Apache Software Foundation
560 tracked vulnerabilities.
CVE-2026-30898
HIGH
Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf
Apr 18, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-25917
HIGH
Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)
Apr 18, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-31987
HIGH
Apache Airflow: JWT token appearing in logs
Apr 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25219
MEDIUM
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
Apr 15, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-30778
HIGH
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Apr 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33929
MEDIUM
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Apr 14, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-31924
MEDIUM
Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
Apr 14, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-31923
HIGH
Apache APISIX: Openid-connect `tls_verify` field is disabled by default
Apr 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31908
CRITICAL
Apache APISIX: forward auth plugin allows header injection
Apr 14, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33858
HIGH
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
Apr 13, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-34476
HIGH
Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server
Apr 13, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35565
MEDIUM
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Apr 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35337
HIGH
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Apr 13, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-40023
MEDIUM
Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-40021
MEDIUM
Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-34481
HIGH
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34480
HIGH
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34479
HIGH
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34478
HIGH
Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34477
MEDIUM
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Apr 10, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-39304
HIGH
Apache ActiveMQ TLSv1.3 KeyUpdate - Memory Exhaustion Denial of Service
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34500
MEDIUM
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34487
HIGH
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34486
HIGH
NUCLEI
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
Apr 09, 2026
CVSS 7.5
EPSS 0.22
CVE-2026-34483
HIGH
Apache Tomcat: Incomplete escaping of JSON access logs
Apr 09, 2026
CVSS 7.5
EPSS 0.00
Products
Apache Tomcat 52
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters