Apache Software Foundation
556 tracked vulnerabilities.
CVE-2026-47341
MEDIUM
Apache APISIX 3.11.0-3.16.0 hmac-auth - Session Replay
Jun 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-47339
HIGH
Apache APISIX: authz-casdoor incorrect session sharing
Jun 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44915
MEDIUM
Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
Jun 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44087
CRITICAL
Apache APISIX: Openid-connect plugin Identity Header Spoofing
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-44046
MEDIUM
Apache APISIX: wolf-rbac plugin Identity Spoofing
Jun 19, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-39999
CRITICAL
Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-39998
HIGH
Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Jun 19, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49268
CRITICAL
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-50203
CRITICAL
Apache Airflow Sftp Provider < 5.8.1 - Path Traversal
Jun 17, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-47340
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Alert Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42357
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Workflow Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41280
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Task Definition Deletion
Jun 17, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-32967
CRITICAL
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-32966
CRITICAL
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Jun 17, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-50645
HIGH
Apache CXF: No restriction on attachment headers per message
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-50634
MEDIUM
Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50633
HIGH
Apache CXF JCA Integration - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50632
HIGH
Apache CXF JMSConfigFactory - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50631
HIGH
Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
Jun 12, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-50630
MEDIUM
Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50629
MEDIUM
Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-50628
CRITICAL
Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control
Jun 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-50627
CRITICAL
Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator
Jun 12, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-50623
MEDIUM
Apache CXF: Authentication Bypass in OAuth2 TokenIntrospectionService
Jun 12, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-49875
CRITICAL
Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
Jun 12, 2026
CVSS 9.8
EPSS 0.01
Products
Apache Tomcat 50
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters