Apache Software Foundation
560 tracked vulnerabilities.
CVE-2026-27446
CRITICAL
Apache Artemis/ActiveMQ Artemis - Auth Bypass
Mar 04, 2026
CVSS 9.8
EPSS 0.11
CVE-2026-25747
HIGH
Apache Camel LevelDB - Deserialization
Feb 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-24734
HIGH
Apache Tomcat Native 1.3.0-1.3.4 - Auth Bypass
Feb 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25903
MEDIUM
Apache NiFi 1.1.0-2.7.2 - Privilege Escalation
Feb 17, 2026
CVSS 6.6
EPSS 0.01
CVE-2025-53648
MEDIUM
Apache Gravitino: SQL misconfiguration can access or truncate files
Jun 30, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-64152
CRITICAL
Apache IoTDB: Path Traversal Vulnerability
Jun 26, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-55017
CRITICAL
Apache IoTDB: Path Traversal Vulnerability
Jun 26, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-66336
HIGH
Apache Doris MCP Server: SQL injection leading the authentication bypass
Jun 22, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-62198
MEDIUM
Apache Atlas: Stored XSS in Create Entity page
Jun 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-48977
MEDIUM
Apache Ignite: REST HTTP arbitrary file read vulnerability
May 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-69233
MEDIUM
Apache CloudStack: Domain/account resources limits not honored
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66467
HIGH
Apache CloudStack: MinIO policy remains intact on bucket deletion
May 08, 2026
CVSS 8.0
EPSS 0.00
CVE-2025-66172
HIGH
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
May 08, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66171
MEDIUM
Apache CloudStack: Any user can create a new VM from backups they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-66170
MEDIUM
Apache CloudStack: Any user can list backups that they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-48431
HIGH
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Apr 28, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-62233
MEDIUM
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Apr 24, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-66335
MEDIUM
Apache Doris MCP Server: MCP SQL inject
Apr 20, 2026
CVSS 5.3
EPSS 0.01
CVE-2025-54550
HIGH
Apache Airflow: RCE by race condition in example_xcom dag
Apr 15, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66236
HIGH
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Apr 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-57735
CRITICAL
Apache Airflow: Airflow Logout Not Invalidating JWT
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2025-62188
HIGH
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-65114
HIGH
Apache Traffic Server: Malformed chunked message body allows request smuggling
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-58136
HIGH
Apache Traffic Server: A simple legitimate POST request causes a crash
Apr 02, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-54920
HIGH
Apache Spark <3.5.7/4.0.1 - Deserialization
Mar 16, 2026
CVSS 8.8
EPSS 0.05
Products
Apache Tomcat 52
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters