Apache Software Foundation
347 tracked vulnerabilities.
CVE-2026-39304
HIGH
Apache ActiveMQ TLSv1.3 KeyUpdate - Memory Exhaustion Denial of Service
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34500
MEDIUM
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34487
HIGH
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34486
HIGH
NUCLEI
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
Apr 09, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-34483
HIGH
Apache Tomcat: Incomplete escaping of JSON access logs
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32990
MEDIUM
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-29146
HIGH
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Apr 09, 2026
CVSS 7.5
EPSS 0.13
CVE-2026-29145
CRITICAL
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Apr 09, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-29129
HIGH
Apache Tomcat: TLS cipher order is not preserved
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25854
MEDIUM
Apache Tomcat: Occasionally open redirect
Apr 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24880
HIGH
Apache Tomcat: Request smuggling via invalid chunk extension
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-40046
HIGH
Apache ActiveMQ MQTT 6.0.0-6.2.3 - Remaining Length Integer Overflow
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34020
HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33266
HIGH
Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33005
MEDIUM
Apache OpenMeetings: Insufficient checks in FileWebService
Apr 09, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34538
MEDIUM
Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32588
MEDIUM
Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing
Apr 07, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27315
MEDIUM
Apache Cassandra: cqlsh history sensitive information leak
Apr 07, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-27314
HIGH
Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass
Apr 07, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35554
HIGH
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
Apr 07, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-34197
HIGH
KEV NUCLEI
Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Apr 07, 2026
CVSS 8.8
EPSS 0.70
CVE-2026-33227
MEDIUM
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Classpath Directory
Apr 07, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32794
MEDIUM
Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
Mar 30, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32642
MEDIUM
Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-30911
HIGH
Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
Mar 17, 2026
CVSS 8.1
EPSS 0.00
Products
Apache Tomcat 42
Apache HTTP Server 23
Apache OFBiz 20
Apache Airflow 19
Apache OpenMeetings 15
Apache Camel 11
Apache Struts 11
Apache Thrift 11
Apache CXF 9
Apache ActiveMQ 8
Apache Atlas 8
Apache NiFi 8
Apache CloudStack 7
Apache ActiveMQ All 6
Apache Hadoop 6
Apache OpenOffice 6
Apache Wicket 6
Apache ActiveMQ Broker 5
Apache Ranger 5
Apache Ambari 4
Apache Log4j Core 4
Apache MINA 4
Apache OpenNLP 4
Apache Polaris 4
Apache Traffic Server 4
Apache APISIX 3
Apache Brooklyn 3
Apache CXF Fediz 3
Apache Cassandra 3
Apache DolphinScheduler 3