apache

3,082 tracked vulnerabilities.

CVE-2026-49876 MEDIUM
Apache Gravitino <= 1.2.1 - Authenticated Server-Side Request Forgery
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41041 CRITICAL
Apache Gravitino < 1.2.1 - URL Path Injection
Jul 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-57111 HIGH
Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Jul 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-49487 MEDIUM
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-49296 MEDIUM
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48892 MEDIUM
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48891 MEDIUM
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Jul 07, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-48828 MEDIUM
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33264 CRITICAL
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Jul 07, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-43825 HIGH
Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Jul 06, 2026
CVSS 7.3
EPSS 0.09
CVE-2026-49297 HIGH
Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-49042 HIGH
Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46588 HIGH
Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46587 HIGH
Apache Camel: Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-56140 CRITICAL
Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components
Jul 06, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-56139 MEDIUM
Apache Camel Undertow - Stack Trace Information Disclosure
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-55994 HIGH
Apache Camel Iggy - Server-Side Request Forgery via Iggy User Headers
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55993 HIGH
Apache Camel Atmosphere Websocket - Server-Side Request Forgery via Query Parameters
Jul 06, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53913 CRITICAL
Apache Camel Keycloak 4.18.3 and 4.21.0 - Remote Code Execution
Jul 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-49365 MEDIUM
Apache Camel Netty HTTP - Stack Trace Information Disclosure
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49099 MEDIUM
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49098 MEDIUM
Apache Camel Kafka - Kafka Header Control Injection
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49097 MEDIUM
Apache Camel IRC - Message Redirection via irc.* Headers
Jul 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49086 MEDIUM
Apache Camel Dapr - Pub/Sub Message Rerouting via CloudEvent Headers
Jul 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48206 MEDIUM
Apache Camel Jira 4.14.8, 4.18.3, and 4.21.0 - Authorization Bypass
Jul 06, 2026
CVSS 5.3
EPSS 0.00