apache

3,084 tracked vulnerabilities.

CVE-2026-34487 HIGH
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34486 HIGH NUCLEI
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
Apr 09, 2026
CVSS 7.5
EPSS 0.22
CVE-2026-34483 HIGH
Apache Tomcat: Incomplete escaping of JSON access logs
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32990 MEDIUM
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-29146 HIGH
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Apr 09, 2026
CVSS 7.5
EPSS 0.05
CVE-2026-29145 CRITICAL
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-29129 HIGH
Apache Tomcat: TLS cipher order is not preserved
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25854 MEDIUM
Apache Tomcat: Occasionally open redirect
Apr 09, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-24880 HIGH
Apache Tomcat: Request smuggling via invalid chunk extension
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34020 HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33266 HIGH
Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33005 MEDIUM
Apache OpenMeetings: Insufficient checks in FileWebService
Apr 09, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34538 MEDIUM
Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)
Apr 09, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-32588 MEDIUM
Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing
Apr 07, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-27315 MEDIUM
Apache Cassandra: cqlsh history sensitive information leak
Apr 07, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-27314 HIGH
Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass
Apr 07, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-34197 HIGH KEVNUCLEI
Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Apr 07, 2026
CVSS 8.8
EPSS 0.97
CVE-2026-33227 MEDIUM
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitation of a Pathname to a Restricted Classpath Directory
Apr 07, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32794 MEDIUM
Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
Mar 30, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32642 MEDIUM
Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-30911 HIGH
Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization
Mar 17, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-28779 HIGH
Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications
Mar 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-28563 MEDIUM
Apache Airflow: DAG authorization bypass
Mar 17, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-26929 MEDIUM
Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata
Mar 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-23907 MEDIUM
Apache PDFBox 2.0.24-2.0.35, 3.0.0-3.0.6 - Path Traversal
Mar 10, 2026
CVSS 5.3
EPSS 0.01