Apache Software Foundation
347 tracked vulnerabilities.
CVE-2026-35194
HIGH
Apache Flink: Remote code execution via SQL injection in code generation
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45205
MEDIUM
Apache Commons Configuration: StackOverflowError for YAML input with cycles
May 14, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43515
CRITICAL
Apache Tomcat: Security constraints not correctly applied
May 12, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43514
LOW
Apache Tomcat: AJP secret compared in non-constant time
May 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-43513
HIGH
Apache Tomcat: LockOutRealm treats user names as case-sensitive
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43512
CRITICAL
Apache Tomcat: Digest authenticator will authenticate any unknown user
May 12, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42498
HIGH
Apache Tomcat: WebSocket authentication header exposure
May 12, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41293
CRITICAL
Apache Tomcat: HTTP/2 request headers not validated
May 12, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-41284
HIGH
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43826
MEDIUM
Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41018
MEDIUM
Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39816
HIGH
Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25199
CRITICAL
Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
May 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25077
HIGH
Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43975
MEDIUM
Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager
May 06, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-43646
HIGH
Apache Wicket: crafted URLs can bypass PackageResourceGuard
May 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42509
MEDIUM
Apache Wicket: crafted strings can break out of the JavaScript sequence
May 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40010
CRITICAL
Apache Wicket: possible session fixation using AuthenticatedWebSession
May 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-28780
CRITICAL
Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
May 05, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-29168
HIGH
Apache HTTP Server: mod_md unrestricted OCSP response
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43870
HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43868
MEDIUM
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
May 05, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43869
HIGH
Apache Thrift: TSSLTransportFactory.java hostname verification
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-42812
CRITICAL
Apache Polaris: No protection on `write.metadata.path`
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42811
CRITICAL
Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions
May 04, 2026
CVSS 9.9
EPSS 0.00
Products
Apache Tomcat 42
Apache HTTP Server 23
Apache OFBiz 20
Apache Airflow 19
Apache OpenMeetings 15
Apache Camel 11
Apache Struts 11
Apache Thrift 11
Apache CXF 9
Apache ActiveMQ 8
Apache Atlas 8
Apache NiFi 8
Apache CloudStack 7
Apache ActiveMQ All 6
Apache Hadoop 6
Apache OpenOffice 6
Apache Wicket 6
Apache ActiveMQ Broker 5
Apache Ranger 5
Apache Ambari 4
Apache Log4j Core 4
Apache MINA 4
Apache OpenNLP 4
Apache Polaris 4
Apache Traffic Server 4
Apache APISIX 3
Apache Brooklyn 3
Apache CXF Fediz 3
Apache Cassandra 3
Apache DolphinScheduler 3