apache
2,899 tracked vulnerabilities.
CVE-2025-66172
HIGH
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
May 08, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-66171
MEDIUM
Apache CloudStack: Any user can create a new VM from backups they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66170
MEDIUM
Apache CloudStack: Any user can list backups that they should not have access to
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-48431
HIGH
Apache Thrift: Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-62233
MEDIUM
Apache DolphinScheduler: Deserialization of untrusted data in RPC
Apr 24, 2026
CVSS 6.3
EPSS 0.00
CVE-2025-66335
MEDIUM
Apache Doris MCP Server: MCP SQL inject
Apr 20, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-54550
HIGH
Apache Airflow: RCE by race condition in example_xcom dag
Apr 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-66236
HIGH
Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
Apr 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-57735
CRITICAL
Apache Airflow: Airflow Logout Not Invalidating JWT
Apr 09, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-62188
HIGH
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Apr 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-65114
HIGH
Apache Traffic Server: Malformed chunked message body allows request smuggling
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-58136
HIGH
Apache Traffic Server: A simple legitimate POST request causes a crash
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-54920
HIGH
Apache Spark <3.5.7/4.0.1 - Deserialization
Mar 16, 2026
CVSS 8.8
EPSS 0.00
CVE-2025-66249
MEDIUM
Apache Livy 0.3.0-0.9.0 - Path Traversal
Mar 13, 2026
CVSS 6.3
EPSS 0.00
CVE-2025-60012
MEDIUM
Apache Livy 0.7.0-0.8.0 - Unauthorized File Access
Mar 13, 2026
CVSS 6.3
EPSS 0.00
CVE-2025-69219
HIGH
apache-airflow-providers-http < 6.0.0 - Authenticated Remote Code Execution via Crafted Database Entry
Mar 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2025-66168
MEDIUM
Apache ActiveMQ - Memory Corruption
Mar 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-59060
MEDIUM
Apache Ranger <=2.7.0 - Auth Bypass
Mar 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-59059
CRITICAL
Apache Ranger <= 2.7.0 - Remote Code Execution via NashornScriptEngineCreator
Mar 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-27555
MEDIUM
Apache Airflow < 2.11.1 - Authenticated Sensitive Information Exposure in Audit Logs
Feb 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-65995
MEDIUM
Airflow <3.1.4/2.11.1 - Info Disclosure
Feb 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-66614
CRITICAL
Apache Tomcat 11.0.0-M1-11.0.14 - DoS
Feb 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-33042
HIGH
Apache Avro Java SDK <1.12.1-1.11.5 - Code Injection
Feb 13, 2026
CVSS 7.3
EPSS 0.00
CVE-2025-27821
HIGH
Apache Hadoop 3.2.0-3.4.1 - Out-of-bounds Write in HDFS Native Client
Jan 26, 2026
CVSS 7.3
EPSS 0.00
CVE-2025-59355
MEDIUM
Apache Linkis 1.0.0-1.7.0 - Sensitive Information Disclosure in HiveUtils Base64 Decode Error Log
Jan 19, 2026
CVSS 6.5
EPSS 0.00
Products
http_server 317
tomcat 254
airflow 120
struts 90
traffic_server 82
ofbiz 74
superset 68
openoffice 60
activemq 57
subversion 47
nifi 46
solr 46
cloudstack 45
cxf 43
camel 40
hadoop 37
inlong 32
openmeetings 28
dolphinscheduler 27
ambari 26
tika 25
jspwiki 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
archiva 20
couchdb 20