apache

3,084 tracked vulnerabilities.

CVE-2026-42359 HIGH
Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
Jun 01, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42358 MEDIUM
Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42253 MEDIUM
Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
Jun 01, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-42252 CRITICAL
Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern
Jun 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41084 HIGH
Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation
Jun 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41017 MEDIUM
Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
Jun 01, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-41014 MEDIUM
Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
Jun 01, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40963 LOW
Apache Airflow: DAG authorization bypass on /ui/structure/structure_data
Jun 01, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-40961 HIGH
Apache Airflow: Open Redirect Bypass Vulnerability
Jun 01, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-40861 MEDIUM
Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler
Jun 01, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-45192 MEDIUM
Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response
Jun 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35563 HIGH
Apache Directory LDAP API - Missing TLS Hostname Verification
Jun 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-40914 MEDIUM
Apache ActiveMQ Artemis STOMP - Address Routing Authorization Bypass
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40564 MEDIUM
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
May 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-48589 MEDIUM
Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44598 MEDIUM
Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)
May 25, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-43828 MEDIUM
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43827 MEDIUM
Apache Shiro: Session fixation: new session is not created after login by default
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42797 MEDIUM
Apache Syncope: JexlContextBuilder Information Disclosure
May 25, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-42782 HIGH
Apache Syncope: Post-auth RCE via Groovy static
May 25, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-46745 MEDIUM
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
May 25, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45361 HIGH
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
May 25, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-45249 MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-44930 CRITICAL
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository
May 22, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44618 MEDIUM
Apache CXF: XXE vulnerability in WS-Transfer functionality
May 22, 2026
CVSS 5.3
EPSS 0.00