apache

3,082 tracked vulnerabilities.

CVE-2026-49871 CRITICAL
Apache APISIX: cas-auth login CSRF / session injection issue
Jun 19, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-49231 MEDIUM
Apache APISIX 3.5.0-3.16.0 OPA Plugin - Identity Spoofing
Jun 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-49230 CRITICAL
Apache APISIX: Authentication bypass in jwe-decrypt
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-48895 HIGH
Apache APISIX: Cas-auth Host header influence on CAS service URL
Jun 19, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-47341 MEDIUM
Apache APISIX 3.11.0-3.16.0 hmac-auth - Session Replay
Jun 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-47339 HIGH
Apache APISIX: authz-casdoor incorrect session sharing
Jun 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44915 MEDIUM
Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value
Jun 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44087 CRITICAL
Apache APISIX: Openid-connect plugin Identity Header Spoofing
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-44046 MEDIUM
Apache APISIX: wolf-rbac plugin Identity Spoofing
Jun 19, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-39999 CRITICAL
Apache APISIX: JWT Algorithm Confusion allows authentication bypass
Jun 19, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-39998 HIGH
Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup
Jun 19, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49268 CRITICAL
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-50203 CRITICAL
Apache Airflow Sftp Provider < 5.8.1 - Path Traversal
Jun 17, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-47340 MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Alert Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42357 MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Workflow Instance Access
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41280 MEDIUM
Apache DolphinScheduler < 3.4.2 - Unauthorized Task Definition Deletion
Jun 17, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-32967 CRITICAL
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-32966 CRITICAL
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
Jun 17, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-50645 HIGH
Apache CXF: No restriction on attachment headers per message
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-50634 MEDIUM
Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50633 HIGH
Apache CXF JCA Integration - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50632 HIGH
Apache CXF JMSConfigFactory - JNDI Injection Remote Code Execution
Jun 12, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-50631 HIGH
Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing
Jun 12, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-50630 MEDIUM
Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection
Jun 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50629 MEDIUM
Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
Jun 12, 2026
CVSS 5.3
EPSS 0.00