Apache HTTP Server

Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67)
CVE-2026-49975 7.5 - High - June 08, 2026

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

Stack Exhaustion

Apache HTTP Server 2.4.55-2.4.67 Mod_http2 Use-After-Free Exhausted Handles
CVE-2026-48913 7.3 - High - June 08, 2026

Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

Dangling pointer

Heap Overflow in mod_xml2enc of Apache HTTP Svr 2.4.02.4.672.4.68
CVE-2026-42536 7.5 - High - June 08, 2026

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Heap-based Buffer Overflow

Apache HTTP Server 2.4.0-2.4.67 OCSP Outbound Buffer Over-read
CVE-2026-44185 7.3 - High - June 08, 2026

Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Buffer Over-read

Apache HTTP Server 2.4.67 mod_proxy_html Buffer Overflow CVE-2026-34355
CVE-2026-34355 7.5 - High - June 08, 2026

A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Heap-based Buffer Overflow

Apache HTTP Server 2.4.0-2.4.67 Buffer Underwrite via Regex
CVE-2026-44631 9.8 - Critical - June 08, 2026

Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

buffer underrun

Apache HTTP Server 2.4.67 Improper Privilege Mng in .htaccess (Fixed 2.4.68)
CVE-2026-44119 5.5 - Medium - June 08, 2026

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Improper Privilege Management

Apache HTTP Server <= 2.4.67: OOB Read in mod_headers/mod_mime
CVE-2026-43951 6.5 - Medium - June 08, 2026

Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Out-of-bounds Read

Apache 2.4.68 - Path Handling Vulnerability in mod_dav_fs (CVE-2026-42535)
CVE-2026-42535 9.1 - Critical - June 08, 2026

A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Exposure of Resource to Wrong Sphere

Apache HTTP Server 2.4.0-2.4.67 Heap Buffer Overflow via ProxyPassReverseCookie
CVE-2026-34356 7.5 - High - June 08, 2026

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie* This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Heap-based Buffer Overflow

Apache HTTP 2.4.x mod_proxy_ftp Infinite Loop (before 2.4.68)
CVE-2026-44186 7.3 - High - June 08, 2026

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server. This issue affects undefined: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Infinite Loop

Apache HTTP Server 2.4.67 XSS in mod_proxy_ftp Dir List Generation
CVE-2026-29170 6.1 - Medium - June 08, 2026

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

XSS

Apache HTTP 2.4.02.4.67 Use-After-Free mod_ldap (per-dir) fixed in 2.4.68
CVE-2026-29167 9.8 - Critical - June 08, 2026

Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Dangling pointer

Apache HTTP Server 2.4.66 mod_proxy_ajp Heap Buffer Overflow (CVE-2026-28780)
CVE-2026-28780 9.8 - Critical - May 05, 2026

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Heap-based Buffer Overflow

Apache HTTP Server 2.4.30-2.4.66 mod_md OCSP Resource Exhaustion Vulnerability
CVE-2026-29168 7.3 - High - May 05, 2026

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Allocation of Resources Without Limits or Throttling

Apache HTTP Server 2.4.66 mod_dav_lock Null PTR Crash
CVE-2026-29169 7.5 - High - May 04, 2026

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

NULL Pointer Dereference

Apache HTTP Server 2.4.66 Double Free via HTTP/2 (possible RCE)
CVE-2026-23918 8.8 - High - May 04, 2026

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Double-free

Timing Att. Mod Auth Digest Bypass in Apache HTTP Server 2.4.66
CVE-2026-33006 4.8 - Medium - May 04, 2026

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Observable Timing Discrepancy

Apache HTTP Server 2.4.66: mod_authn_socache NULL deref crash (before 2.4.67)
CVE-2026-33007 5.3 - Medium - May 04, 2026

A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

NULL Pointer Dereference

Apache HTTP Server 2.4.66 Response Splitting via Modules
CVE-2026-33523 6.5 - Medium - May 04, 2026

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

DEPRECATED (Duplicate): HTTP response splitting

Apache HTTP Server 2.4.66: OOB Read in mod_proxy_ajp (fixed 2.4.67)
CVE-2026-33857 5.3 - Medium - May 04, 2026

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Out-of-bounds Read

Apache HTTP Server <=2.4.66 Null-Termination OOB Read
CVE-2026-34032 5.3 - Medium - May 04, 2026

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Improper Null Termination

Apache HTTP Server 2.4.66 Buffer Over-Read Vulnerability
CVE-2026-34059 7.5 - High - May 04, 2026

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Buffer Over-read

CVE-2026-24072: Apache HTTPD 2.4.66-2.4.67 Priv Escalation via .htaccess
CVE-2026-24072 8.8 - High - May 04, 2026

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Improper Privilege Management

Apache HTTP Server <2.4.66: SSI Exec Cmd Shell Injection via mod_cgid
CVE-2025-58098 8.3 - High - December 05, 2025

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Insertion of Sensitive Information Into Sent Data

Apache HTTP Server 2.4.765 AllowOverride FileInfo Bypass
CVE-2025-66200 5.4 - Medium - December 05, 2025

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Authentication Bypass Using an Alternate Path or Channel

Apache HTTP Server 2.4.02.4.65 ENV Var XSS via config, fixed in 2.4.66
CVE-2025-65082 6.5 - Medium - December 05, 2025

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.

