Apache Software Foundation

556 tracked vulnerabilities.

CVE-2026-46453 MEDIUM
Apache Camel 4.14.8, 4.18.3, and 4.21.0 - Authorization Bypass
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43867 CRITICAL
Apache Camel PQC - AWS Secrets Manager Metadata Deserialization
Jul 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-43866 HIGH
Apache Camel, Apache Camel: Camel JMS - CVE-2026-40860 fix bypass via DefaultExchangeHolder
Jul 06, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-43865 HIGH
Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed Hazelcast instances enables remote code execution
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-42527 HIGH
Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-40859 HIGH
Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a raw ObjectInputStream when transferException is enabled
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-40047 CRITICAL
Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
Jul 06, 2026
CVSS 9.1
EPSS 0.02
CVE-2026-24014 CRITICAL
Apache IoTDB: Path Traversal in DataNode Internal RPC Trigger JAR Upload Allows Arbitrary File Write
Jul 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24013 CRITICAL
Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC
Jul 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-24012 HIGH
Apache IoTDB: Denial of Service via Resource Exhaustion in Aggregation Query
Jul 06, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-47896 HIGH
Apache Lucene.Net: Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server
Jul 03, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-47898 CRITICAL
Apache Lucene.Net Analysis.Common PatternParser - XML External Entity Injection
Jul 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-47897 HIGH
Apache Lucene.Net: Arbitrary file write from malicious server to Lucene.Net.Replicator client
Jul 03, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-54428 HIGH
Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
Jul 01, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-54399 HIGH
Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration
Jul 01, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-54475 HIGH
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53917 HIGH
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53916 HIGH
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-52760 MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console
Jun 30, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-50750 HIGH
Apache ActiveMQ 5.19.7 and 6.2.6 - Unauthenticated OpenWire Denial of Service
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-50734 HIGH
Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire memory-allocation DoS during wire format negotiation
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-49877 HIGH
Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console
Jun 30, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-49434 HIGH
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: LdapNetworkConnector instantiates denied transports and a remote-properties broker
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-49432 HIGH
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service
Jun 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-55957 HIGH
Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind
Jun 29, 2026
CVSS 7.3
EPSS 0.00