apache
3,082 tracked vulnerabilities.
CVE-2026-49876
MEDIUM
Apache Gravitino <= 1.2.1 - Authenticated Server-Side Request Forgery
Jul 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41041
CRITICAL
Apache Gravitino < 1.2.1 - URL Path Injection
Jul 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-57111
HIGH
Apache Helix REST: Permissive CORS Configuration in REST API Allows Unrestricted Cross-Origin
Jul 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-49487
MEDIUM
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-49296
MEDIUM
Apache Airflow: Per-DAG read bypass discloses co-located DAGs' source via GET /api/v2/dagSources/{dag_id}
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48892
MEDIUM
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-48891
MEDIUM
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Jul 07, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-48828
MEDIUM
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Jul 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33264
CRITICAL
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Jul 07, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-43825
HIGH
Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Jul 06, 2026
CVSS 7.3
EPSS 0.09
CVE-2026-49297
HIGH
Apache Airflow Google provider: Path traversal via GCS object names → local/SFTP filesystem (GCSToSFTPOperator + GCSTimeSpanFileTransformOperator)
Jul 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-49042
HIGH
Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46588
HIGH
Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-46587
HIGH
Apache Camel: Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Jul 06, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-56140
CRITICAL
Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components
Jul 06, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-56139
MEDIUM
Apache Camel Undertow - Stack Trace Information Disclosure
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-55994
HIGH
Apache Camel Iggy - Server-Side Request Forgery via Iggy User Headers
Jul 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55993
HIGH
Apache Camel Atmosphere Websocket - Server-Side Request Forgery via Query Parameters
Jul 06, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53913
CRITICAL
Apache Camel Keycloak 4.18.3 and 4.21.0 - Remote Code Execution
Jul 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-49365
MEDIUM
Apache Camel Netty HTTP - Stack Trace Information Disclosure
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49099
MEDIUM
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49098
MEDIUM
Apache Camel Kafka - Kafka Header Control Injection
Jul 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49097
MEDIUM
Apache Camel IRC - Message Redirection via irc.* Headers
Jul 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49086
MEDIUM
Apache Camel Dapr - Pub/Sub Message Rerouting via CloudEvent Headers
Jul 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48206
MEDIUM
Apache Camel Jira 4.14.8, 4.18.3, and 4.21.0 - Authorization Bypass
Jul 06, 2026
CVSS 5.3
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters