apache
3,084 tracked vulnerabilities.
CVE-2026-43515
CRITICAL
Apache Tomcat: Security constraints not correctly applied
May 12, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-43514
LOW
Apache Tomcat: AJP secret compared in non-constant time
May 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-43513
HIGH
Apache Tomcat: LockOutRealm treats user names as case-sensitive
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43512
CRITICAL
Apache Tomcat: Digest authenticator will authenticate any unknown user
May 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-42498
HIGH
Apache Tomcat: WebSocket authentication header exposure
May 12, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-41293
CRITICAL
Apache Tomcat: HTTP/2 request headers not validated
May 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41284
HIGH
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
May 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-43826
MEDIUM
Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41018
MEDIUM
Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL
May 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39816
HIGH
Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService
May 08, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-25199
CRITICAL
Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
May 08, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-25077
HIGH
Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
May 08, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-43975
MEDIUM
Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager
May 06, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-43646
HIGH
Apache Wicket: crafted URLs can bypass PackageResourceGuard
May 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42509
MEDIUM
Apache Wicket: crafted strings can break out of the JavaScript sequence
May 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40010
CRITICAL
Apache Wicket: possible session fixation using AuthenticatedWebSession
May 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-28780
CRITICAL
Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
May 05, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-29168
HIGH
Apache HTTP Server: mod_md unrestricted OCSP response
May 05, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-43870
HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43868
MEDIUM
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
May 05, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-43869
HIGH
Apache Thrift: TSSLTransportFactory.java hostname verification
May 05, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-42812
CRITICAL
Apache Polaris: No protection on `write.metadata.path`
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42811
CRITICAL
Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42810
CRITICAL
Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names
May 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-42809
CRITICAL
Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
May 04, 2026
CVSS 9.9
EPSS 0.00
Products
http_server 330
tomcat 261
airflow 143
struts 90
traffic_server 82
ofbiz 76
camel 75
activemq 72
superset 68
openoffice 60
cxf 57
nifi 50
solr 47
subversion 47
cloudstack 45
hadoop 37
dolphinscheduler 32
inlong 32
openmeetings 28
ambari 26
apisix 25
tika 25
jspwiki 24
shiro 24
geode 23
spark 22
wicket 22
zeppelin 22
kylin 21
ranger 21
Quick Filters