apache

3,084 tracked vulnerabilities.

CVE-2026-23794 MEDIUM
Apache Syncope <3.0.15/<4.0.3 - XSS
Feb 03, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-24656 LOW
Apache Karaf Decanter - Deserialization
Jan 26, 2026
CVSS 3.7
EPSS 0.01
CVE-2026-22444 HIGH
Apache Solr 8.6.0-9.10.0 - Unauthenticated Path Traversal via Create Core API
Jan 21, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-22022 HIGH
Apache Solr 5.3.0-9.10.0 - Improper Authorization in RuleBasedAuthorizationPlugin
Jan 21, 2026
CVSS 8.2
EPSS 0.00
CVE-2025-53648 MEDIUM
Apache Gravitino: SQL misconfiguration can access or truncate files
Jun 30, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-66336 HIGH
Apache Doris MCP Server: SQL injection leading the authentication bypass
Jun 22, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-62198 MEDIUM
Apache Atlas: Stored XSS in Create Entity page
Jun 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-48977 MEDIUM
Apache Ignite: REST HTTP arbitrary file read vulnerability
May 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-69233 MEDIUM
Apache CloudStack: Domain/account resources limits not honored
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66467 HIGH
Apache CloudStack: MinIO policy remains intact on bucket deletion
May 08, 2026
CVSS 8.0
EPSS 0.00
CVE-2025-66172 HIGH
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
May 08, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66171 MEDIUM
Apache CloudStack: Any user can create a new VM from backups they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-66170 MEDIUM
Apache CloudStack: Any user can list backups that they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-48431 HIGH
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Apr 28, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-62233 MEDIUM
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Apr 24, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-66335 MEDIUM
Apache Doris MCP Server: MCP SQL inject
Apr 20, 2026
CVSS 5.3
EPSS 0.01
CVE-2025-54550 HIGH
Apache Airflow: RCE by race condition in example_xcom dag
Apr 15, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66236 HIGH
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Apr 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-57735 CRITICAL
Apache Airflow: Airflow Logout Not Invalidating JWT
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2025-62188 HIGH
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-65114 HIGH
Apache Traffic Server: Malformed chunked message body allows request smuggling
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-58136 HIGH
Apache Traffic Server: A simple legitimate POST request causes a crash
Apr 02, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-54920 HIGH
Apache Spark <3.5.7/4.0.1 - Deserialization
Mar 16, 2026
CVSS 8.8
EPSS 0.05
CVE-2025-66249 MEDIUM
Apache Livy 0.3.0-0.9.0 - Path Traversal
Mar 13, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-60012 MEDIUM
Apache Livy 0.7.0-0.8.0 - Unauthorized File Access
Mar 13, 2026
CVSS 6.3
EPSS 0.00