Apache Software Foundation
556 tracked vulnerabilities.
CVE-2026-59245
ANALYSIS PENDING
Apache Airflow Fab Provider < 3.7.2 - Privilege Escalation
Jul 13, 2026
CVE-2026-58065
ANALYSIS PENDING
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Jul 13, 2026
CVE-2026-49876
MEDIUM
Apache Gravitino <= 1.2.1 - Authenticated Server-Side Request Forgery
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41041
CRITICAL
Apache Gravitino < 1.2.1 - URL Path Injection
Jul 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-49844
MEDIUM
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Jul 10, 2026
EPSS 0.01
CVE-2026-40454
HIGH
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40452
HIGH
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40009
MEDIUM
Apache IoTDB 2.0.8 to < 2.0.10 - Authenticated Privilege Escalation
Jul 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-40008
CRITICAL
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Jul 10, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40007
HIGH
Apache IoTDB: Unauthenticated unbounded recursion in IoTDB AirGap receiver's E-language prefix parser causes per-connection StackOverflowError
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40006
HIGH
Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded allocation in IoTDB AirGap pipe receiver
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40005
CRITICAL
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Jul 10, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-28564
CRITICAL
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Jul 10, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-57111
HIGH
Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Jul 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41042
CRITICAL
Apache Gravitino < 1.2.1 testConnection - Unauthenticated Remote Code Execution
Jul 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-49487
MEDIUM
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-49296
MEDIUM
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48892
MEDIUM
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48891
MEDIUM
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Jul 07, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-48828
MEDIUM
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33264
CRITICAL
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Jul 07, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-43825
HIGH
Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Jul 06, 2026
CVSS 7.3
EPSS 0.09
CVE-2026-49297
HIGH
Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-49042
HIGH
Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46588
HIGH
Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00
Products
Apache Tomcat 50
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters