Apache Software Foundation

556 tracked vulnerabilities.

CVE-2026-47065 CRITICAL
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
Jun 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-46718 MEDIUM
Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution
Jun 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41115 MEDIUM
Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
Jun 02, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-49328 MEDIUM
Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
Jun 01, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-49361 HIGH
Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability
Jun 01, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-49298 HIGH
Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments
Jun 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49270 MEDIUM
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-49267 MEDIUM
Apache Airflow: No certificate validation on SMTP STARTTLS connections
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-49157 HIGH
Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Jun 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-48827 HIGH
Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git
Jun 01, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-48726 MEDIUM
Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46764 MEDIUM
Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-46605 MEDIUM
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45505 HIGH
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-45426 LOW
Apache Airflow Log Server - JWT Authorization Bypass
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-45360 HIGH
Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Jun 01, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-44825 HIGH
Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Jun 01, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-42588 HIGH
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
Jun 01, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-42360 MEDIUM
Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42359 HIGH
Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42358 MEDIUM
Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42253 MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
Jun 01, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-42252 CRITICAL
Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Jun 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41084 HIGH
Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
Jun 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41017 MEDIUM
Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Jun 01, 2026
CVSS 5.9
EPSS 0.00