apache
2,899 tracked vulnerabilities.
CVE-2026-41284
HIGH
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43826
MEDIUM
Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41018
MEDIUM
Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39816
HIGH
Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25199
CRITICAL
Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
May 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25077
HIGH
Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
May 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43975
MEDIUM
Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager
May 06, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-43646
HIGH
Apache Wicket: crafted URLs can bypass PackageResourceGuard
May 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42509
MEDIUM
Apache Wicket: crafted strings can break out of the JavaScript sequence
May 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40010
CRITICAL
Apache Wicket: possible session fixation using AuthenticatedWebSession
May 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-28780
CRITICAL
Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
May 05, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-29168
HIGH
Apache HTTP Server: mod_md unrestricted OCSP response
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43870
HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43868
MEDIUM
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
May 05, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43869
HIGH
Apache Thrift: TSSLTransportFactory.java hostname verification
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-42812
CRITICAL
Apache Polaris: No protection on `write.metadata.path`
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42811
CRITICAL
Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42810
CRITICAL
Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42809
CRITICAL
Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42440
HIGH
Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42027
CRITICAL
Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader
May 04, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40682
CRITICAL
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor
May 04, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-40563
HIGH
Apache Atlas: Script injection allows access to unintended data
May 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33523
MEDIUM
Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33007
MEDIUM
Apache HTTP Server: mod_authn_socache crash
May 04, 2026
CVSS 5.3
EPSS 0.01
Products
http_server 317
tomcat 254
airflow 120
struts 90
traffic_server 82
ofbiz 74
superset 68
openoffice 60
activemq 57
subversion 47
nifi 46
solr 46
cloudstack 45
cxf 43
camel 40
hadoop 37
inlong 32
openmeetings 28
dolphinscheduler 27
ambari 26
tika 25
jspwiki 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
archiva 20
couchdb 20