apache
2,899 tracked vulnerabilities.
CVE-2026-41409
CRITICAL
Apache MINA: CWE-502 Deserialization of Untrusted Data
Apr 27, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40858
HIGH
Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository
Apr 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-40022
HIGH
Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel main runtime
Apr 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-33454
CRITICAL
Apache Camel MailHeaderFilterStrategy - MIME Header Injection RCE
Apr 27, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-41635
CRITICAL
Apache MINA IoBuffer - Deserialization Remote Code Execution
Apr 27, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40860
CRITICAL
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Apr 27, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-40473
HIGH
Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP
Apr 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-40453
CRITICAL
Apache Camel HeaderFilterStrategy - Case-Variant Internal Header Injection
Apr 27, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-40048
HIGH
Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager
Apr 27, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-40690
MEDIUM
Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-38743
MEDIUM
Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-23902
HIGH
Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution.
Apr 24, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41044
HIGH
Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia
Apr 24, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41043
MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues
Apr 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-40466
HIGH
NUCLEI
Apache ActiveMQ Broker < 5.19.6 and 6.0.0 to before 6.2.5 - Remote Code Execution
Apr 24, 2026
CVSS 8.8
EPSS 0.16
CVE-2026-40542
HIGH
Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Apr 22, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-33558
MEDIUM
Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output
Apr 20, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33557
CRITICAL
Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication
Apr 20, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-40948
MEDIUM
Apache Airflow: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
Apr 18, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32690
LOW
Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1
Apr 18, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32228
HIGH
Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to
Apr 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-30912
HIGH
Apache Airflow: Exposing stack trace in case of constraint error
Apr 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-30898
HIGH
Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf
Apr 18, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25917
HIGH
Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)
Apr 18, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-31987
HIGH
Apache Airflow: JWT token appearing in logs
Apr 16, 2026
CVSS 7.5
EPSS 0.00
Products
http_server 317
tomcat 254
airflow 120
struts 90
traffic_server 82
ofbiz 74
superset 68
openoffice 60
activemq 57
subversion 47
nifi 46
solr 46
cloudstack 45
cxf 43
camel 40
hadoop 37
inlong 32
openmeetings 28
dolphinscheduler 27
ambari 26
tika 25
jspwiki 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
archiva 20
couchdb 20