Apache Apache The Apache Software Foundation

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Apache product.

RSS Feeds for Apache security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Apache products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Apache Sorted by Most Security Vulnerabilities since 2018

Apache HTTP Server271 vulnerabilities

Apache Tomcat146 vulnerabilities
JEE Compliant Servlet Container

Apache AirFlow111 vulnerabilities

Apache Traffic Server68 vulnerabilities

Apache Superset59 vulnerabilities

Apache OpenOffice47 vulnerabilities

Apache CXF41 vulnerabilities

Apache OFBiz40 vulnerabilities

Apache ActiveMQ39 vulnerabilities

Apache Solr37 vulnerabilities
Search engine written in java

Apache NiFi35 vulnerabilities

Apache InLong32 vulnerabilities

Apache Struts28 vulnerabilities

Apache Tika22 vulnerabilities

Apache CloudStack22 vulnerabilities

Apache DolphinScheduler22 vulnerabilities

Apache JSPWiki22 vulnerabilities

Apache Camel20 vulnerabilities

Apache Plusar20 vulnerabilities

Apache Hive19 vulnerabilities

Apache Spark19 vulnerabilities

Apache Hadoop19 vulnerabilities

Apache Kafka19 vulnerabilities

Apache Dubbo19 vulnerabilities

Apache Kylin18 vulnerabilities

Apache Zeppelin17 vulnerabilities

Apache Linkis16 vulnerabilities

Apache Fineract15 vulnerabilities

Apache Log4j14 vulnerabilities

Apache Zookeeper14 vulnerabilities

Apache Iotdb14 vulnerabilities

Apache Jmeter14 vulnerabilities

Apache Ambari13 vulnerabilities

Apache Shiro13 vulnerabilities

Apache Guacamole13 vulnerabilities

Apache Hertzbeat13 vulnerabilities

Apache Cassandra13 vulnerabilities

Apache Streampark12 vulnerabilities

Apache James12 vulnerabilities

Apache Subversion11 vulnerabilities

Apache Ozone11 vulnerabilities

Apache Archiva11 vulnerabilities

Apache Commons Compress11 vulnerabilities

Apache Geode11 vulnerabilities

Apache Druid11 vulnerabilities

Apache Answer10 vulnerabilities

Apache Syncope10 vulnerabilities

Apache Activemq Artemis9 vulnerabilities

Apache Shenyu9 vulnerabilities

Apache Spamassassin9 vulnerabilities

Apache Roller8 vulnerabilities

Apache Openmeetings8 vulnerabilities

Apache Portable Runtime8 vulnerabilities

Apache Ranger8 vulnerabilities

Apache Apisix8 vulnerabilities

Apache Storm8 vulnerabilities

Apache Couchdb8 vulnerabilities

Apache Qpid Broker J8 vulnerabilities

Apache Thrift7 vulnerabilities

Apache Traffic Control7 vulnerabilities

Apache Avro7 vulnerabilities

Apache Drill7 vulnerabilities

Apache Nuttx6 vulnerabilities

Apache Apr Util6 vulnerabilities

Apache Bookkeeper6 vulnerabilities

Apache Xerces C6 vulnerabilities

Apache Commons Fileupload6 vulnerabilities

Apache Doris6 vulnerabilities

Apache Allura5 vulnerabilities

Apache Groovy5 vulnerabilities

Apache Httpclient5 vulnerabilities

Apache Axis5 vulnerabilities

Apache Nimble5 vulnerabilities

Apache Wicket5 vulnerabilities

Apache Streampipes5 vulnerabilities

Apache Seata4 vulnerabilities

Apache Mina4 vulnerabilities

Apache Any234 vulnerabilities

Apache Sshd4 vulnerabilities

Apache Jena4 vulnerabilities

Apache Sling Cms4 vulnerabilities

Apache Commons Beanutils4 vulnerabilities

Apache Commons Configuration4 vulnerabilities

Apache Qpid4 vulnerabilities

Recent Apache Security Advisories

Advisory Title Published
2.4.64 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.64 July 10, 2025
2.4.62 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.62 July 17, 2024
2.4.61 Vulnerability Fixed in Apache HTTP Server 2.4.61 July 16, 2024
2.4.60 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.60 July 15, 2024
2.4.59 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.59 April 4, 2024
2.4.58 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.58 October 19, 2023
2.4.56 2 Vulnerabilities Fixed in Apache HTTP Server 2.4.56 March 7, 2023
2.4.55 3 Vulnerabilities Fixed in Apache HTTP Server 2.4.55 January 17, 2023
2.4.54 8 Vulnerabilities Fixed in Apache HTTP Server 2.4.54 June 8, 2022
2.4.53 4 Vulnerabilities Fixed in Apache HTTP Server 2.4.53 March 14, 2022

Known Exploited Apache Vulnerabilities

The following Apache vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Apache HTTP Server Improper Escaping of Output Vulnerability Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
CVE-2024-38475 Exploit Probability: 93.6%
May 1, 2025
Apache Tomcat Path Equivalence Vulnerability Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
CVE-2025-24813 Exploit Probability: 93.8%
April 1, 2025
Apache OFBiz Forced Browsing Vulnerability Apache OFBiz contains a forced browsing vulnerability that allows a remote attacker to obtain unauthorized access.
CVE-2024-45195 Exploit Probability: 94.2%
February 4, 2025
Apache HugeGraph-Server Improper Access Control Vulnerability Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.
CVE-2024-27348 Exploit Probability: 94.0%
September 18, 2024
Apache OFBiz Incorrect Authorization Vulnerability Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker.
CVE-2024-38856 Exploit Probability: 94.4%
August 27, 2024
Apache OFBiz Path Traversal Vulnerability Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.
CVE-2024-32113 Exploit Probability: 93.5%
August 7, 2024
Apache Flink Improper Access Control Vulnerability Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface.
CVE-2020-17519 Exploit Probability: 94.4%
May 23, 2024
Apache Superset Insecure Default Initialization of Resource Vulnerability Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altered the default configured SECRET_KEY according to installation instructions.
CVE-2023-27524 Exploit Probability: 80.3%
January 8, 2024
Apache ActiveMQ Deserialization of Untrusted Data Vulnerability Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
CVE-2023-46604 Exploit Probability: 94.4%
November 2, 2023
Apache RocketMQ Command Execution Vulnerability Several components of Apache RocketMQ, including NameServer, Broker, and Controller, are exposed to the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as or achieve the same effect by forging the RocketMQ protocol content.
CVE-2023-33246 Exploit Probability: 94.4%
September 6, 2023
Apache Tomcat Remote Code Execution Vulnerability Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.
CVE-2016-8735 Exploit Probability: 94.0%
May 12, 2023
Apache Log4j2 Deserialization of Untrusted Data Vulnerability Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
CVE-2021-45046 Exploit Probability: 94.3%
May 1, 2023
Apache Spark Command Injection Vulnerability Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
CVE-2022-33891 Exploit Probability: 94.3%
March 7, 2023
Apache APISIX Authentication Bypass Vulnerability Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.
CVE-2022-24112 Exploit Probability: 94.4%
August 25, 2022
Apache CouchDB Insecure Default Initialization of Resource Vulnerability Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges.
CVE-2022-24706 Exploit Probability: 94.4%
August 25, 2022
Apache Kylin OS Command Injection Vulnerability Apache Kylin contains an OS command injection vulnerability which could permit an attacker to perform remote code execution.
CVE-2020-1956 Exploit Probability: 93.7%
March 25, 2022
Apache Struts Improper Input Validation Vulnerability Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.
CVE-2013-2251 Exploit Probability: 94.2%
March 25, 2022
Apache Tomcat on Windows Remote Code Execution Vulnerability When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12615 Exploit Probability: 94.4%
March 25, 2022
Apache Tomcat Remote Code Execution Vulnerability When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12617 Exploit Probability: 94.4%
March 25, 2022
Apache Tomcat Improper Privilege Management Vulnerability Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.
CVE-2020-1938 Exploit Probability: 94.5%
March 3, 2022

Of the known exploited vulnerabilities above, 20 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

Top 10 Riskiest Apache Vulnerabilities

Based on the current exploit probability, these Apache vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2019-17558 94.5% Apache Solr 5.0.0-8.3.1 Remote Code Execution Vulnerability
2 CVE-2020-1938 94.5% Apache Tomcat Improper Privilege Management Vulnerability
3 CVE-2023-46604 94.4% Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
4 CVE-2021-40438 94.4% Apache HTTP Server-Side Request Forgery (SSRF)
5 CVE-2021-42013 94.4% Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal
6 CVE-2018-11776 94.4% Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution Vulnerability
7 CVE-2022-24112 94.4% Apache APISIX Authentication Bypass Vulnerability
8 CVE-2020-17519 94.4% Apache Flink Improper Access Control Vulnerability
9 CVE-2022-24706 94.4% Apache CouchDB Insecure Default Initialization of Resource Vulnerability
10 CVE-2021-41773 94.4% Apache HTTP Server Path Traversal Vulnerability

By the Year

In 2025 there have been 105 vulnerabilities in Apache with an average score of 7.7 out of ten. Last year, in 2024 Apache had 267 security vulnerabilities published. Right now, Apache is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.39.




