Microsoft Http Server
Recent Microsoft Http Server Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2026-34355 | CVE-2026-34355 Apache HTTP Server: mod_proxy_html buffer overflow | June 11, 2026 |
| CVE-2026-44185 | CVE-2026-44185 Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request` | June 11, 2026 |
| CVE-2026-34356 | CVE-2026-34356 Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow | June 11, 2026 |
| CVE-2026-44186 | CVE-2026-44186 Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp | June 11, 2026 |
| CVE-2026-42535 | CVE-2026-42535 Apache HTTP Server: mod_dav_fs protected directory access | June 11, 2026 |
| CVE-2026-44631 | CVE-2026-44631 Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow | June 11, 2026 |
| CVE-2026-29167 | CVE-2026-29167 Apache HTTP Server: mod_ldap per-dir use-after-free | June 11, 2026 |
| CVE-2026-43951 | CVE-2026-43951 Apache HTTP Server: OOB Read in `merge_response_headers` can cause crash | June 11, 2026 |
| CVE-2026-42536 | CVE-2026-42536 Apache HTTP Server: mod_xml2enc heap overflow | June 11, 2026 |
| CVE-2026-29170 | CVE-2026-29170 Apache HTTP Server: mod_proxy_ftp XSS | June 11, 2026 |
By the Year
In 2026 there have been 23 vulnerabilities in Microsoft Http Server with an average score of 7.2 out of ten. Last year, in 2025, Http Server had 13 security vulnerabilities published. That is, 10 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.14.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 23 | 7.21 |
| 2025 | 13 | 7.35 |
| 2024 | 5 | 6.40 |
It may take a day or so for new Http Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Microsoft Http Server Security Vulnerabilities
Apache HTTP Server mod_http DoS via Excessive Memory Allocation (2.4.17-2.4.67)
CVE-2026-49975
7.5 - High
- June 08, 2026
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Stack Exhaustion
Apache HTTP Server 2.4.55-2.4.67 Mod_http2 Use-After-Free Exhausted Handles
CVE-2026-48913
7.3 - High
- June 08, 2026
Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.
Dangling pointer
Heap Overflow in mod_xml2enc of Apache HTTP Svr 2.4.0-2.4.67 (fixed 2.4.68)
CVE-2026-42536
7.5 - High
- June 08, 2026
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Heap-based Buffer Overflow
Apache HTTP Server 2.4.0-2.4.67 OCSP Outbound Buffer Over-read
CVE-2026-44185
7.3 - High
- June 08, 2026
Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Buffer Over-read
Apache HTTP Server 2.4.67 mod_proxy_html Buffer Overflow CVE-2026-34355
CVE-2026-34355
7.5 - High
- June 08, 2026
A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Heap-based Buffer Overflow
Apache HTTP Server 2.4.0-2.4.67 Buffer Underwrite via Regex
CVE-2026-44631
9.8 - Critical
- June 08, 2026
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
buffer underrun
Apache HTTP Server 2.4.67 Improper Privilege Mng in .htaccess (Fixed 2.4.68)
CVE-2026-44119
5.5 - Medium
- June 08, 2026
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Improper Privilege Management
Apache HTTP Server <= 2.4.67: OOB Read in mod_headers/mod_mime
CVE-2026-43951
6.5 - Medium
- June 08, 2026
Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Out-of-bounds Read
Apache 2.4.68 - Path Handling Vulnerability in mod_dav_fs (CVE-2026-42535)
CVE-2026-42535
9.1 - Critical
- June 08, 2026
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Exposure of Resource to Wrong Sphere
Apache HTTP Server 2.4.0-2.4.67 Heap Buffer Overflow via ProxyPassReverseCookie
CVE-2026-34356
7.5 - High
- June 08, 2026
Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Heap-based Buffer Overflow
Apache HTTP 2.4.x mod_proxy_ftp Infinite Loop (before 2.4.68)
CVE-2026-44186
7.3 - High
- June 08, 2026
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker-controlled backend FTP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Infinite Loop
Apache HTTP Server 2.4.67 XSS in mod_proxy_ftp Dir List Generation
CVE-2026-29170
6.1 - Medium
- June 08, 2026
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
XSS
Apache HTTP 2.4.0-2.4.67 Use-After-Free mod_ldap (per-dir) fixed in 2.4.68
CVE-2026-29167
9.8 - Critical
- June 08, 2026
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Dangling pointer
Apache HTTP Server 2.4.30-2.4.66 mod_md OCSP Resource Exhaustion Vulnerability
CVE-2026-29168
7.3 - High
- May 05, 2026
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Allocation of Resources Without Limits or Throttling
Apache HTTP Server 2.4.66 mod_dav_lock Null PTR Crash
CVE-2026-29169
7.5 - High
- May 04, 2026
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.
NULL Pointer Dereference
Apache HTTP Server 2.4.66 Double Free via HTTP/2 (possible RCE)
CVE-2026-23918
8.8 - High
- May 04, 2026
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Double-free
Timing Att. Mod Auth Digest Bypass in Apache HTTP Server 2.4.66
CVE-2026-33006
4.8 - Medium
- May 04, 2026
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Observable Timing Discrepancy
Apache HTTP Server 2.4.66: mod_authn_socache NULL deref crash (before 2.4.67)
CVE-2026-33007
5.3 - Medium
- May 04, 2026
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
NULL Pointer Dereference
Apache HTTP Server 2.4.66 Response Splitting via Modules
CVE-2026-33523
6.5 - Medium
- May 04, 2026
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
DEPRECATED (Duplicate): HTTP response splitting
Apache HTTP Server 2.4.66: OOB Read in mod_proxy_ajp (fixed 2.4.67)
CVE-2026-33857
5.3 - Medium
- May 04, 2026
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Out-of-bounds Read
Apache HTTP Server <=2.4.66 Null-Termination OOB Read
CVE-2026-34032
5.3 - Medium
- May 04, 2026
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Improper Null Termination
Apache HTTP Server 2.4.66 Buffer Over-Read Vulnerability
CVE-2026-34059
7.5 - High
- May 04, 2026
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Buffer Over-read
CVE-2026-24072: Apache HTTPD 2.4.66-2.4.67 Priv Escalation via .htaccess
CVE-2026-24072
8.8 - High
- May 04, 2026
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Improper Privilege Management
Apache HTTP Server <2.4.66: SSI Exec Cmd Shell Injection via mod_cgid
CVE-2025-58098
8.3 - High
- December 05, 2025
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Insertion of Sensitive Information Into Sent Data
Apache HTTP Server 2.4.7-2.4.65 AllowOverride FileInfo Bypass
CVE-2025-66200
5.4 - Medium
- December 05, 2025
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in .htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Authentication Bypass Using an Alternate Path or Channel
Apache HTTP Server 2.4.0-2.4.65 ENV Var XSS via config, fixed in 2.4.66
CVE-2025-65082
6.5 - Medium
- December 05, 2025
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server: environment variables set via the Apache configuration unexpectedly supersede variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Improper Neutralization of Escape, Meta, or Control Sequences
Apache HTTP Server SSRF NTLM Leak via AllowEncodedSlashes, Fixed 2.4.66
CVE-2025-59775
7.5 - High
- December 05, 2025
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off can allow NTLM hashes to be leaked to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
SSRF
Apache HTTPd 2.4.30-2.4.65 Integer Overflow in ACME Renewal Zero Backoff Timer
CVE-2025-55753
7.5 - High
- December 05, 2025
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Integer Overflow or Wraparound
Apache HTTP 2.4.64: RewriteCond expr always true bug
CVE-2025-54090
6.3 - Medium
- July 23, 2025
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
Incorrect Check of Function Return Value
Apache HTTP Server Memory Leak before 2.4.64 (CVE-2025-53020)
CVE-2025-53020
7.5 - High
- July 10, 2025
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.
Memory Leak
Apache HTTP Server 2.4.63 mod_ssl log injection via unsanitized SSL var
CVE-2024-47252
7.5 - High
- July 10, 2025
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Improper Neutralization of Escape, Meta, or Control Sequences
Apache HTTP Server 2.4.x SSRF via mod_proxy+mod_headers (before 2.4.64)
CVE-2024-43204
7.5 - High
- July 10, 2025
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
SSRF
Apache HTTP Server 2.4.64+ fixes HTTP response splitting in core
CVE-2024-42516
7.5 - High
- July 10, 2025
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
Improper Input Validation
Apache HTTP Server 2.4.63 & earlier mod_ssl: HTTP Desync via TLS Upgrade
CVE-2025-49812
7.4 - High
- July 10, 2025
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
authentication
Apache HTTP Server 2.4.x: mod_proxy_http2 assertion triggers DoS via proxy
CVE-2025-49630
7.5 - High
- July 10, 2025
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
assertion failure
Apache Httpd 2.4.35-2.4.63 mod_ssl TLS1.3 SR Access Ctrl Bypass
CVE-2025-23048
9.1 - Critical
- July 10, 2025
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
Authorization
Apache HTTPD 2.4.61 Local Disclosure via Legacy ContentType Config
CVE-2024-40725
5.3 - Medium
- July 18, 2024
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Exposure of Resource to Wrong Sphere
Apache HTTP Server 2.4.60 regression enables local source disclosure via AddType
CVE-2024-39884
- July 04, 2024
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
Null Pointer deref on WebSocket over HTTP/2 upgrade in Jetty
CVE-2024-36387
- July 01, 2024
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
NULL Pointer Dereference
Apache 2.4.59 mod_proxy URL Encoding Flaw Auth Bypass
CVE-2024-38473
- July 01, 2024
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Output Sanitization
nghttp2 Memory Exhaustion via HTTP/2 Header Buffer Overflow
CVE-2024-27316
7.5 - High
- April 04, 2024
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
Allocation of Resources Without Limits or Throttling