apache
2,899 tracked vulnerabilities.
CVE-2026-25219
MEDIUM
Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access
Apr 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-30778
HIGH
Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.
Apr 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33929
MEDIUM
Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code
Apr 14, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-31924
MEDIUM
Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
Apr 14, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-31923
HIGH
Apache APISIX: Openid-connect `tls_verify` field is disabled by default
Apr 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31908
CRITICAL
Apache APISIX: forward auth plugin allows header injection
Apr 14, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33858
HIGH
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
Apr 13, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-34476
HIGH
Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server
Apr 13, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35565
MEDIUM
Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI
Apr 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35337
HIGH
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
Apr 13, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-40023
MEDIUM
Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-40021
MEDIUM
Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34481
HIGH
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34480
HIGH
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34479
HIGH
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34478
HIGH
Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34477
MEDIUM
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Apr 10, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-39304
HIGH
Apache ActiveMQ TLSv1.3 KeyUpdate - Memory Exhaustion Denial of Service
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34500
MEDIUM
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34487
HIGH
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34486
HIGH
NUCLEI
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
Apr 09, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-34483
HIGH
Apache Tomcat: Incomplete escaping of JSON access logs
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32990
MEDIUM
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-29146
HIGH
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Apr 09, 2026
CVSS 7.5
EPSS 0.13
CVE-2026-29145
CRITICAL
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Apr 09, 2026
CVSS 9.1
EPSS 0.00
Products
http_server 317
tomcat 254
airflow 120
struts 90
traffic_server 82
ofbiz 74
superset 68
openoffice 60
activemq 57
subversion 47
nifi 46
solr 46
cloudstack 45
cxf 43
camel 40
hadoop 37
inlong 32
openmeetings 28
dolphinscheduler 27
ambari 26
tika 25
jspwiki 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
archiva 20
couchdb 20