Apache Software Foundation
347 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-33557 | CRITICAL | Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication | Apr 20, 2026 | 9.1 | 0.00 |
| CVE-2026-40948 | MEDIUM | Apache Airflow: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager | Apr 18, 2026 | 5.4 | 0.00 |
| CVE-2026-32690 | LOW | Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | Apr 18, 2026 | 3.7 | 0.00 |
| CVE-2026-32228 | HIGH | Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to | Apr 18, 2026 | 7.5 | 0.00 |
| CVE-2026-30912 | HIGH | Apache Airflow: Exposing stack trace in case of constraint error | Apr 18, 2026 | 7.5 | 0.00 |
| CVE-2026-30898 | HIGH | Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf | Apr 18, 2026 | 8.8 | 0.00 |
| CVE-2026-25917 | HIGH | Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | Apr 18, 2026 | 7.2 | 0.00 |
| CVE-2026-31987 | HIGH | Apache Airflow: JWT token appearing in logs | Apr 16, 2026 | 7.5 | 0.00 |
| CVE-2026-25219 | MEDIUM | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | Apr 15, 2026 | 6.5 | 0.00 |
| CVE-2026-30778 | HIGH | Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | Apr 15, 2026 | 7.5 | 0.00 |
| CVE-2026-33929 | MEDIUM | Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code | Apr 14, 2026 | 4.3 | 0.00 |
| CVE-2026-31924 | MEDIUM | Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP | Apr 14, 2026 | 5.3 | 0.00 |
| CVE-2026-31923 | HIGH | Apache APISIX: Openid-connect `tls_verify` field is disabled by default | Apr 14, 2026 | 7.5 | 0.00 |
| CVE-2026-31908 | CRITICAL | Apache APISIX: forward auth plugin allows header injection | Apr 14, 2026 | 9.1 | 0.00 |
| CVE-2026-33858 | HIGH | Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (`__type`/`__var`) Bypass in XCom API | Apr 13, 2026 | 8.8 | 0.00 |
| CVE-2026-34476 | HIGH | Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server | Apr 13, 2026 | 7.1 | 0.00 |
| CVE-2026-35565 | MEDIUM | Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI | Apr 13, 2026 | 5.4 | 0.00 |
| CVE-2026-35337 | HIGH | Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling | Apr 13, 2026 | 8.8 | 0.00 |
| CVE-2026-40023 | MEDIUM | Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters | Apr 10, 2026 | 5.3 | 0.00 |
| CVE-2026-40021 | MEDIUM | Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters | Apr 10, 2026 | 5.3 | 0.00 |
| CVE-2026-34481 | HIGH | Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout | Apr 10, 2026 | 7.5 | 0.00 |
| CVE-2026-34480 | HIGH | Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters | Apr 10, 2026 | 7.5 | 0.00 |
| CVE-2026-34479 | HIGH | Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters | Apr 10, 2026 | 7.5 | 0.00 |
| CVE-2026-34478 | HIGH | Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility | Apr 10, 2026 | 7.5 | 0.00 |
| CVE-2026-34477 | MEDIUM | Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass | Apr 10, 2026 | 5.9 | 0.00 |
Products (tracked vulnerabilities per product)

| Product | Tracked vulnerabilities |
| --- | --- |
| Apache Tomcat | 42 |
| Apache HTTP Server | 23 |
| Apache OFBiz | 20 |
| Apache Airflow | 19 |
| Apache OpenMeetings | 15 |
| Apache Camel | 11 |
| Apache Struts | 11 |
| Apache Thrift | 11 |
| Apache CXF | 9 |
| Apache ActiveMQ | 8 |
| Apache Atlas | 8 |
| Apache NiFi | 8 |
| Apache CloudStack | 7 |
| Apache ActiveMQ All | 6 |
| Apache Hadoop | 6 |
| Apache OpenOffice | 6 |
| Apache Wicket | 6 |
| Apache ActiveMQ Broker | 5 |
| Apache Ranger | 5 |
| Apache Ambari | 4 |
| Apache Log4j Core | 4 |
| Apache MINA | 4 |
| Apache OpenNLP | 4 |
| Apache Polaris | 4 |
| Apache Traffic Server | 4 |
| Apache APISIX | 3 |
| Apache Brooklyn | 3 |
| Apache CXF Fediz | 3 |
| Apache Cassandra | 3 |
| Apache DolphinScheduler | 3 |