Improper Neutralization of Escape, Meta, or Control Sequences

Apache HTTP Server SSRF NTLM Leak via AllowEncodedSlashes, Fixed 2.4.66
CVE-2025-59775 7.5 - High - December 05, 2025

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.

SSRF

Apache HTTPd 2.4.30-2.4.65 Integer Overflow in ACME Renewal Zero Backoff Timer
CVE-2025-55753 7.5 - High - December 05, 2025

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Integer Overflow or Wraparound

Apache HTTP Server DoS via crafted HTTP requests
CVE-2025-64388 - October 31, 2025

Denial of service of the web server through specific requests to this protocol

Resource Exhaustion

Apache HTTP 2.4.64: RewriteCond expr always true bug
CVE-2025-54090 6.3 - Medium - July 23, 2025

A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

Incorrect Check of Function Return Value

Apache HTTP Server Memory Leak before 2.4.64 (CVE-2025-53020)
CVE-2025-53020 7.5 - High - July 10, 2025

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

Memory Leak

Apache HTTP Server 2.4.63 & earlier mod_ssl: HTTP Desync via TLS Upgrade
CVE-2025-49812 7.4 - High - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

authentification

Apache HTTP Server 2.4.x: mod_proxy_http2 assertion triggers DoS via proxy
CVE-2025-49630 7.5 - High - July 10, 2025

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

assertion failure

Apache Httpd 2.4.35-2.4.63 mod_ssl TLS1.3 SR Access Ctrl Bypass
CVE-2025-23048 9.1 - Critical - July 10, 2025

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Authorization

Apache HTTP Server 2.4.63 mod_ssl log injection via unsanitized SSL var
CVE-2024-47252 7.5 - High - July 10, 2025

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Improper Neutralization of Escape, Meta, or Control Sequences

Apache HTTP Server SSRF via mod_rewrite/expressions (2.4.0-2.4.63)
CVE-2024-43394 7.5 - High - July 10, 2025

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

SSRF

Apache HTTP Server 2.4.x SSRF via mod_proxy+mod_headers (before 2.4.64)
CVE-2024-43204 7.5 - High - July 10, 2025

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

SSRF

Apache HTTP Server 2.4.64+ fixes HTTP response splitting in core
CVE-2024-42516 7.5 - High - July 10, 2025

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

Improper Input Validation

Apache HTTPD Insecure Config: Directory Listing via Unnecessary Modules
CVE-2025-27452 - July 03, 2025

The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules pose a risk to the webserver which enable dircetory listing.

Apache mod_auth_openidc POST Crash via OIDCPreservePost
CVE-2025-3891 7.5 - High - April 29, 2025

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

Uncaught Exception

Apache HTTP Server mod_proxy_cluster <Directory> misconfig allows MCMP hijack
CVE-2024-10306 5.4 - Medium - April 23, 2025

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

AuthZ

D-Link DAP-2310 ATP Binary Buffer Overflow 1.16RC028
CVE-2024-45623 - September 02, 2024

D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Apache HTTPD 2.4.61 Local Disclosure via Legacy ContentType Config
CVE-2024-40725 5.3 - Medium - July 18, 2024

A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.

Exposure of Resource to Wrong Sphere

SSRF via mod_rewrite in Apache HTTP Server on Windows (pre-2.4.62)
CVE-2024-40898 7.5 - High - July 18, 2024

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. 

SSRF

Apache HTTP Server 2.4.60 regression enables local source disclosure via AddType
CVE-2024-39884 - July 04, 2024

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Apache HTTP Server 2.4.59 NPE in mod_proxy Crash (Upgrade to 2.4.60)
CVE-2024-38477 7.5 - High - July 01, 2024

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

NULL Pointer Dereference

Null Pointer deref on WebSocket over HTTP/2 upgrade in Jetty
CVE-2024-36387 - July 01, 2024

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

NULL Pointer Dereference

Apache HTTP Server 2.4.59 Info Disclosure/SSRF via Malicious Response Headers
CVE-2024-38476 9.8 - Critical - July 01, 2024

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Inclusion of Functionality from Untrusted Control Sphere

Apache HTTP Server mod_rewrite SSRF before 2.4.60 via mod_proxy
CVE-2024-39573 7.5 - High - July 01, 2024

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Improper Input Validation