ta… | 2026-06-01 |
| CVE-2026-42252 | CRITICAL 9.1 | Apache Airflow — Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering D… | 2026-06-01 |
| CVE-2026-42253 | MEDIUM 6.1 | Apache Activemq — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-42358 | MEDIUM 6.5 | Apache Airflow — A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed k… | 2026-06-01 |
| CVE-2026-42359 | HIGH 8.8 | Apache Airflow — A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/AP… | 2026-06-01 |
| CVE-2026-42360 | MEDIUM 6.5 | Apache Airflow — A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `p… | 2026-06-01 |
| CVE-2026-42588 | HIGH 8.1 | Apache Activemq Broker — Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-44825 | HIGH 8.1 | Apache Solr — Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.… | 2026-06-01 |
| CVE-2026-45192 | MEDIUM 6.5 | Apache Airflow — A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenti… | 2026-06-01 |
| CVE-2026-45360 | HIGH 7.3 | Apache Airflow — Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`)… | 2026-06-01 |
| CVE-2026-45426 | LOW 3.1 | Apache Airflow — Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JW… | 2026-06-01 |
| CVE-2026-45505 | HIGH 8.8 | Apache Activemq Broker — Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-46605 | MEDIUM 4.3 | Apache Activemq Broker — Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated con… | 2026-06-01 |
| CVE-2026-46764 | MEDIUM 4.3 | Apache Airflow — The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows … | 2026-06-01 |
| CVE-2026-48726 | MEDIUM 6.5 | Apache Airflow — A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user … | 2026-06-01 |
| CVE-2026-48827 | HIGH 7.1 | Apache Mina Sshd — Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, … | 2026-06-01 |
| CVE-2026-49157 | HIGH 8.8 | Apache Activemq — Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.… | 2026-06-01 |
| CVE-2026-49267 | MEDIUM 5.9 | Apache Airflow — Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS conn… | 2026-06-01 |
| CVE-2026-49270 | MEDIUM 5.9 | Apache Activemq Broker — Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, A… | 2026-06-01 |
| CVE-2026-49298 | HIGH 8.8 | Apache Airflow — A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the… | 2026-06-01 |
| CVE-2026-49328 | MEDIUM 5.3 | Apache Fesod (Incubating) — Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet… | 2026-06-01 |
| CVE-2026-49361 | HIGH 7.5 | Apache Fluss (Incubating) — Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE a… | 2026-06-01 |
| CVE-2026-40914 | MEDIUM 4.3 | Apache Artemis Stomp Protocol — A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credent… | 2026-05-28 |
| CVE-2025-48977 | HIGH 8.5 | Apache Ignite — Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any fi… | 2026-05-28 |
| CVE-2026-40564 | MEDIUM 6.5 | Apache Flink Kubernetes Operator — Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apach… | 2026-05-26 |
| CVE-2026-42782 | HIGH 7.2 | Apache Syncope — Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate en… | 2026-05-25 |
| CVE-2026-42797 | MEDIUM 4.9 | Apache Syncope — Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with… | 2026-05-25 |
| CVE-2026-43827 | MEDIUM 5.9 | Apache Shiro — Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro… | 2026-05-25 |
| CVE-2026-43828 | MEDIUM 5.9 | Apache Shiro — Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. … | 2026-05-25 |
| CVE-2026-44598 | MEDIUM 5.1 | Apache Shiro Jakarta Ee Module — With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery… | 2026-05-25 |
| CVE-2026-45249 | MEDIUM 6.1 | Apache Echarts — A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logi… | 2026-05-25 |
| CVE-2026-45361 | HIGH 8.1 | Apache Airflow Google Provider — Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposi… | 2026-05-25 |
| CVE-2026-46745 | MEDIUM 5.3 | Apache Airflow Fab Provider — Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthent… | 2026-05-25 |
| CVE-2026-48589 | N/A 0 | Apache Shiro — Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user … | 2026-05-25 |
| CVE-2026-44417 | HIGH 7.5 | Apache Cxf — The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning … | 2026-05-22 |
| CVE-2026-44618 | MEDIUM 5.3 | Apache Cxf — Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attack… | 2026-05-22 |
| CVE-2026-44930 | MEDIUM 4.3 | Apache Cxf — An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow … | 2026-05-22 |
| CVE-2026-45760 | HIGH 8.1 | Apache Camel K — (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controll… | 2026-05-21 |
| CVE-2026-48207 | CRITICAL 9.8 | Apache Fory — Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented Des… | 2026-05-21 |
| CVE-2026-27173 | HIGH 8.7 | Apache Airflow Cncf Kubernetes Provider — JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only acce… | 2026-05-19 |
| CVE-2026-29207 | MEDIUM 6.5 | Apache Ofbiz — Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This iss… | 2026-05-19 |
| CVE-2026-29220 | MEDIUM 6.5 | Apache Ofbiz — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. … | 2026-05-19 |
| CVE-2026-29226 | HIGH 7.3 | Apache Ofbiz — Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue… | 2026-05-19 |
| CVE-2026-31378 | MEDIUM 6.5 | Apache Ofbiz — Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. U… | 2026-05-19 |
| CVE-2026-31379 | MEDIUM 6.1 | Apache Ofbiz — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a… | 2026-05-19 |
| CVE-2026-31380 | MEDIUM 6.5 | Apache Ofbiz — Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Inj… | 2026-05-19 |
| CVE-2026-31387 | MEDIUM 5.3 | Apache Ofbiz — Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Use… | 2026-05-19 |
| CVE-2026-31388 | MEDIUM 5.3 | Apache Ofbiz — Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache … | 2026-05-19 |
| CVE-2026-31906 | MEDIUM 6.1 | Apache Ofbiz — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache O… | 2026-05-19 |
| CVE-2026-31909 | HIGH 7.5 | Apache Ofbiz — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects … | 2026-05-19 |
| CVE-2026-31910 | HIGH 7.5 | Apache Ofbiz — Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.… | 2026-05-19 |
| CVE-2026-31986 | CRITICAL 9.1 | Apache Ofbiz — Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24… | 2026-05-19 |
| CVE-2026-35086 | MEDIUM 6.5 | Apache Ofbiz — Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. Th… | 2026-05-19 |
| CVE-2026-41919 | CRITICAL 9.1 | Apache Ofbiz — Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache O… | 2026-05-19 |
| CVE-2026-42526 | MEDIUM 5.3 | Apache Airflow Amazon Provider — In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior… | 2026-05-19 |
| CVE-2026-45187 | MEDIUM 6.5 | Apache Ofbiz — Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.… | 2026-05-19 |
| CVE-2026-45434 | CRITICAL 9.8 | Apache Ofbiz — Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Ex… | 2026-05-19 |
| CVE-2026-46586 | HIGH 8.8 | Apache Ofbiz — Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamicall… | 2026-05-19 |
| CVE-2026-47323 | CRITICAL 9.8 | Apache Camel — Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering. The CXF and Knative Header… | 2026-05-19 |