Exposure of Apache HTTP Server
Web servers

Exposure score: 536
Sites use: 1,583,700
Exploited: 5
Critical: 16

CVEs
169 results

CVE | Severity | EPSS | Description
CVE-2022-23943 | - | 50.4% | mod_sed: Read/write beyond bounds
CVE-2020-13950 | - | 49.1% | mod_proxy_http NULL pointer dereference
CVE-2016-0736 | - | 49.0% | In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly
CVE-2021-33193 | - | 46.2% | Request splitting via HTTP/2 method injection and mod_proxy
CVE-2026-23918 | HIGH | 42.8% | Apache HTTP Server: http2: double free and possible RCE on early reset
CVE-2026-21962 | CRITICAL | 42.7% | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Serve
CVE-2022-22721 | - | 41.9% | core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
CVE-2024-38476 | CRITICAL | 41.6% | Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2017-7679 | - | 39.3% | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Co
CVE-2021-39275 | - | 36.3% | ap_escape_quotes buffer overflow
CVE-2024-39573 | HIGH | 35.4% | Apache HTTP Server: mod_rewrite proxy handler substitution
CVE-2022-22720 | - | 28.2% | HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
CVE-2024-38473 | HIGH | 25.9% | Apache HTTP Server proxy encoding problem
CVE-2021-41524 | - | 25.0% | null pointer dereference in h2 fuzzing
CVE-2016-2161 | - | 21.0% | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continue
CVE-2017-3167 | - | 20.2% | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authent
CVE-2018-17199 | - | 20.0% | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes sess
CVE-2017-3169 | - | 20.0% | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_pr
CVE-2016-4975 | - | 19.8% | mod_userdir CRLF injection
CVE-2018-17189 | - | 19.4% | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that re