Apache Software Foundation
347 tracked vulnerabilities.
CVE ID | Severity | Title | Published | CVSS | EPSS
CVE-2026-42810 | CRITICAL | Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names | May 04, 2026 | 9.9 | 0.00
CVE-2026-42809 | CRITICAL | Apache Polaris: staged table creation could vend storage credentials for unvalidated locations | May 04, 2026 | 9.9 | 0.00
CVE-2026-42440 | HIGH | Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader | May 04, 2026 | 7.5 | 0.00
CVE-2026-42027 | CRITICAL | Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader | May 04, 2026 | 9.8 | 0.00
CVE-2026-40682 | CRITICAL | Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor | May 04, 2026 | 9.1 | 0.00
CVE-2026-40563 | HIGH | Apache Atlas: Script injection allows access to unintended data | May 04, 2026 | 8.1 | 0.00
CVE-2026-33523 | MEDIUM | Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line | May 04, 2026 | 6.5 | 0.00
CVE-2026-33007 | MEDIUM | Apache HTTP Server: mod_authn_socache crash | May 04, 2026 | 5.3 | 0.01
CVE-2026-33006 | MEDIUM | Apache HTTP Server: mod_auth_digest timing attack | May 04, 2026 | 4.8 | 0.00
CVE-2026-29169 | HIGH | Apache HTTP Server: mod_dav_lock indirect lock crash | May 04, 2026 | 7.5 | 0.01
CVE-2026-23918 | HIGH | Apache HTTP Server: http2: double free and possible RCE on early reset | May 04, 2026 | 8.8 | 0.00
CVE-2026-34032 | MEDIUM | Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) | May 04, 2026 | 5.3 | 0.00
CVE-2026-33857 | MEDIUM | Apache HTTP Server: Off-by-one OOB reads in AJP getter functions | May 04, 2026 | 5.3 | 0.00
CVE-2026-34059 | HIGH | Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data() | May 04, 2026 | 7.5 | 0.00
CVE-2026-24072 | HIGH | Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr | May 04, 2026 | 8.8 | 0.00
CVE-2026-42779 | CRITICAL | Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2) | May 01, 2026 | 9.8 | 0.00
CVE-2026-42778 | CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2) | May 01, 2026 | 9.8 | 0.00
CVE-2026-42404 | MEDIUM | Apache Neethi: Unrestricted HTTP Redirect Following in Policy References | May 01, 2026 | 6.5 | 0.00
CVE-2026-42403 | HIGH | Apache Neethi: Circular Policy Reference Infinite Loop | May 01, 2026 | 7.5 | 0.00
CVE-2026-42402 | HIGH | Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS | May 01, 2026 | 7.5 | 0.00
CVE-2026-41016 | MEDIUM | Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider | Apr 30, 2026 | 5.9 | 0.00
CVE-2026-41873 | CRITICAL | Pony Mail: Admin account takeover via request smuggling | Apr 28, 2026 | 9.8 | 0.00
CVE-2026-41636 | HIGH | Apache Thrift: Node.js skip() recursion | Apr 28, 2026 | 7.5 | 0.00
CVE-2026-41607 | MEDIUM | Apache Thrift: C++ JSON OOB read | Apr 28, 2026 | 6.5 | 0.00
CVE-2026-41606 | MEDIUM | Apache Thrift: c_glib dispatch stack overflow | Apr 28, 2026 | 5.3 | 0.00
Products
Apache Tomcat 42
Apache HTTP Server 23
Apache OFBiz 20
Apache Airflow 19
Apache OpenMeetings 15
Apache Camel 11
Apache Struts 11
Apache Thrift 11
Apache CXF 9
Apache ActiveMQ 8
Apache Atlas 8
Apache NiFi 8
Apache CloudStack 7
Apache ActiveMQ All 6
Apache Hadoop 6
Apache OpenOffice 6
Apache Wicket 6
Apache ActiveMQ Broker 5
Apache Ranger 5
Apache Ambari 4
Apache Log4j Core 4
Apache MINA 4
Apache OpenNLP 4
Apache Polaris 4
Apache Traffic Server 4
Apache APISIX 3
Apache Brooklyn 3
Apache CXF Fediz 3
Apache Cassandra 3
Apache DolphinScheduler 3