Apache Software Foundation
556 tracked vulnerabilities.
CVE-2026-47065
CRITICAL
Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
Jun 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-46718
MEDIUM
Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution
Jun 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41115
MEDIUM
Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API
Jun 02, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-49328
MEDIUM
Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
Jun 01, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-49361
HIGH
Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability
Jun 01, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-49298
HIGH
Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments
Jun 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49270
MEDIUM
Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-49267
MEDIUM
Apache Airflow: No certificate validation on SMTP STARTTLS connections
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-49157
HIGH
Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Jun 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-48827
HIGH
Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git
Jun 01, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-48726
MEDIUM
Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46764
MEDIUM
Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-46605
MEDIUM
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45505
HIGH
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-45426
LOW
Apache Airflow Log Server - JWT Authorization Bypass
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-45360
HIGH
Apache Airflow: Arbitrary import in custom deadline-reference deserialization
Jun 01, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-44825
HIGH
Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Jun 01, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-42588
HIGH
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
Jun 01, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-42360
MEDIUM
Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42359
HIGH
Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42358
MEDIUM
Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42253
MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
Jun 01, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-42252
CRITICAL
Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Jun 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41084
HIGH
Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
Jun 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41017
MEDIUM
Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Jun 01, 2026
CVSS 5.9
EPSS 0.00
Products
Apache Tomcat 50
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters