Apache Software Foundation
347 tracked vulnerabilities.
| CVE | Severity | Title | Date | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-28779 | HIGH | Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications | Mar 17, 2026 | 7.5 | 0.00 |
| CVE-2026-28563 | MEDIUM | Apache Airflow: DAG authorization bypass | Mar 17, 2026 | 4.3 | 0.00 |
| CVE-2026-26929 | MEDIUM | Apache Airflow: Wildcard DagVersion Listing Bypasses Per-DAG RBAC and Leaks Metadata | Mar 17, 2026 | 6.5 | 0.00 |
| CVE-2026-27446 | CRITICAL | Apache Artemis/ActiveMQ Artemis - Auth Bypass | Mar 04, 2026 | 9.8 | 0.00 |
| CVE-2026-25747 | HIGH | Apache Camel LevelDB - Deserialization | Feb 23, 2026 | 8.8 | 0.00 |
| CVE-2026-25903 | MEDIUM | Apache NiFi 1.1.0-2.7.2 - Privilege Escalation | Feb 17, 2026 | 6.6 | 0.00 |
| CVE-2025-69233 | MEDIUM | Apache CloudStack: Domain/account resources limits not honored | May 08, 2026 | 6.5 | 0.00 |
| CVE-2025-66467 | HIGH | Apache CloudStack: MinIO policy remains intact on bucket deletion | May 08, 2026 | 8.0 | 0.00 |
| CVE-2025-66172 | HIGH | Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to | May 08, 2026 | 8.1 | 0.00 |
| CVE-2025-66171 | MEDIUM | Apache CloudStack: Any user can create a new VM from backups they should not have access to | May 08, 2026 | 6.5 | 0.00 |
| CVE-2025-66170 | MEDIUM | Apache CloudStack: Any user can list backups that they should not have access to | May 08, 2026 | 6.5 | 0.00 |
| CVE-2025-48431 | HIGH | Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error. | Apr 28, 2026 | 7.5 | 0.00 |
| CVE-2025-62233 | MEDIUM | Apache DolphinScheduler: Deserialization of untrusted data in RPC | Apr 24, 2026 | 6.3 | 0.00 |
| CVE-2025-66335 | MEDIUM | Apache Doris MCP Server: MCP SQL inject | Apr 20, 2026 | 5.3 | 0.00 |
| CVE-2025-54550 | HIGH | Apache Airflow: RCE by race condition in example_xcom dag | Apr 15, 2026 | 8.1 | 0.00 |
| CVE-2025-66236 | HIGH | Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | Apr 13, 2026 | 7.5 | 0.00 |
| CVE-2025-57735 | CRITICAL | Apache Airflow: Airflow Logout Not Invalidating JWT | Apr 09, 2026 | 9.1 | 0.00 |
| CVE-2025-62188 | HIGH | Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint. | Apr 09, 2026 | 7.5 | 0.00 |
| CVE-2025-65114 | HIGH | Apache Traffic Server: Malformed chunked message body allows request smuggling | Apr 02, 2026 | 7.5 | 0.00 |
| CVE-2025-58136 | HIGH | Apache Traffic Server: A simple legitimate POST request causes a crash | Apr 02, 2026 | 7.5 | 0.00 |
| CVE-2025-54920 | HIGH | Apache Spark <3.5.7/4.0.1 - Deserialization | Mar 16, 2026 | 8.8 | 0.00 |
| CVE-2025-66249 | MEDIUM | Apache Livy 0.3.0-0.9.0 - Path Traversal | Mar 13, 2026 | 6.3 | 0.00 |
| CVE-2025-60012 | MEDIUM | Apache Livy 0.7.0-0.8.0 - Unauthorized File Access | Mar 13, 2026 | 6.3 | 0.00 |
| CVE-2025-66168 | MEDIUM | Apache ActiveMQ - Memory Corruption | Mar 04, 2026 | 5.4 | 0.00 |
| CVE-2025-66614 | CRITICAL | Apache Tomcat 11.0.0-M1-11.0.14 - DoS | Feb 17, 2026 | 9.1 | 0.00 |
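The first Airflow entry in the list above (CVE-2026-28779) describes a session cookie whose Path attribute is not narrowed to the application's base_url, so a second application served from a different path prefix on the same host also receives the cookie. The following is an added example, not code from this page or from Apache Airflow: it models RFC 6265 path-matching in plain Python to show which cookies a browser would attach to a request, contrasting a host-wide cookie with one scoped to the mount prefix. The mount paths (/airflow, /other-app, /airflow-legacy) and the cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie


def default_path(request_uri_path: str) -> str:
    """Default cookie path (RFC 6265 section 5.1.4) when Set-Cookie carries no
    Path: the request path up to, but not including, its right-most '/'."""
    if not request_uri_path.startswith("/"):
        return "/"
    last_slash = request_uri_path.rfind("/")
    if last_slash == 0:
        return "/"
    return request_uri_path[:last_slash]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie is sent when the request
    path equals the cookie path, or the cookie path is a prefix that either
    ends in '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def cookies_sent_to(set_cookie_headers, set_by_path: str, request_path: str):
    """Names of the cookies (from Set-Cookie header values issued by a response
    for set_by_path) that a browser would attach to request_path on the same
    host. Only Path scoping is modelled; Domain and Secure are ignored."""
    sent = []
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            cookie_path = morsel["path"] or default_path(set_by_path)
            if path_matches(request_path, cookie_path):
                sent.append(name)
    return sent


# Constructed Set-Cookie values for illustration (not taken from Airflow).
# Weak: an app mounted under /airflow issues a session cookie scoped to the whole host,
# so a co-hosted app under another prefix receives it on every request.
WEAK = "session=abc123; Path=/; HttpOnly; Secure"
# Hardened: Path restricted to the app's own mount prefix (its base_url).
SCOPED = "session=abc123; Path=/airflow; HttpOnly; Secure"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("scoped", SCOPED)):
        for target in ("/airflow/home", "/other-app/", "/airflow-legacy/"):
            sent = cookies_sent_to([header], "/airflow/login", target)
            print(f"{label:6} -> {target:18} sends {sent}")
```

Two details worth noticing when checking a deployment: a cookie with no Path attribute defaults to the directory of the URL that set it, which is narrower than Path=/ but still wider than the mount prefix if the login endpoint sits at the root; and a scoped Path=/airflow does not leak to /airflow-legacy/, because the prefix must be followed by a slash to match.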
Products

| Product | Tracked vulnerabilities |
|---|---|
| Apache Tomcat | 42 |
| Apache HTTP Server | 23 |
| Apache OFBiz | 20 |
| Apache Airflow | 19 |
| Apache OpenMeetings | 15 |
| Apache Camel | 11 |
| Apache Struts | 11 |
| Apache Thrift | 11 |
| Apache CXF | 9 |
| Apache ActiveMQ | 8 |
| Apache Atlas | 8 |
| Apache NiFi | 8 |
| Apache CloudStack | 7 |
| Apache ActiveMQ All | 6 |
| Apache Hadoop | 6 |
| Apache OpenOffice | 6 |
| Apache Wicket | 6 |
| Apache ActiveMQ Broker | 5 |
| Apache Ranger | 5 |
| Apache Ambari | 4 |
| Apache Log4j Core | 4 |
| Apache MINA | 4 |
| Apache OpenNLP | 4 |
| Apache Polaris | 4 |
| Apache Traffic Server | 4 |
| Apache APISIX | 3 |
| Apache Brooklyn | 3 |
| Apache CXF Fediz | 3 |
| Apache Cassandra | 3 |
| Apache DolphinScheduler | 3 |