apache
3,084 tracked vulnerabilities.
CVE-2026-23794
MEDIUM
Apache Syncope <3.0.15/<4.0.3 - XSS
Feb 03, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-24656
LOW
Apache Karaf Decanter - Deserialization
Jan 26, 2026
CVSS 3.7
EPSS 0.01
CVE-2026-22444
HIGH
Apache Solr 8.6.0-9.10.0 - Unauthenticated Path Traversal via Create Core API
Jan 21, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-22022
HIGH
Apache Solr 5.3.0-9.10.0 - Improper Authorization in RuleBasedAuthorizationPlugin
Jan 21, 2026
CVSS 8.2
EPSS 0.00
CVE-2025-53648
MEDIUM
Apache Gravitino: SQL misconfiguration can access or truncate files
Jun 30, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-66336
HIGH
Apache Doris MCP Server: SQL injection leading the authentication bypass
Jun 22, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-62198
MEDIUM
Apache Atlas: Stored XSS in Create Entity page
Jun 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-48977
MEDIUM
Apache Ignite: REST HTTP arbitrary file read vulnerability
May 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-69233
MEDIUM
Apache CloudStack: Domain/account resources limits not honored
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66467
HIGH
Apache CloudStack: MinIO policy remains intact on bucket deletion
May 08, 2026
CVSS 8.0
EPSS 0.00
CVE-2025-66172
HIGH
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
May 08, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66171
MEDIUM
Apache CloudStack: Any user can create a new VM from backups they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.01
CVE-2025-66170
MEDIUM
Apache CloudStack: Any user can list backups that they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-48431
HIGH
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Apr 28, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-62233
MEDIUM
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Apr 24, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-66335
MEDIUM
Apache Doris MCP Server: MCP SQL inject
Apr 20, 2026
CVSS 5.3
EPSS 0.01
CVE-2025-54550
HIGH
Apache Airflow: RCE by race condition in example_xcom dag
Apr 15, 2026
CVSS 8.1
EPSS 0.01
CVE-2025-66236
HIGH
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Apr 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-57735
CRITICAL
Apache Airflow: Airflow Logout Not Invalidating JWT
Apr 09, 2026
CVSS 9.1
EPSS 0.01
CVE-2025-62188
HIGH
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Apr 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-65114
HIGH
Apache Traffic Server: Malformed chunked message body allows request smuggling
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-58136
HIGH
Apache Traffic Server: A simple legitimate POST request causes a crash
Apr 02, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-54920
HIGH
Apache Spark <3.5.7/4.0.1 - Deserialization
Mar 16, 2026
CVSS 8.8
EPSS 0.05
CVE-2025-66249
MEDIUM
Apache Livy 0.3.0-0.9.0 - Path Traversal
Mar 13, 2026
CVSS 6.3
EPSS 0.01
CVE-2025-60012
MEDIUM
Apache Livy 0.7.0-0.8.0 - Unauthorized File Access
Mar 13, 2026
CVSS 6.3
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters