Apache Software Foundation
556 tracked vulnerabilities.
CVE-2026-41014
MEDIUM
Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40963
LOW
Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-40961
HIGH
Apache Airflow: Open Redirect Bypass Vulnerability
Jun 01, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-40861
MEDIUM
Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
Jun 01, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-45192
MEDIUM
Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35563
HIGH
Apache Directory LDAP API - Missing TLS Hostname Verification
Jun 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-40914
MEDIUM
Apache ActiveMQ Artemis STOMP - Address Routing Authorization Bypass
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40564
MEDIUM
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48589
MEDIUM
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44598
MEDIUM
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43828
MEDIUM
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43827
MEDIUM
Apache Shiro: Session fixation: new session is not created after login by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42797
MEDIUM
Apache Syncope: JexlContextBuilder Information Disclosure
May 25, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-42782
HIGH
Apache Syncope: Post-auth RCE via Groovy static
May 25, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-46745
MEDIUM
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
May 25, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45361
HIGH
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
May 25, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-45249
MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-44930
CRITICAL
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
May 22, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44618
MEDIUM
Apache CXF: XXE vulnerability in WS-Transfer functionality
May 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44417
HIGH
Apache CXF JMS Configuration - Remote Code Execution
May 22, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-48207
CRITICAL
Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement
May 21, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-45760
HIGH
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
May 21, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42526
MEDIUM
Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
May 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-27173
HIGH
Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments
May 19, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47323
CRITICAL
Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
May 19, 2026
CVSS 9.8
EPSS 0.01
Products
Apache Tomcat 50
Apache Airflow 42
Apache HTTP Server 36
Apache Camel 33
Apache ActiveMQ 23
Apache OFBiz 22
Apache CXF 20
Apache ActiveMQ All 17
Apache APISIX 15
Apache OpenMeetings 15
Apache ActiveMQ Broker 13
Apache IoTDB 12
Apache NiFi 12
Apache Struts 12
Apache Thrift 11
Apache Atlas 9
Apache DolphinScheduler 8
Apache Answer 7
Apache CloudStack 7
Apache Hadoop 6
Apache OpenOffice 6
Apache Shiro 6
Apache Wicket 6
Apache Kvrocks 5
Apache MINA 5
Apache Ranger 5
Apache ActiveMQ Client 4
Apache Ambari 4
Apache Gravitino 4
Apache Log4j 1.x 4
Quick Filters