Apache Software Foundation

160 CVEs
| CVE ID | Severity | Score | Product | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-54399 | HIGH | 7.5 | Apache Httpcomponents Core | Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (… | 2026-07-01 |
| CVE-2026-54428 | HIGH | 7.5 | Apache Httpcomponents Core | Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core… | 2026-07-01 |
| CVE-2026-49432 | HIGH | 7.5 | Apache Activemq | Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. A rem… | 2026-06-30 |
| CVE-2026-49434 | HIGH | 7.5 | Apache Activemq Broker | Improper Input Validation vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. An a… | 2026-06-30 |
| CVE-2026-49877 | HIGH | 8.1 | Apache Activemq | Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by d… | 2026-06-30 |
| CVE-2026-50734 | HIGH | 7.5 | Apache Activemq Client | Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache A… | 2026-06-30 |
| CVE-2026-50750 | HIGH | 7.5 | Apache Activemq Broker | Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ … | 2026-06-30 |
| CVE-2026-52760 | MEDIUM | 6.1 | Apache Activemq | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache A… | 2026-06-30 |
| CVE-2026-53916 | HIGH | 7.5 | Apache Activemq | Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti… | 2026-06-30 |
| CVE-2026-53917 | HIGH | 7.5 | Apache Activemq | Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache Acti… | 2026-06-30 |
| CVE-2026-54475 | HIGH | 7.5 | Apache Activemq Broker | Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache A… | 2026-06-30 |
| CVE-2025-53648 | MEDIUM | 5.4 | Apache Gravitino | SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or t… | 2026-06-30 |
| CVE-2026-50229 | MEDIUM | 6.1 | Apache Tomcat | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number gues… | 2026-06-29 |
| CVE-2026-53404 | HIGH | 7.3 | Apache Tomcat | Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the … | 2026-06-29 |
| CVE-2026-53434 | CRITICAL | 9.1 | Apache Tomcat | Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas… | 2026-06-29 |
| CVE-2026-55276 | CRITICAL | 9.1 | Apache Tomcat | Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty… | 2026-06-29 |
| CVE-2026-55955 | MEDIUM | 6.5 | Apache Tomcat | Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionIntercept… | 2026-06-29 |
| CVE-2026-55956 | MEDIUM | 6.5 | Apache Tomcat | Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default … | 2026-06-29 |
| CVE-2026-55957 | HIGH | 7.3 | Apache Tomcat | Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to au… | 2026-06-29 |
| CVE-2026-49486 | HIGH | 7.5 | Apache Airflow Ftp Provider | The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never calle… | 2026-06-26 |
| CVE-2026-57914 | MEDIUM | 6.5 | Apache Kerby | By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a Stac… | 2026-06-26 |
| CVE-2026-57915 | HIGH | 7.3 | Apache Kerby | It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an un… | 2026-06-26 |
| CVE-2025-55017 | CRITICAL | 9.1 | Apache Iotdb | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. … | 2026-06-26 |
| CVE-2025-64152 | CRITICAL | 9.1 | Apache Iotdb | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. … | 2026-06-26 |
| CVE-2026-41566 | CRITICAL | 9.4 | Apache Kvrocks | Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affec… | 2026-06-25 |
| CVE-2026-45188 | LOW | 2.4 | Apache Kvrocks | Relative Path Traversal vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 1.0.0 throug… | 2026-06-25 |
| CVE-2026-46751 | MEDIUM | 5.5 | Apache Kvrocks | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. Users are r… | 2026-06-25 |
| CVE-2026-46752 | CRITICAL | 10 | Apache Kvrocks | Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: … | 2026-06-25 |
| CVE-2026-54226 | MEDIUM | 6.4 | Apache Kvrocks | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. Users are r… | 2026-06-25 |
| CVE-2026-56091 | HIGH | 8.2 | Apache Shiro | When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request… | 2026-06-25 |
| CVE-2026-56130 | LOW | 2 | Apache Shiro | "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a val… | 2026-06-25 |
| CVE-2026-44911 | LOW | 2.3 | Apache Nifi | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 a… | 2026-06-22 |
| CVE-2026-44913 | MEDIUM | 5.2 | Apache Nifi | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 … | 2026-06-22 |
| CVE-2026-44914 | HIGH | 7.5 | Apache Nifi | Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extensio… | 2026-06-22 |
| CVE-2026-54665 | MEDIUM | 6.3 | Apache Nifi | Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that … | 2026-06-22 |
| CVE-2025-62198 | MEDIUM | 5.4 | Apache Atlas | An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are… | 2026-06-22 |
| CVE-2025-66336 | HIGH | 8.1 | Apache Doris Mcp Server | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled dat… | 2026-06-22 |
| CVE-2026-39998 | MEDIUM | 5.8 | Apache Apisix | Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configur… | 2026-06-19 |
| CVE-2026-39999 | HIGH | 7 | Apache Apisix | Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authenti… | 2026-06-19 |
| CVE-2026-44046 | LOW | 2.3 | Apache Apisix | Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin un… | 2026-06-19 |
| CVE-2026-44087 | MEDIUM | 5.3 | Apache Apisix | Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin unde… | 2026-06-19 |
| CVE-2026-44915 | LOW | 2.1 | Apache Apisix | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration… | 2026-06-19 |
| CVE-2026-47339 | MEDIUM | 5.3 | Apache Apisix | Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin un… | 2026-06-19 |
| CVE-2026-47341 | MEDIUM | 6.3 | Apache Apisix | Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain con… | 2026-06-19 |
| CVE-2026-48895 | LOW | 2.1 | Apache Apisix | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipu… | 2026-06-19 |
| CVE-2026-49230 | MEDIUM | 6.3 | Apache Apisix | Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under def… | 2026-06-19 |
| CVE-2026-49231 | LOW | 2.3 | Apache Apisix | Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity heade… | 2026-06-19 |
| CVE-2026-49871 | LOW | 2.1 | Apache Apisix | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This def… | 2026-06-19 |
| CVE-2026-49872 | MEDIUM | 5.3 | Apache Apisix | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attac… | 2026-06-19 |
| CVE-2026-32966 | HIGH | 7.5 | Apache Dolphinscheduler | DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache Dolphi… | 2026-06-17 |
| CVE-2026-32967 | MEDIUM | 6.5 | Apache Dolphinscheduler | Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue … | 2026-06-17 |
| CVE-2026-41280 | MEDIUM | 4.9 | Apache Dolphinscheduler | Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in … | 2026-06-17 |
| CVE-2026-42357 | MEDIUM | 6.5 | Apache Dolphinscheduler | Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projec… | 2026-06-17 |
| CVE-2026-47340 | MEDIUM | 6.5 | Apache Dolphinscheduler | Allow authenticated users to access alert instances associated with alert groups they do not have permission t… | 2026-06-17 |
| CVE-2026-49268 | HIGH | 8.8 | Apache Shiro | A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultL… | 2026-06-17 |
| CVE-2026-50203 | CRITICAL | 9.1 | Apache Airflow Sftp Provider | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a ma… | 2026-06-17 |
| CVE-2026-49875 | MEDIUM | 6.5 | Apache Cxf | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the… | 2026-06-12 |
| CVE-2026-50623 | MEDIUM | 4.8 | Apache Cxf | An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a … | 2026-06-12 |
| CVE-2026-50627 | CRITICAL | 9.1 | Apache Cxf | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT … | 2026-06-12 |
| CVE-2026-50628 | CRITICAL | 9.8 | Apache Cxf | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while b… | 2026-06-12 |
| CVE-2026-50629 | MEDIUM | 5.3 | Apache Cxf | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning m… | 2026-06-12 |
| CVE-2026-50630 | MEDIUM | 6.5 | Apache Cxf | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authen… | 2026-06-12 |
| CVE-2026-50631 | HIGH | 7.4 | Apache Cxf | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypas… | 2026-06-12 |