Year Vulnerabilities Average Score
2025 105 7.73
2024 267 7.34
2023 269 7.48
2022 224 7.64
2021 212 7.60
2020 160 7.58
2019 159 7.29
2018 144 7.26

It may take a day or so for new Apache vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Security Vulnerabilities

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame

CVE-2025-53506 - July 10, 2025

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Resource Exhaustion

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector

CVE-2025-52434 - July 10, 2025

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

Race Condition

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS

CVE-2025-52520 - July 10, 2025

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Integer Overflow or Wraparound

HTTP response splitting in the core of Apache HTTP Server

CVE-2024-42516 - July 10, 2025

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

Improper Input Validation

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker

CVE-2024-43204 - July 10, 2025

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

SSRF

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions

CVE-2024-43394 - July 10, 2025

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

SSRF

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier

CVE-2024-47252 - July 10, 2025

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Improper Neutralization of Escape, Meta, or Control Sequences

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63

CVE-2025-23048 - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Authorization

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63

CVE-2025-49630 - July 10, 2025

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

assertion failure

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack

CVE-2025-49812 - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

authentification

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server

CVE-2025-53020 - July 10, 2025

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

Memory Leak

A vulnerability of plugin openid-connect in Apache APISIX

CVE-2025-46647 - July 02, 2025

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

Authentication Bypass by Assumed-Immutable Data

The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers

CVE-2024-35164 7.5 - High - July 02, 2025

The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue.

out-of-bounds array index

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating)

CVE-2025-32897 - June 28, 2025

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Marshaling, Unmarshaling

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake

CVE-2025-50213 - June 24, 2025

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue.

Special Element Injection

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1

CVE-2025-32896 - June 19, 2025

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Missing Authentication for Critical Function

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol

CVE-2025-31698 - June 19, 2025

ACL configured in ip_allow.config or remap.config does not use IP addresses that are provided by PROXY protocol. Users can use a new setting (proxy.config.acl.subjects) to choose which IP addresses to use for the ACL if Apache Traffic Server is configured to accept PROXY protocol.  This issue affects undefined: from 10.0.0 through 10.0.6, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Authorization

ESI plugin does not have the limit for maximum inclusion depth, and

CVE-2025-49763 - June 19, 2025

ESI plugin does not have the limit for maximum inclusion depth, and that allows excessive memory consumption if malicious instructions are inserted. Users can use a new setting for the plugin (--max-inclusion-depth) to limit it. This issue affects Apache Traffic Server: from 10.0.0 through 10.0.5, from 9.0.0 through 9.2.10. Users are recommended to upgrade to version 9.2.11 or 10.0.6, which fixes the issue.

Resource Exhaustion

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload

CVE-2025-48976 - June 16, 2025

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat

CVE-2025-49125 - June 16, 2025

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Authentication Bypass Using an Alternate Path or Channel

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows

CVE-2025-49124 - June 16, 2025

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Untrusted Path

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat

CVE-2025-48988 - June 16, 2025

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Allocation of Resources Without Limits or Throttling

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability was discovered in Apache NuttX RTOS apps/exapmles/xmlrpc application

CVE-2025-47869 - June 16, 2025

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability was discovered in Apache NuttX RTOS apps/exapmles/xmlrpc application. In this example application device stats structure that stored remotely provided parameters had hardcoded buffer size which could lead to buffer overflow. Structure members buffers were updated to valid size of CONFIG_XMLRPC_STRINGSIZE+1. This issue affects Apache NuttX RTOS users that may have used or base their code on example application as presented in releases from 6.22 before 12.9.0. Users of XMLRPC in Apache NuttX RTOS are advised to review their code for this pattern and update buffer sizes as presented in the version of the example in release 12.9.0.

Buffer Overflow

Out-of-bounds Write resulting in possible Heap-based Buffer Overflow vulnerability was discovered in tools/bdf-converter font conversion utility

CVE-2025-47868 - June 16, 2025

Out-of-bounds Write resulting in possible Heap-based Buffer Overflow vulnerability was discovered in tools/bdf-converter font conversion utility that is part of Apache NuttX RTOS repository. This standalone program is optional and neither part of NuttX RTOS nor Applications runtime, but active bdf-converter users may be affected when this tool is exposed to external provided user data data (i.e. publicly available automation). This issue affects Apache NuttX: from 6.9 before 12.9.0. Users are recommended to upgrade to version 12.9.0, which fixes the issue.

Memory Corruption

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs

CVE-2025-30675 - June 11, 2025

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.  This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.

Information Disclosure

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain

CVE-2025-47849 - June 10, 2025

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.  * API privilege comparison: the caller must possess all privileges of the user they are operating on.  * Two new domain-level settings (restricted to the default admin):  - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".  - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.

Improper Privilege Management

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain

CVE-2025-47713 - June 10, 2025

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role. * API privilege comparison: the caller must possess all privileges of the user they are operating on. * Two new domain-level settings (restricted to the default Admin): - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".    - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.

Improper Privilege Management

When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project

CVE-2025-26521 - June 10, 2025

When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account. CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details: Account Name kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> First Name Kubernetes Last Name Service User Account Type 0 (Normal User) Role ID <ID_OF_SERVICE_ROLE> 2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted. 3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account. 4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:    api-url = <API_URL>     # For example: <MS_URL>/client/api   api-key = <SERVICE_USER_API_KEY>   secret-key = <SERVICE_USER_SECRET_KEY>   project-id = <PROJECT_ID> Delete the existing secret using kubectl and Kubernetes cluster config:    ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Create a new secret using kubectl and Kubernetes cluster config:     ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Remove the temporary file:     rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.

Information Disclosure

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0

CVE-2025-22829 4.3 - Medium - June 10, 2025

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

Improper Privilege Management

A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client

CVE-2025-27817 - June 10, 2025

A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return the content in the error log, or sending requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuratin to read arbitrary contents of the disk and environment variables or make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed urls in SASL JAAS configuration. In 3.9.1, it accepts all urls by default for backward compatibility. However in 4.0.0 and newer, the default value is empty list and users have to set the allowed urls explicitly.

A possible security vulnerability has been identified in Apache Kafka

CVE-2025-27818 - June 10, 2025

A possible security vulnerability has been identified in Apache Kafka. This requires access to a alterConfig to the cluster resource, or Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka clusters since Apache Kafka 2.0.0 (Kafka Connect 2.3.0). When configuring the broker via config file or AlterConfig command, or connector via the Kafka Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.LdapLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" are disabled in Apache Kafka Connect 3.9.1/4.0.0. We advise the Kafka users to validate connector configurations and only allow trusted LDAP configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.

Marshaling, Unmarshaling

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API

CVE-2025-27819 - June 10, 2025

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

Marshaling, Unmarshaling

Kafbat UI is a web user interface for managing Apache Kafka clusters

CVE-2025-49127 - June 06, 2025

Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.

Marshaling, Unmarshaling

Deserialization of Untrusted Data vulnerability in Apache InLong

CVE-2025-27531 - June 06, 2025

Deserialization of Untrusted Data vulnerability in Apache InLong.  This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

Marshaling, Unmarshaling

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied

CVE-2025-46548 - June 03, 2025

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

authentification

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields

CVE-2025-48912 6.5 - Medium - May 30, 2025

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.

SQL Injection

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints

CVE-2025-46701 - May 29, 2025

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Improper Handling of Case Sensitivity

Improper Access Control vulnerability in Apache Commons

CVE-2025-48734 - May 28, 2025

Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enums class loader via the declaredClass property available on all Java enum objects. Accessing the enums declaredClass allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the declaredClass property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Authorization

Deserialization of Untrusted Data vulnerability in Apache InLong

CVE-2025-27528 - May 28, 2025

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747

Deserialization of Untrusted Data vulnerability in Apache InLong

CVE-2025-27526 - May 28, 2025

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability which can lead to JDBC Vulnerability URLEncdoe and backspace bypass. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/11747

Deserialization of Untrusted Data vulnerability in Apache InLong

CVE-2025-27522 - May 28, 2025

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732

Marshaling, Unmarshaling

Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components)

CVE-2025-35003 - May 26, 2025

Improper Restriction of Operations within the Bounds of a Memory Buffer and Stack-based Buffer Overflow vulnerabilities were discovered in Apache NuttX RTOS Bluetooth Stack (HCI and UART components) that may result in system crash, denial of service, or arbitrary code execution, after receiving maliciously crafted packets. NuttX's Bluetooth HCI/UART stack users are advised to upgrade to version 12.9.0, which fixes the identified implementation issues. This issue affects Apache NuttX: from 7.25 before 12.9.0.

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2025-26795 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

Insertion of Sensitive Information into Log File

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2025-26864 - May 14, 2025

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Information Disclosure

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB

CVE-2024-24780 - May 14, 2025

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.

Improper Authorization vulnerability in Apache Superset

CVE-2025-27696 - May 13, 2025

Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.

AuthZ

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ

CVE-2025-27533 - May 07, 2025

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.

Stack Exhaustion

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code

CVE-2025-46762 9.8 - Critical - May 06, 2025

Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.

External Control of File Name or Path

A flaw was found in the mod_auth_openidc module for Apache httpd

CVE-2025-3891 7.5 - High - April 29, 2025

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

Uncaught Exception

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat

CVE-2025-31651 9.8 - Critical - April 28, 2025

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Output Sanitization

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.