A

Apache Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Apache products.

124 known CVE vulnerabilities tracked

Critical
16
High
52
Medium
52
Low
4
None
0

Vulnerabilities By Year

1
2009
1
2018
1
2019
1
2020
3
2021
4
2022
3
2025
110
2026

Products Affected

Airflow 19 Ofbiz 17 Tomcat 13 Http Server 12 Thrift 11 Log4J 8 Activemq 4 Wicket 4 Shiro 4 Openmeetings 3 Cloudstack 3 Neethi 3 Storm 3 Mina 2 Syncope 2 Nifi 2 Directory Ldap Api 1 Solr 1 Mina Sshd 1 Apache-Airflow-Providers-Edge3 1 Chainsaw 1 Echarts 1 Apache-Airflow-Providers-Google 1 Apache-Airflow-Providers-Fab 1 Pony Mail 1 Poi 1 Commons Configuration 1 Atlas 1 Xalan-Java 1 Fory 1

All Apache CVEs

Recent Highest Score Oldest
CVE-2026-34032
5.3 medium

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Http Server May 4, 2026
CVE-2026-33857
5.3 medium

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Http Server May 4, 2026
CVE-2026-34059
7.5 high

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Http Server May 4, 2026
CVE-2026-24072
8.8 high

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Http Server May 4, 2026
CVE-2026-42779
9.8 critical

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the clas

Mina May 1, 2026
CVE-2026-42778
9.8 critical

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a s

Mina May 1, 2026
CVE-2026-42404
6.5 medium

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses.

Neethi May 1, 2026
CVE-2026-42403
7.5 high

Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, le

Neethi May 1, 2026
CVE-2026-42402
7.5 high

Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the

Neethi May 1, 2026
CVE-2026-41016
5.9 medium

Apache Airflow's SMTP provider `SmtpHook` called Python's `smtplib.SMTP.starttls()` without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS

Airflow Apr 30, 2026
CVE-2026-41873
9.8 critical

** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development u

Pony Mail Apr 28, 2026
CVE-2026-41636
7.5 high

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41607
6.5 medium

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41606
5.3 medium

Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41605
7.3 high

Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41604
8.2 high

Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41603
7.4 high

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2026-41602
7.5 high

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Thrift Apr 28, 2026
CVE-2025-48431
7.5 high

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash an c_glib-based Thrift serve

Thrift Apr 28, 2026
CVE-2026-41081
6.5 medium

Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication (the default configuration), the TlsTranspo

Storm Apr 27, 2026
CVE-2026-25219
6.5 medium

The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azu

Airflow Apr 15, 2026
CVE-2025-54550
8.1 high

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly tru

Airflow Apr 15, 2026
CVE-2026-35565
5.4 medium

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI Versions Affected: before 2.8.6 Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in p

Storm Apr 13, 2026
CVE-2026-35337
8.8 high

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering

Storm Apr 13, 2026