Apache Software Foundation

556 tracked vulnerabilities.

CVE-2026-55956 MEDIUM
Apache Tomcat: Security constraints for default servlet ignored method
Jun 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-55955 MEDIUM
Apache Tomcat: EncryptInterceptor not protected against replay attacks
Jun 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-55276 CRITICAL
Apache Tomcat: Logged effective web.xml is incomplete
Jun 29, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-53434 CRITICAL
Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector
Jun 29, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-53404 HIGH
Apache Tomcat: Bad ornext processing in RewriteValve
Jun 29, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-50229 MEDIUM
Apache Tomcat: XSS in number guess example
Jun 29, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-57915 HIGH
Apache Kerby: Kerberos Pre-Authentication Bypass
Jun 26, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-57914 MEDIUM
Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures
Jun 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49486 HIGH
Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P)
Jun 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-56130 LOW
Apache Shiro: Remember-me cookie isn't checked for expiry on the server
Jun 25, 2026
EPSS 0.00
CVE-2026-56091 HIGH
Apache Shiro: Authentication bypass in Guice-Web integration
Jun 25, 2026
EPSS 0.00
CVE-2026-54226 MEDIUM
Apache Kvrocks: RESTORE IntSet Integer Overflow Leads to Remote DoS
Jun 25, 2026
EPSS 0.00
CVE-2026-46752 CRITICAL
Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()
Jun 25, 2026
EPSS 0.00
CVE-2026-46751 MEDIUM
Apache Kvrocks 2.2.0-2.15.0 Lua Sandbox - Remote Denial of Service
Jun 25, 2026
EPSS 0.00
CVE-2026-45188 LOW
Apache Kvrocks: Replication Fullsync Path Traversal via Unvalidated Filename Handling
Jun 25, 2026
EPSS 0.00
CVE-2026-41566 CRITICAL
Apache Kvrocks: Improper permission for the APPLYBATCH command
Jun 25, 2026
EPSS 0.00
CVE-2026-54665 MEDIUM
Apache NiFi: Missing Validation for Proxy Host Headers
Jun 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44914 HIGH
Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents
Jun 22, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44913 HIGH
Apache NiFi: Improper Escaping of Table Names in CaptureChangeMySQL
Jun 22, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44911 MEDIUM
Apache NiFi: Incorrect Authorization for Configuration Verification Requests
Jun 22, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-49872 HIGH
Apache APISIX: Improper authentication in cas-auth plugin
Jun 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-49871 CRITICAL
Apache APISIX: cas-auth login CSRF / session injection issue
Jun 19, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-49231 MEDIUM
Apache APISIX 3.5.0-3.16.0 OPA Plugin - Identity Spoofing
Jun 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-49230 CRITICAL
Apache APISIX: Authentication bypass in jwe-decrypt
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-48895 HIGH
Apache APISIX: Cas-auth Host header influence on CAS service URL
Jun 19, 2026
CVSS 7.2
EPSS 0.00