apache
3,082 tracked vulnerabilities.
CVE-2026-49871
CRITICAL
Apache APISIX: cas-auth login CSRF / session injection issue
Jun 19, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-49231
MEDIUM
Apache APISIX 3.5.0-3.16.0 OPA Plugin - Identity Spoofing
Jun 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-49230
CRITICAL
Apache APISIX: Authentication bypass in jwe-decrypt
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-48895
HIGH
Apache APISIX: Cas-auth Host header influence on CAS service URL
Jun 19, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-47341
MEDIUM
Apache APISIX 3.11.0-3.16.0 hmac-auth - Session Replay
Jun 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-47339
HIGH
Apache APISIX: authz-casdoor incorrect session sharing
Jun 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44915
MEDIUM
Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
Jun 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44087
CRITICAL
Apache APISIX: Openid-connect plugin Identity Header Spoofing
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-44046
MEDIUM
Apache APISIX: wolf-rbac plugin Identity Spoofing
Jun 19, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-39999
CRITICAL
Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-39998
HIGH
Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Jun 19, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49268
CRITICAL
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-50203
CRITICAL
Apache Airflow Sftp Provider < 5.8.1 - Path Traversal
Jun 17, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-47340
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Alert Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42357
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Workflow Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41280
MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Task Definition Deletion
Jun 17, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-32967
CRITICAL
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-32966
CRITICAL
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Jun 17, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-50645
HIGH
Apache CXF: No restriction on attachment headers per message
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-50634
MEDIUM
Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50633
HIGH
Apache CXF JCA Integration - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50632
HIGH
Apache CXF JMSConfigFactory - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50631
HIGH
Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
Jun 12, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-50630
MEDIUM
Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50629
MEDIUM
Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
Jun 12, 2026
CVSS 5.3
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters