Apache Software Foundation

556 tracked vulnerabilities.

CVE-2026-41014 MEDIUM
Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40963 LOW
Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-40961 HIGH
Apache Airflow: Open Redirect Bypass Vulnerability
Jun 01, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-40861 MEDIUM
Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
Jun 01, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-45192 MEDIUM
Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35563 HIGH
Apache Directory LDAP API - Missing TLS Hostname Verification
Jun 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-40914 MEDIUM
Apache ActiveMQ Artemis STOMP - Address Routing Authorization Bypass
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40564 MEDIUM
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48589 MEDIUM
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44598 MEDIUM
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43828 MEDIUM
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43827 MEDIUM
Apache Shiro: Session fixation: new session is not created after login by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42797 MEDIUM
Apache Syncope: JexlContextBuilder Information Disclosure
May 25, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-42782 HIGH
Apache Syncope: Post-auth RCE via Groovy static
May 25, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-46745 MEDIUM
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
May 25, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45361 HIGH
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
May 25, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-45249 MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-44930 CRITICAL
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
May 22, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44618 MEDIUM
Apache CXF: XXE vulnerability in WS-Transfer functionality
May 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44417 HIGH
Apache CXF JMS Configuration - Remote Code Execution
May 22, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-48207 CRITICAL
Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement
May 21, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-45760 HIGH
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
May 21, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42526 MEDIUM
Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends
May 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-27173 HIGH
Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments
May 19, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47323 CRITICAL
Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering
May 19, 2026
CVSS 9.8
EPSS 0.01