Apache Software Foundation

556 tracked vulnerabilities.

CVE-2026-59245 ANALYSIS PENDING
Apache Airflow Fab Provider < 3.7.2 - Privilege Escalation
Jul 13, 2026
CVE-2026-58065 ANALYSIS PENDING
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Jul 13, 2026
CVE-2026-49876 MEDIUM
Apache Gravitino <= 1.2.1 - Authenticated Server-Side Request Forgery
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41041 CRITICAL
Apache Gravitino < 1.2.1 - URL Path Injection
Jul 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-49844 MEDIUM
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Jul 10, 2026
EPSS 0.01
CVE-2026-40454 HIGH
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40452 HIGH
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40009 MEDIUM
Apache IoTDB 2.0.8 to < 2.0.10 - Authenticated Privilege Escalation
Jul 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-40008 CRITICAL
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Jul 10, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40007 HIGH
Apache IoTDB: Unauthenticated unbounded recursion in IoTDB AirGap receiver's E-language prefix parser causes per-connection StackOverflowError
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40006 HIGH
Apache IoTDB: Unauthenticated heap-exhaustion DoS via unbounded allocation in IoTDB AirGap pipe receiver
Jul 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40005 CRITICAL
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Jul 10, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-28564 CRITICAL
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Jul 10, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-57111 HIGH
Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Jul 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41042 CRITICAL
Apache Gravitino < 1.2.1 testConnection - Unauthenticated Remote Code Execution
Jul 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-49487 MEDIUM
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-49296 MEDIUM
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48892 MEDIUM
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48891 MEDIUM
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Jul 07, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-48828 MEDIUM
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33264 CRITICAL
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Jul 07, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-43825 HIGH
Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Jul 06, 2026
CVSS 7.3
EPSS 0.09
CVE-2026-49297 HIGH
Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-49042 HIGH
Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46588 HIGH
Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00