| CVE-2026-50632 | HIGH | 8.1 | Apache Cxf | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) … | 2026-06-12 |
| CVE-2026-50633 | HIGH | 8.1 | Apache Cxf | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for… | 2026-06-12 |
| CVE-2026-50634 | MEDIUM | 6.5 | Apache Cxf | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadat… | 2026-06-12 |
| CVE-2026-50645 | HIGH | 7.5 | Apache Cxf | There is no restriction on the amount of attachment headers that a message can contain when being deserialized… | 2026-06-12 |
| CVE-2026-25700 | HIGH | 7.2 | Apache Answer | Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache A… | 2026-06-10 |
| CVE-2026-47342 | HIGH | 8.8 | Apache Ofbiz | A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain high… | 2026-06-10 |
| CVE-2026-50223 | HIGH | 8.8 | Apache Ofbiz | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privilege… | 2026-06-10 |
| CVE-2026-25688 | MEDIUM | 6.1 | Apache Answer | Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-25699 | MEDIUM | 6.1 | Apache Answer | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue … | 2026-06-09 |
| CVE-2026-33582 | MEDIUM | 6.5 | Apache Answer | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-34031 | MEDIUM | 6.5 | Apache Answer | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Ans… | 2026-06-09 |
| CVE-2026-34033 | MEDIUM | 5.4 | Apache Answer | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. … | 2026-06-09 |
| CVE-2026-34905 | MEDIUM | 6.5 | Apache Answer | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects… | 2026-06-09 |
| CVE-2026-49818 | MEDIUM | 6.5 | Apache Airflow Samba Provider | The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path w… | 2026-06-09 |
| CVE-2026-29167 | CRITICAL | 9.8 | Apache Http Server | Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue af… | 2026-06-08 |
| CVE-2026-29170 | MEDIUM | 6.1 | Apache Http Server | A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP S… | 2026-06-08 |
| CVE-2026-34355 | HIGH | 7.5 | Apache Http Server | A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted … | 2026-06-08 |
| CVE-2026-34356 | HIGH | 7.5 | Apache Http Server | Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassRev… | 2026-06-08 |
| CVE-2026-42535 | CRITICAL | 9.1 | Apache Http Server | A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly ma… | 2026-06-08 |
| CVE-2026-42536 | HIGH | 7.5 | Apache Http Server | Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted… | 2026-06-08 |
| CVE-2026-43951 | MEDIUM | 6.5 | Apache Http Server | Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response lan… | 2026-06-08 |
| CVE-2026-44119 | MEDIUM | 5.5 | Apache Http Server | Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess au… | 2026-06-08 |
| CVE-2026-44185 | HIGH | 7.3 | Apache Http Server | Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP… | 2026-06-08 |
| CVE-2026-44186 | HIGH | 7.3 | Apache Http Server | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTT… | 2026-06-08 |
| CVE-2026-44631 | CRITICAL | 9.8 | Apache Http Server | Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. Th… | 2026-06-08 |
| CVE-2026-47430 | CRITICAL | 9.5 | Cordova Plugin Inappbrowser | ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMess… | 2026-06-08 |
| CVE-2026-48913 | HIGH | 7.3 | Apache Http Server | Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. … | 2026-06-08 |
| CVE-2026-49975 | HIGH | 7.5 | Apache Http Server | Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of … ● PoC | 2026-06-08 |
| CVE-2026-50076 | CRITICAL | 9.1 | Apache Fory | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.… | 2026-06-04 |
| CVE-2026-47065 | CRITICAL | 9.8 | Apache Mina | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Asses… | 2026-06-03 |
| CVE-2026-41115 | MEDIUM | 4.3 | Apache Kafka | An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUM… | 2026-06-02 |
| CVE-2026-46718 | MEDIUM | 6.5 | Apache Calcite | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Cal… | 2026-06-02 |
| CVE-2026-35563 | HIGH | 8.8 | Apache Directory Ldap Api | It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certifica… | 2026-06-01 |
| CVE-2026-40861 | MEDIUM | 6.5 | Apache Airflow | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file … | 2026-06-01 |
| CVE-2026-40961 | HIGH | 7.2 | Apache Airflow | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed th… | 2026-06-01 |
| CVE-2026-40963 | LOW | 3.1 | Apache Airflow | The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without… | 2026-06-01 |
| CVE-2026-41014 | MEDIUM | 4.3 | Apache Airflow | The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag aut… | 2026-06-01 |
| CVE-2026-41017 | MEDIUM | 5.9 | Apache Airflow | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments runn… | 2026-06-01 |
| CVE-2026-41084 | HIGH | 7.5 | Apache Airflow | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/ta… | 2026-06-01 |
| CVE-2026-42252 | CRITICAL | 9.1 | Apache Airflow | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering D… | 2026-06-01 |
| CVE-2026-42253 | MEDIUM | 6.1 | Apache Activemq | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-42358 | MEDIUM | 6.5 | Apache Airflow | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed k… | 2026-06-01 |
| CVE-2026-42359 | HIGH | 8.8 | Apache Airflow | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/AP… | 2026-06-01 |
| CVE-2026-42360 | MEDIUM | 6.5 | Apache Airflow | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `p… | 2026-06-01 |
| CVE-2026-42588 | HIGH | 8.1 | Apache Activemq Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-44825 | HIGH | 8.1 | Apache Solr | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.… | 2026-06-01 |
| CVE-2026-45192 | MEDIUM | 6.5 | Apache Airflow | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenti… | 2026-06-01 |
| CVE-2026-45360 | HIGH | 7.3 | Apache Airflow | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`)… | 2026-06-01 |
| CVE-2026-45426 | LOW | 3.1 | Apache Airflow | Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JW… | 2026-06-01 |
| CVE-2026-45505 | HIGH | 8.8 | Apache Activemq Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache A… | 2026-06-01 |
| CVE-2026-46605 | MEDIUM | 4.3 | Apache Activemq Broker | Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated con… | 2026-06-01 |
| CVE-2026-46764 | MEDIUM | 4.3 | Apache Airflow | The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows … | 2026-06-01 |
| CVE-2026-48726 | MEDIUM | 6.5 | Apache Airflow | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user … | 2026-06-01 |
| CVE-2026-48827 | HIGH | 7.1 | Apache Mina Sshd | Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, … | 2026-06-01 |
| CVE-2026-49157 | HIGH | 8.8 | Apache Activemq | Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.… | 2026-06-01 |
| CVE-2026-49267 | MEDIUM | 5.9 | Apache Airflow | Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS conn… | 2026-06-01 |
| CVE-2026-49270 | MEDIUM | 5.9 | Apache Activemq Broker | Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, A… | 2026-06-01 |
| CVE-2026-49298 | HIGH | 8.8 | Apache Airflow | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the… | 2026-06-01 |
| CVE-2026-49328 | MEDIUM | 5.3 | Apache Fesod (Incubating) | Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet… | 2026-06-01 |
| CVE-2026-49361 | HIGH | 7.5 | Apache Fluss (Incubating) | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE a… | 2026-06-01 |
| CVE-2026-40914 | MEDIUM | 4.3 | Apache Artemis Stomp Protocol | A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credent… | 2026-05-28 |
| CVE-2025-48977 | HIGH | 8.5 | Apache Ignite | Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any fi… | 2026-05-28 |
| CVE-2026-40564 | MEDIUM | 6.5 | Apache Flink Kubernetes Operator | Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apach… | 2026-05-26 |
| CVE-2026-42782 | HIGH | 7.2 | Apache Syncope | Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate en… | 2026-05-25 |
| CVE-2026-42797 | MEDIUM | 4.9 | Apache Syncope | Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with… | 2026-05-25 |
| CVE-2026-43827 | MEDIUM | 5.9 | Apache Shiro | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro… | 2026-05-25 |
| CVE-2026-43828 | MEDIUM | 5.9 | Apache Shiro | Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. … | 2026-05-25 |
| CVE-2026-44598 | MEDIUM | 5.1 | Apache Shiro Jakarta Ee Module | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery… | 2026-05-25 |
| CVE-2026-45249 | MEDIUM | 6.1 | Apache Echarts | A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logi… | 2026-05-25 |
| CVE-2026-45361 | HIGH | 8.1 | Apache Airflow Google Provider | Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposi… | 2026-05-25 |
| CVE-2026-46745 | MEDIUM | 5.3 | Apache Airflow Fab Provider | Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthent… | 2026-05-25 |
| CVE-2026-48589 | N/A | 0 | Apache Shiro | Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user … | 2026-05-25 |
| CVE-2026-44417 | HIGH | 7.5 | Apache Cxf | The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning … | 2026-05-22 |
| CVE-2026-44618 | MEDIUM | 5.3 | Apache Cxf | Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attack… | 2026-05-22 |
| CVE-2026-44930 | MEDIUM | 4.3 | Apache Cxf | An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow … | 2026-05-22 |
| CVE-2026-45760 | HIGH | 8.1 | Apache Camel K | (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controll… | 2026-05-21 |
| CVE-2026-48207 | CRITICAL | 9.8 | Apache Fory | Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented Des… | 2026-05-21 |
| CVE-2026-27173 | HIGH | 8.7 | Apache Airflow Cncf Kubernetes Provider | JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only acce… | 2026-05-19 |
| CVE-2026-29207 | MEDIUM | 6.5 | Apache Ofbiz | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This iss… | 2026-05-19 |
| CVE-2026-29220 | MEDIUM | 6.5 | Apache Ofbiz | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. … | 2026-05-19 |
| CVE-2026-29226 | HIGH | 7.3 | Apache Ofbiz | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue… | 2026-05-19 |
| CVE-2026-31378 | MEDIUM | 6.5 | Apache Ofbiz | Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. U… | 2026-05-19 |
| CVE-2026-31379 | MEDIUM | 6.1 | Apache Ofbiz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a… | 2026-05-19 |
| CVE-2026-31380 | MEDIUM | 6.5 | Apache Ofbiz | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Inj… | 2026-05-19 |
| CVE-2026-31387 | MEDIUM | 5.3 | Apache Ofbiz | Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Use… | 2026-05-19 |
| CVE-2026-31388 | MEDIUM | 5.3 | Apache Ofbiz | Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache … | 2026-05-19 |
| CVE-2026-31906 | MEDIUM | 6.1 | Apache Ofbiz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache O… | 2026-05-19 |
| CVE-2026-31909 | HIGH | 7.5 | Apache Ofbiz | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects … | 2026-05-19 |
| CVE-2026-31910 | HIGH | 7.5 | Apache Ofbiz | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.… | 2026-05-19 |
| CVE-2026-31986 | CRITICAL | 9.1 | Apache Ofbiz | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24… | 2026-05-19 |
| CVE-2026-35086 | MEDIUM | 6.5 | Apache Ofbiz | Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. Th… | 2026-05-19 |
| CVE-2026-41919 | CRITICAL | 9.1 | Apache Ofbiz | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache O… | 2026-05-19 |
| CVE-2026-42526 | MEDIUM | 5.3 | Apache Airflow Amazon Provider | In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior… | 2026-05-19 |
| CVE-2026-45187 | MEDIUM | 6.5 | Apache Ofbiz | Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.… | 2026-05-19 |
| CVE-2026-45434 | CRITICAL | 9.8 | Apache Ofbiz | Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Ex… | 2026-05-19 |
| CVE-2026-46586 | HIGH | 8.8 | Apache Ofbiz | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamicall… | 2026-05-19 |
| CVE-2026-47323 | CRITICAL | 9.8 | Apache Camel | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative Header… | 2026-05-19 |