Vulnerabilities in Apache Software Foundation
1,872 results

CVE-2018-8032 (EPSS 10.6%): Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
CVE-2021-40690 (EPSS 10.4%): Bypass of the secureValidation property
CVE-2018-8039 (EPSS 10.4%): It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.
CVE-2016-5018 (EPSS 10.3%): In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application
CVE-2017-12626 (HIGH, EPSS 10.2%): Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF,
CVE-2022-47501 (HIGH, EPSS 10.2%): Apache OFBiz: Arbitrary file reading vulnerability
CVE-2017-7675 (EPSS 10.1%): The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented dir
CVE-2018-1283 (EPSS 10.1%): In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the defa
CVE-2018-1297 (EPSS 10.1%): When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to ge
CVE-2025-55754 (CRITICAL, EPSS 9.9%): Apache Tomcat: console manipulation via escape sequences in log messages
CVE-2021-30640 (EPSS 9.9%): Auth weakness in JNDIRealm
CVE-2026-49975 (HIGH, EPSS 9.8%): Apache HTTP Server: mod_http2 denial of service
CVE-2018-8041 (EPSS 9.8%): Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2020-17531 (EPSS 9.7%): Deserialization flaw in EOL Tapestry 4.
CVE-2018-11761 (EPSS 9.6%): In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expan
CVE-2019-0201 (EPSS 9.6%): An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permis
CVE-2017-9789 (EPSS 9.5%): When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been
CVE-2017-9804 (EPSS 9.5%): In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValida
CVE-2018-1311 (EPSS 9.5%): The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has
CVE-2021-26920 (EPSS 9.5%): Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended