Apache Software Foundation

560 tracked vulnerabilities.

CVE-2026-27446 CRITICAL
Apache Artemis/ActiveMQ Artemis - Auth Bypass
Mar 04, 2026
CVSS 9.8
EPSS 0.11
CVE-2026-25747 HIGH
Apache Camel LevelDB - Deserialization
Feb 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-24734 HIGH
Apache Tomcat Native 1.3.0-1.3.4 - Auth Bypass
Feb 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25903 MEDIUM
Apache NiFi 1.1.0-2.7.2 - Privilege Escalation
Feb 17, 2026
CVSS 6.6
EPSS 0.01
CVE-2025-53648 MEDIUM
Apache Gravitino: SQL misconfiguration can access or truncate files
Jun 30, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-64152 CRITICAL
Apache IoTDB: Path Traversal Vulnerability
Jun 26, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-55017 CRITICAL
Apache IoTDB: Path Traversal Vulnerability
Jun 26, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-66336 HIGH
Apache Doris MCP Server: SQL injection leading the authentication bypass
Jun 22, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-62198 MEDIUM
Apache Atlas: Stored XSS in Create Entity page
Jun 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-48977 MEDIUM
Apache Ignite: REST HTTP arbitrary file read vulnerability
May 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-69233 MEDIUM
Apache CloudStack: Domain/account resources limits not honored
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66467 HIGH
Apache CloudStack: MinIO policy remains intact on bucket deletion
May 08, 2026
CVSS 8.0
EPSS 0.00
CVE-2025-66172 HIGH
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
May 08, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66171 MEDIUM
Apache CloudStack: Any user can create a new VM from backups they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-66170 MEDIUM
Apache CloudStack: Any user can list backups that they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-48431 HIGH
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Apr 28, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-62233 MEDIUM
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Apr 24, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-66335 MEDIUM
Apache Doris MCP Server: MCP SQL inject
Apr 20, 2026
CVSS 5.3
EPSS 0.01
CVE-2025-54550 HIGH
Apache Airflow: RCE by race condition in example_xcom dag
Apr 15, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66236 HIGH
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Apr 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-57735 CRITICAL
Apache Airflow: Airflow Logout Not Invalidating JWT
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2025-62188 HIGH
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-65114 HIGH
Apache Traffic Server: Malformed chunked message body allows request smuggling
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-58136 HIGH
Apache Traffic Server: A simple legitimate POST request causes a crash
Apr 02, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-54920 HIGH
Apache Spark <3.5.7/4.0.1 - Deserialization
Mar 16, 2026
CVSS 8.8
EPSS 0.05