apache
3,084 tracked vulnerabilities.
CVE-2026-32690
LOW
Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1
Apr 18, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32228
HIGH
Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to
Apr 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-30912
HIGH
Apache Airflow: Exposing stack trace in case of constraint error
Apr 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-30898
HIGH
Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf
Apr 18, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-25917
HIGH
Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)
Apr 18, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-31987
HIGH
Apache Airflow: JWT token appearing in logs
Apr 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25219
MEDIUM
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
Apr 15, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-30778
HIGH
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Apr 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33929
MEDIUM
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Apr 14, 2026
CVSS 4.3
EPSS 0.01
CVE-2026-31924
MEDIUM
Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
Apr 14, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-31923
HIGH
Apache APISIX: Openid-connect `tls_verify` field is disabled by default
Apr 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31908
CRITICAL
Apache APISIX: forward auth plugin allows header injection
Apr 14, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-33858
HIGH
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
Apr 13, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-34476
HIGH
Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server
Apr 13, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35565
MEDIUM
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Apr 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35337
HIGH
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Apr 13, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-40023
MEDIUM
Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-40021
MEDIUM
Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-34481
HIGH
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34480
HIGH
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34479
HIGH
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34478
HIGH
Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34477
MEDIUM
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Apr 10, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-39304
HIGH
Apache ActiveMQ TLSv1.3 KeyUpdate - Memory Exhaustion Denial of Service
Apr 10, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34500
MEDIUM
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Apr 09, 2026
CVSS 6.5
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters