Apache (The Apache Software Foundation)
Recent Apache Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2.4.66 | 5 Vulnerabilities Fixed in Apache HTTP Server 2.4.66 | December 4, 2025 |
| 2.4.65 | Vulnerability Fixed in Apache HTTP Server 2.4.65 | July 23, 2025 |
| 2.4.64 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.64 | July 10, 2025 |
| 2.4.62 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 | July 17, 2024 |
| 2.4.61 | Vulnerability Fixed in Apache HTTP Server 2.4.61 | July 16, 2024 |
| 2.4.60 | 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 | July 15, 2024 |
| 2.4.59 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 | April 4, 2024 |
| 2.4.58 | 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 | October 19, 2023 |
| 2.4.56 | 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.56 | March 7, 2023 |
| 2.4.55 | 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.55 | January 17, 2023 |
Known Exploited Apache Vulnerabilities
The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache HTTP Server Improper Escaping of Output Vulnerability | Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. CVE-2024-38475 (exploit probability 93.9%) | May 1, 2025 |
| Apache Tomcat Path Equivalence Vulnerability | Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request. CVE-2025-24813 (exploit probability 94.2%) | April 1, 2025 |
| Apache OFBiz Forced Browsing Vulnerability | Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access. CVE-2024-45195 (exploit probability 94.1%) | February 4, 2025 |
| Apache HugeGraph-Server Improper Access Control Vulnerability | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. CVE-2024-27348 (exploit probability 94.3%) | September 18, 2024 |
| Apache OFBiz Incorrect Authorization Vulnerability | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. CVE-2024-38856 (exploit probability 94.4%) | August 27, 2024 |
| Apache OFBiz Path Traversal Vulnerability | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. CVE-2024-32113 (exploit probability 94.0%) | August 7, 2024 |
| Apache Flink Improper Access Control Vulnerability | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. CVE-2020-17519 (exploit probability 94.4%) | May 23, 2024 |
| Apache Superset Insecure Default Initialization of Resource Vulnerability | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions. CVE-2023-27524 (exploit probability 84.1%) | January 8, 2024 |
| Apache ActiveMQ Deserialization of Untrusted Data Vulnerability | Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. CVE-2023-46604 (exploit probability 94.4%) | November 2, 2023 |
| Apache RocketMQ Command Execution Vulnerability | Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system user that RocketMQ is running as, or achieve the same effect by forging RocketMQ protocol content. CVE-2023-33246 (exploit probability 94.4%) | September 6, 2023 |
| Apache Tomcat Remote Code Execution Vulnerability | Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener was not updated for consistency with the Oracle patched issues for CVE-2016-3427, which affected credential types. CVE-2016-8735 (exploit probability 93.7%) | May 12, 2023 |
| Apache Log4j2 Deserialization of Untrusted Data Vulnerability | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. CVE-2021-45046 (exploit probability 94.3%) | May 1, 2023 |
| Apache Spark Command Injection Vulnerability | Apache Spark contains a command injection vulnerability via the Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. CVE-2022-33891 (exploit probability 93.5%) | March 7, 2023 |
| Apache APISIX Authentication Bypass Vulnerability | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. CVE-2022-24112 (exploit probability 94.4%) | August 25, 2022 |
| Apache CouchDB Insecure Default Initialization of Resource Vulnerability | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. CVE-2022-24706 (exploit probability 94.2%) | August 25, 2022 |
| Apache Kylin OS Command Injection Vulnerability | Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution. CVE-2020-1956 (exploit probability 93.7%) | March 25, 2022 |
| Apache Struts Improper Input Validation Vulnerability | Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions. CVE-2013-2251 (exploit probability 94.3%) | March 25, 2022 |
| Apache Tomcat on Windows Remote Code Execution Vulnerability | When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12615 (exploit probability 94.2%) | March 25, 2022 |
| Apache Tomcat Remote Code Execution Vulnerability | When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12617 (exploit probability 94.4%) | March 25, 2022 |
| Apache Tomcat Improper Privilege Management Vulnerability | Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited. CVE-2020-1938 (exploit probability 94.5%) | March 3, 2022 |
Of the known exploited vulnerabilities above, 20 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
Top 10 Riskiest Apache Vulnerabilities
These Apache vulnerabilities are all on CISA's Known Exploited Vulnerabilities (KEV) list; they are ranked here by their current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2019-17558 | 94.5% | Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability |
| 2 | CVE-2020-1938 | 94.5% | Apache Tomcat Improper Privilege Management Vulnerability |
| 3 | CVE-2023-46604 | 94.4% | Apache ActiveMQ Deserialization of Untrusted Data Vulnerability |
| 4 | CVE-2022-24112 | 94.4% | Apache APISIX Authentication Bypass Vulnerability |
| 5 | CVE-2021-40438 | 94.4% | Apache HTTP Server-Side Request Forgery (SSRF) |
| 6 | CVE-2018-11776 | 94.4% | Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution Vulnerability |
| 7 | CVE-2021-42013 | 94.4% | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal |
| 8 | CVE-2023-33246 | 94.4% | Apache RocketMQ Command Execution Vulnerability |
| 9 | CVE-2020-17519 | 94.4% | Apache Flink Improper Access Control Vulnerability |
| 10 | CVE-2021-41773 | 94.4% | Apache HTTP Server Path Traversal Vulnerability |
By the Year
In 2026 there have so far been 28 vulnerabilities published for Apache products, with an average CVSS base score of 7.0 out of 10. In 2025, 229 Apache vulnerabilities were published. If vulnerabilities keep arriving at the current rate, the 2026 total could surpass last year's. The 2025 average base score was 0.25 higher, at 7.25.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 28 | 7.00 |
| 2025 | 229 | 7.25 |
| 2024 | 275 | 7.45 |
| 2023 | 274 | 7.47 |
| 2022 | 228 | 7.63 |
| 2021 | 212 | 7.60 |
| 2020 | 160 | 7.60 |
| 2019 | 159 | 7.29 |
| 2018 | 144 | 7.26 |
It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-22922 | Feb 09, 2026 |
Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flawApache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this issue. |
|
| CVE-2026-24098 | Feb 09, 2026 |
Apache Airflow versions before 3.1.7, has vulnerabilityApache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue |
|
| CVE-2026-23903 | Feb 09, 2026 |
Authentication Bypass by Alternate Name vulnerability in Apache ShiroAuthentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, such as default macOS setup, static files may be accessed by varying the case of the filename in the request. If only lower-case (common default) filters are present in Shiro, they may be bypassed this way. Shiro 2.0.7 and later has a new parameters to remediate this issue shiro.ini: filterChainResolver.caseInsensitive = true application.propertie: shiro.caseInsensitive=true Shiro 3.0.0 and later (upcoming) makes this the default. |
|
| CVE-2026-24735 | Feb 04, 2026 |
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache AnswerExposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. |
|
| CVE-2026-23794 | Feb 03, 2026 |
Reflected XSS in Apache Syncope's Enduser Login pageReflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. |
|
| CVE-2026-23795 | Feb 03, 2026 |
Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope ConsoleImproper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. |
|
| CVE-2016-15057 | Jan 26, 2026 |
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
|
| CVE-2025-27821 | Jan 26, 2026 |
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native clientOut-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
|
| CVE-2026-24656 | Jan 26, 2026 |
Deserialization of Untrusted Data vulnerability in Apache Karaf DecanterDeserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. |
|
| CVE-2026-22022 | Jan 21, 2026 |
Deployments of Apache Solr 5.3.0 through 9.10.0Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. |
|
| CVE-2026-22444 | Jan 21, 2026 |
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system pathsThe "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. |
|
| CVE-2025-59355 | Jan 19, 2026 |
A vulnerability. When org.apache.linkis.metadata.util.HiveUA vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 1.7.0 Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // str Users are recommended to upgrade to version 1.8.0, which fixes the issue. |
|
| CVE-2025-29847 | Jan 19, 2026 |
A vulnerability in Apache LinkisA vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve |
|
| CVE-2025-68675 | Jan 16, 2026 |
In Apache Airflow versions before 3.1.6In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue |
|
| CVE-2025-68438 | Jan 16, 2026 |
In Apache Airflow versions before 3.1.6In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue |
|
| CVE-2025-60021 | Jan 16, 2026 |
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platformsRemote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. |
|
| CVE-2025-66169 | Jan 14, 2026 |
Cypher Injection vulnerability in Apache Camel camel-neo4j componentCypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS and 4.14.3 for 4.14.x LTS and 4.17.0. |
|
| CVE-2025-68493 | Jan 11, 2026 |
Missing XML Validation vulnerability in Apache Struts, Apache StrutsMissing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. |
|
| CVE-2025-52435 | Jan 10, 2026 |
J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLEJ2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. |
|
| CVE-2025-53470 | Jan 10, 2026 |
Out-of-bounds Read vulnerability in Apache NimBLE HCI H4 driverOut-of-bounds Read vulnerability in Apache NimBLE HCI H4 driver. Specially crafted HCI event could lead to invalid memory read in H4 driver. This issue affects Apache NimBLE: through 1.8. This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are recommended to upgrade to version 1.9, which fixes the issue. |
|
| CVE-2025-53477 | Jan 10, 2026 |
NULL Pointer Dereference vulnerability in Apache NimbleNULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. |
|
| CVE-2025-62235 | Jan 10, 2026 |
Authentication Bypass by Spoofing vulnerability in Apache NimBLEAuthentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. |
|
| CVE-2025-68637 | Jan 07, 2026 |
The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by defaultThe Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions from before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue. |
|
| CVE-2025-68280 | Jan 05, 2026 |
Improper Restriction of XML External Entity Reference vulnerability in Apache SISImproper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ... |
|
| CVE-2025-66518 | Jan 05, 2026 |
Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue. |
|
| CVE-2025-47411 | Jan 01, 2026 |
A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipesA user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue. |
|
| CVE-2025-48769 | Jan 01, 2026 |
Use After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOSUse After Free vulnerability was discovered in fs/vfs/fs_rename code of the Apache NuttX RTOS, that due recursive implementation and single buffer use by two different pointer variables allowed arbitrary user provided size buffer reallocation and write to the previously freed heap chunk, that in specific cases could cause unintended virtual filesystem rename/move operation results. This issue affects Apache NuttX RTOS: from 7.20 before 12.11.0. Users of virtual filesystem based services with write access especially when exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.11.0 that fixes the issue. |
|
| CVE-2025-48768 | Jan 01, 2026 |
Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOSRelease of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0. Users of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue. |
|
| CVE-2025-66524 | Dec 19, 2025 |
Apache NiFi GetAsanaObject: Unfiltered Java Object Deserialization (pre2.7.0)Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation. |
|
| CVE-2025-68161 | Dec 18, 2025 |
Log4j Core 2.0-2.25.2 Socket Appender TLS Hostname Verification BypassThe Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appenders configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates. |
|
| CVE-2025-67895 | Dec 17, 2025 |
| Edge3 Provider RCE via Worker RPC in Apache Airflow 2 (provider <2.0.0) | Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3 before 2.0.0, and only if the provider was installed and configured on Airflow 2. Edge3 provider support in Airflow 2 has always been development-only and was never officially released; however, installing and configuring the Edge3 provider on Airflow 2 implicitly enabled a normally non-public API that was used to test the Edge provider on Airflow 2 during development. This API allowed a DAG author to perform remote code execution in the webserver context, which a DAG author is not supposed to be able to do. If you installed and configured the Edge3 provider on Airflow 2, uninstall it and migrate to Airflow 3. Edge3 provider versions 2.0.0 and later set the minimum Airflow version to 3 and remove the RCE-prone Airflow 2 code, so it should no longer be possible to use Edge3 provider 2.0.0+ on Airflow 2. If you used the Edge provider on Airflow 3, you are not affected. |
| CVE-2025-66388 | Dec 15, 2025 |
| Apache Airflow <3.1.4 UI Secret Exposure via Unredacted Templates | A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates because secrets were not properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue. |
| CVE-2025-53960 | Dec 12, 2025 |
| Apache StreamPark 2.0.0-2.1.6: User Password Used as JWT Signing Key | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker who captures a JWT can brute-force the user's password offline, and an attacker who already knows the password can forge arbitrary identity tokens for that user, ultimately leading to complete account takeover. This issue affects Apache StreamPark from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. |
| CVE-2025-54947 | Dec 12, 2025 |
| Apache StreamPark Hard-Coded Encryption Key (2.0.0-2.1.6) | In Apache StreamPark versions 2.0.0 through 2.1.6, the system uses a fixed, immutable hard-coded key for encryption instead of generating the key dynamically or configuring it securely. Attackers may obtain this key through reverse engineering or code analysis and use it to decrypt sensitive data or forge encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. |
| CVE-2025-54981 | Dec 12, 2025 |
| Apache StreamPark <2.1.7: Weak AES-ECB Encryption Exposes JWT | Weak encryption algorithm in StreamPark: the use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. |
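The StreamPark JWT issue above (the user's password used directly as the HS256 key) is easy to misjudge as "just a weak key", so here is an added, self-contained Python example that is not StreamPark's code. It mints HS256 tokens with the standard library only, shows that a captured token lets an attacker test password guesses offline (no requests to the server, no lockout), shows that a recovered password lets the attacker forge a token with elevated claims, and contrasts this with the usual remedy of signing with a random server-side secret that is unrelated to any user's password. The wordlist, user names and claims are constructed demo data; the fix shown is the generic remedy, not a description of what StreamPark 2.1.7 implements.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT over `payload` with HMAC key `key` (plain stdlib, no JWT library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature matches `key`, else None (constant-time compare)."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def recover_password(token: str, wordlist) -> Optional[str]:
    """Offline attack on the flawed scheme: because the HMAC key *is* the password,
    every guess is verified locally against the captured token."""
    for candidate in wordlist:
        if verify_hs256(token, candidate.encode()) is not None:
            return candidate
    return None


# Constructed demo data (not real credentials).
VICTIM_PASSWORD = "Winter2024!"
WORDLIST = ["password", "123456", "streampark", "Winter2024!", "admin"]


def demo_flawed_scheme():
    """Server signs with the user's password; attacker captures the token, recovers the
    password offline, then forges a token carrying an elevated role."""
    captured = sign_hs256({"sub": "alice", "role": "user"}, VICTIM_PASSWORD.encode())
    recovered = recover_password(captured, WORDLIST)
    forged = sign_hs256({"sub": "alice", "role": "admin"}, recovered.encode())
    # The server accepts the forgery because it verifies with the same password-derived key.
    return recovered, verify_hs256(forged, VICTIM_PASSWORD.encode())


def demo_fixed_scheme() -> Optional[str]:
    """Generic remedy: sign with a random 256-bit server secret that is independent of
    any user's password, so a captured token yields nothing to brute-force."""
    server_key = secrets.token_bytes(32)
    token = sign_hs256({"sub": "alice", "role": "user"}, server_key)
    return recover_password(token, WORDLIST)
```

Note that even with a strong server key, a symmetric HS256 secret must be kept off every host that only needs to *verify* tokens; an asymmetric algorithm (RS256/ES256) avoids that distribution problem entirely.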
| CVE-2025-26866 | Dec 12, 2025 |
| RCE in TiDB PD via Hessian Deserialization (fixed in 1.7.0) | A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden Hessian deserialization against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue. |
| CVE-2025-58137 | Dec 12, 2025 |
| Apache Fineract Authorization Bypass Through User-Controlled Key (through 1.11.0, fixed in 1.12.1) | Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. |
| CVE-2025-58130 | Dec 12, 2025 |
| Apache Fineract Insufficiently Protected Credentials (through 1.11.0, fixed in 1.12.1) | Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. |
| CVE-2025-23408 | Dec 12, 2025 |
| Apache Fineract Weak Password Requirements (through 1.10.1, fixed in 1.11.0) | Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release. |
| CVE-2025-66675 | Dec 10, 2025 |
| Apache Struts 2.0.0-6.7.4 / 7.0.0-7.0.3 DoS via Multipart File Leak | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.4 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It is related to CVE-2025-64775 (https://cve.org/CVERecord?id=CVE-2025-64775); this CVE adds version 6.7.4, which was missing from that record's affected versions. |
| CVE-2025-48631 | Dec 08, 2025 |
| Java LocalImageResolver DoS via onHeaderDecoded | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-58098 | Dec 05, 2025 |
| Apache HTTP Server <2.4.66: SSI #exec cmd Shell Injection via mod_cgid | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. |
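For teams that cannot patch to 2.4.66 immediately, a practical compensating step is to look back through access logs for attempts against the SSI `#exec cmd` path described above. The following added Python example (not part of this page or of the httpd project) is a simple heuristic: it parses common-log-format lines, selects requests whose path carries an extension typically mapped to the INCLUDES filter, URL-decodes the query string and flags any shell metacharacters in it. The log lines are constructed samples; the extension list, the metacharacter set and the log format are assumptions about a typical deployment, and the heuristic cannot tell whether mod_cgid or mod_include is actually loaded on the server that produced the log.

```python
import re
import urllib.parse

# Common Log Format; the fields not needed for the check are matched but unused.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that change the meaning of a command line handed to /bin/sh.
SHELL_META = re.compile(r'[;|&`\n]|\$\(')

# Extensions commonly associated with the INCLUDES output filter (assumed).
SSI_EXTENSIONS = (".shtml", ".shtm", ".stm")


def suspicious_ssi_requests(log_lines):
    """Return (client_ip, path, decoded_query) for requests to SSI pages whose
    decoded query string contains shell metacharacters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        path, _, query = m.group("target").partition("?")
        if not query or not path.lower().endswith(SSI_EXTENSIONS):
            continue
        # Decode %XX and '+' so that %3B is seen as ';' and %60 as '`'.
        decoded = urllib.parse.unquote_plus(query)
        if SHELL_META.search(decoded):
            hits.append((m.group("ip"), path, decoded))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2025:10:00:01 +0000] "GET /status.shtml?env=prod HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Dec/2025:10:00:02 +0000] "GET /status.shtml?env=prod%3Bid HTTP/1.1" 200 640',
    '198.51.100.9 - - [05/Dec/2025:10:00:03 +0000] "GET /status.shtml?x=%60uname%20-a%60 HTTP/1.1" 200 700',
    '192.0.2.4 - - [05/Dec/2025:10:00:04 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for ip, path, query in suspicious_ssi_requests(SAMPLE_LOG):
        print(f"{ip} -> {path} query={query!r}")
```

Treat hits as leads, not verdicts: a `&` or `|` in a query string is common in legitimate traffic, so correlate with the server's SSI configuration and with any unexpected child processes of the cgid daemon before escalating.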
| CVE-2025-66200 | Dec 05, 2025 |
| Apache HTTP Server 2.4.7-2.4.65 AllowOverride FileInfo Bypass | mod_userdir + suexec bypass via AllowOverride FileInfo in Apache HTTP Server. Users who are allowed to use the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected user ID. This issue affects Apache HTTP Server from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. |
| CVE-2025-65082 | Dec 05, 2025 |
| Apache HTTP Server 2.4.0-2.4.65: Configured Environment Variables Override CGI Variables, fixed in 2.4.66 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server: environment variables set via the Apache configuration unexpectedly supersede variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. |
| CVE-2025-59775 | Dec 05, 2025 |
| Apache HTTP Server SSRF NTLM Hash Leak via AllowEncodedSlashes, fixed in 2.4.66 | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off may allow NTLM hashes to be leaked to a malicious server via SSRF triggered by malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue. |
| CVE-2025-55753 | Dec 05, 2025 |
| Apache HTTP Server 2.4.30-2.4.65: Integer Overflow Zeroes ACME Renewal Backoff Timer | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (about 30 days in default configurations), to the backoff timer becoming 0. Renewal attempts are then repeated without delay until one succeeds. This issue affects Apache HTTP Server from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. |
| CVE-2025-66516 | Dec 04, 2025 |
| Apache Tika XXE before 3.2.2 and 1.28.5 (tika-core, tika-pdf-module, tika-parsers) | Critical XXE in the Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside a PDF. This CVE covers the same vulnerability as CVE-2025-54988 but expands the scope of affected packages in two ways. First, while the entry point for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core; users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. |
| CVE-2025-64775 | Dec 01, 2025 |
| Apache Struts DoS via Multipart Request File Leak (2.0.0-6.7.0, 7.0.0-7.0.3) | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.0 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. |
| CVE-2025-59789 | Dec 01, 2025 |
| Uncontrolled Recursion in Apache bRPC json2pb (<1.15.0) | Uncontrolled recursion in the json2pb component of Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to crash the server by sending deeply nested recursive JSON data. Root cause: the bRPC json2pb component uses rapidjson to parse JSON data from the network, and the rapidjson parser recurses by default, so input with a deeply nested structure can overflow the parser's stack. Affected scenarios: using a bRPC server with protobuf messages to serve http+json requests from an untrusted network, or calling JsonToProtoMessage directly on JSON from untrusted input. How to fix (choose one): 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099. Note: whichever option you choose, the fix introduces a recursion depth limit with a default value of 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain JSON or protobuf messages whose depth exceeds the limit, the request will fail after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit. |
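The bRPC entry above is the general "recursive parser versus attacker-chosen nesting depth" failure mode, and the fix it describes (a depth limit, default 100) is worth seeing in miniature. The following added Python example is not bRPC code and does not use rapidjson: it computes the nesting depth of a JSON document iteratively (so the check itself cannot overflow), rejects input above a configurable limit before the real parser ever sees it, and shows that Python's own recursive decoder gives up with a RecursionError on deep input where an unguarded C++ parser would overflow its stack. The limit value 100 mirrors the advisory's default; the sample documents are constructed.

```python
import json

# Same default as the json2pb_max_recursion_depth gflag described in the advisory.
MAX_DEPTH = 100


def json_nesting_depth(text: str) -> int:
    """Maximum bracket nesting depth of a JSON document, computed with a loop
    rather than recursion. Brackets inside string literals are ignored, and
    backslash escapes inside strings are honoured so an escaped quote does not
    end the string early."""
    depth = max_depth = 0
    in_string = escape = False
    for ch in text:
        if in_string:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def parse_bounded(text: str, max_depth: int = MAX_DEPTH):
    """Reject over-deep input up front, then hand it to the real parser."""
    depth = json_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


def deep_json(n: int) -> str:
    """Constructed attacker input: n nested empty arrays."""
    return "[" * n + "]" * n


def bounded_parse_rejects(n: int, max_depth: int = MAX_DEPTH) -> bool:
    try:
        parse_bounded(deep_json(n), max_depth)
        return False
    except ValueError:
        return True


def unbounded_parse_fails(n: int) -> bool:
    """Python's decoder is recursive too, but it checks the interpreter's recursion
    limit and raises RecursionError instead of crashing; a native recursive parser
    without that guard overflows the thread stack."""
    try:
        json.loads(deep_json(n))
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    print("depth 50 accepted:", parse_bounded(deep_json(50)) is not None)
    print("depth 101 rejected:", bounded_parse_rejects(101))
    print("depth 50000 unguarded:", "RecursionError" if unbounded_parse_fails(50000) else "parsed")
```

The pre-check is O(n) in the input length and touches no recursion, which is the property you want from any guard placed in front of a parser you do not control; it is also why the advisory's fix counts depth inside the conversion functions rather than relying on the caller.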
| CVE-2025-59792 | Nov 28, 2025 |
| Apache Kvrocks 1.0.0-2.13.0: MONITOR Command Reveals Plaintext Credentials | The MONITOR command in Apache Kvrocks reveals plaintext credentials. This issue affects Apache Kvrocks from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. |
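Until Kvrocks is upgraded to 2.14.0, anything that captures MONITOR output (debugging sessions, log shippers, support bundles) will carry passwords. The following added Python example, which is not Kvrocks or Redis project code, is a client-side compensating control for that pipeline: it parses MONITOR lines in the Redis-compatible format that Kvrocks is assumed to emit (`<timestamp> [<db> <addr>] "CMD" "arg" ...`), and masks the credential arguments of AUTH, of HELLO ... AUTH, and of CONFIG SET for the requirepass and masterauth settings. The sample lines are constructed; the set of sensitive commands is an assumption and should be extended for any other credential-carrying commands your deployment uses.

```python
import re

# One quoted argument; allows backslash escapes inside the quotes.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# MONITOR line prefix: timestamp, then "[db client-address]".
LINE_RE = re.compile(r'^(?P<prefix>\S+ \[[^\]]*\]) (?P<args>.*)$')

SENSITIVE_CONFIG_KEYS = {"requirepass", "masterauth"}
MASK = "<redacted>"


def redact_monitor_line(line: str) -> str:
    """Return `line` with credential arguments masked; unrelated lines pass through unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return line
    args = ARG_RE.findall(m.group("args"))
    if not args:
        return line
    out = list(args)
    cmd = args[0].upper()
    if cmd == "AUTH":
        # AUTH <password> or AUTH <username> <password>: mask everything after the command.
        out[1:] = [MASK] * (len(args) - 1)
    elif cmd == "HELLO":
        # HELLO <proto> AUTH <username> <password> ...: keep the username, mask the password.
        for i, a in enumerate(args):
            if a.upper() == "AUTH" and i + 2 < len(args):
                out[i + 2] = MASK
    elif (cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET"
          and args[2].lower() in SENSITIVE_CONFIG_KEYS):
        out[3] = MASK
    return m.group("prefix") + " " + " ".join(f'"{a}"' for a in out)


def redact_monitor_stream(lines):
    return [redact_monitor_line(line) for line in lines]


# Constructed MONITOR output (RFC 1918 address, fake credentials).
SAMPLE_MONITOR = [
    '1733900000.123456 [0 10.0.0.5:51234] "AUTH" "hunter2"',
    '1733900001.000001 [0 10.0.0.5:51234] "AUTH" "alice" "hunter2"',
    '1733900002.000002 [0 10.0.0.6:51240] "HELLO" "3" "AUTH" "alice" "hunter2"',
    '1733900003.000003 [0 10.0.0.7:51250] "CONFIG" "SET" "requirepass" "s3cret"',
    '1733900004.000004 [0 10.0.0.5:51234] "GET" "user:alice"',
]


if __name__ == "__main__":
    for line in redact_monitor_stream(SAMPLE_MONITOR):
        print(line)
```

Redaction at the collector is a stopgap: the credentials still cross the MONITOR connection in clear text, so the upgrade remains the real fix, and anyone who could run MONITOR on an affected version should be assumed to have seen every password used in that window.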