apache
3,084 tracked vulnerabilities.
CVE-2026-42359
HIGH
Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42358
MEDIUM
Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42253
MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
Jun 01, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-42252
CRITICAL
Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Jun 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41084
HIGH
Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
Jun 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41017
MEDIUM
Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-41014
MEDIUM
Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40963
LOW
Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-40961
HIGH
Apache Airflow: Open Redirect Bypass Vulnerability
Jun 01, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-40861
MEDIUM
Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
Jun 01, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-45192
MEDIUM
Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35563
HIGH
Apache Directory LDAP API - Missing TLS Hostname Verification
Jun 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-40914
MEDIUM
Apache ActiveMQ Artemis STOMP - Address Routing Authorization Bypass
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40564
MEDIUM
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48589
MEDIUM
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44598
MEDIUM
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43828
MEDIUM
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43827
MEDIUM
Apache Shiro: Session fixation: new session is not created after login by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42797
MEDIUM
Apache Syncope: JexlContextBuilder Information Disclosure
May 25, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-42782
HIGH
Apache Syncope: Post-auth RCE via Groovy static
May 25, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-46745
MEDIUM
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
May 25, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45361
HIGH
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
May 25, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-45249
MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-44930
CRITICAL
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
May 22, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44618
MEDIUM
Apache CXF: XXE vulnerability in WS-Transfer functionality
May 22, 2026
CVSS 5.3
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters