Apache Software Foundation

560 tracked vulnerabilities.

CVE-2026-32990 MEDIUM
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-29146 HIGH
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Apr 09, 2026
CVSS 7.5
EPSS 0.05
CVE-2026-29145 CRITICAL
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-29129 HIGH
Apache Tomcat: TLS cipher order is not preserved
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25854 MEDIUM
Apache Tomcat: Occasionally open redirect
Apr 09, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-24880 HIGH
Apache Tomcat: Request smuggling via invalid chunk extension
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40046 HIGH
Apache ActiveMQ MQTT 6.0.0-6.2.3 - Remaining Length Integer Overflow
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34020 HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33266 HIGH
Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33005 MEDIUM
Apache OpenMeetings: Insufficient checks in FileWebService
Apr 09, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34538 MEDIUM
Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
Apr 09, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-32588 MEDIUM
Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing
Apr 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-27315 MEDIUM
Apache Cassandra: cqlsh history sensitive information leak
Apr 07, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-27314 HIGH
Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass
Apr 07, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35554 HIGH
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
Apr 07, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-34197 HIGH KEVNUCLEI
Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Apr 07, 2026
CVSS 8.8
EPSS 0.97
CVE-2026-33227 MEDIUM
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Classpath Directory
Apr 07, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32794 MEDIUM
Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
Mar 30, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32642 MEDIUM
Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-30911 HIGH
Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
Mar 17, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-28779 HIGH
Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
Mar 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-28563 MEDIUM
Apache Airflow: DAG authorization bypass
Mar 17, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-26929 MEDIUM
Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
Mar 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24308 HIGH
Apache ZooKeeper 3.8.5/3.9.4 - Info Disclosure
Mar 07, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-24281 HIGH
Apache ZooKeeper <3.8.6/3.9.5 - Auth Bypass
Mar 07, 2026
CVSS 7.4
EPSS 0.01