Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio has 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is particularly concerning: 28 vulnerabilities (about 1.5% of the portfolio) appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates sustained attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 stands out as the highest active-risk vulnerability at present, with the maximum EPSS score of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization running the affected Apache components.
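The analysis above ranks risk by KEV membership first, then EPSS, then public proof of concept, then severity label. The following is an added example, not Vexday's own code, that encodes that ordering as a small triage scorer and reproduces the page's summary counts (critical, public PoC, KEV) over a constructed set of records. The sample records reuse identifiers and EPSS values that appear on this page; the in_kev and public_poc flags and the 0.1 EPSS threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal rank for the severity labels shown on the listing; None = no label shown.
SEVERITY_RANK: Dict[Optional[str], int] = {
    "CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, None: 0,
}

# Assumed threshold: EPSS at or above this is treated as "likely exploited".
EPSS_HIGH = 0.1


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    title: str
    severity: Optional[str]      # label as displayed on the page, or None
    epss: float                  # EPSS probability in [0.0, 1.0]
    in_kev: bool = False         # listed in CISA's KEV catalog
    public_poc: bool = False     # a public proof of concept exists


def priority_key(rec: CveRecord):
    """Sort key implementing KEV > EPSS > public PoC > severity > raw EPSS."""
    return (
        rec.in_kev,
        rec.epss >= EPSS_HIGH,
        rec.public_poc,
        SEVERITY_RANK[rec.severity],
        rec.epss,
    )


def rank(records: List[CveRecord]) -> List[CveRecord]:
    """Return records ordered from most to least urgent."""
    return sorted(records, key=priority_key, reverse=True)


def triage_tier(rec: CveRecord) -> str:
    """Human-readable bucket matching the ordering used by priority_key."""
    if rec.in_kev:
        return "P1-KEV"
    if rec.epss >= EPSS_HIGH:
        return "P1-EPSS"
    if rec.public_poc:
        return "P2-PoC"
    if rec.severity == "CRITICAL":
        return "P2-critical"
    return "P3"


def summarize(records: List[CveRecord]) -> Dict[str, int]:
    """Counts of the kind the portfolio summary reports."""
    return {
        "total": len(records),
        "critical": sum(r.severity == "CRITICAL" for r in records),
        "public_poc": sum(r.public_poc for r in records),
        "kev": sum(r.in_kev for r in records),
    }


# Constructed sample. IDs and EPSS values come from this page; the KEV/PoC
# flags are assumptions for the sake of the example, not catalog facts.
SAMPLE: List[CveRecord] = [
    CveRecord("CVE-2024-45784", "Apache Airflow: sensitive config not masked in logs",
              "HIGH", 0.013),
    CveRecord("CVE-2025-58782", "Apache Jackrabbit: JNDI injection risk",
              "MEDIUM", 0.013),
    CveRecord("CVE-2024-31864", "Apache Zeppelin: RCE via malicious JDBC string",
              "CRITICAL", 0.013),
    CveRecord("CVE-2024-23538", "Apache Fineract: sqlSearch SQL injection",
              "CRITICAL", 0.013, public_poc=True),          # PoC flag assumed
    CveRecord("CVE-2021-40438", "highest active-risk entry per the analysis",
              None, 1.0, in_kev=True),                       # KEV flag assumed
]


def ranked_ids(records: List[CveRecord] = SAMPLE) -> List[str]:
    return [r.cve_id for r in rank(records)]


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for r in rank(SAMPLE):
        print(f"{triage_tier(r):12} {r.cve_id:15} epss={r.epss:<5} {r.title}")
```

The key design point is that the tuple comparison makes each earlier signal dominate every later one: a KEV entry with no severity label still outranks a CRITICAL entry with a public PoC, which is the ordering the analysis argues for.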

CVE | Severity | Title | EPSS
CVE-2021-41832 | - | Content Manipulation with Certificate Validation Attack | 1.3%
CVE-2023-25196 | - | Apache Fineract: SQL injection vulnerability | 1.3%
CVE-2024-45784 | HIGH | Apache Airflow: Sensitive configuration values are not masked in the logs by default | 1.3%
CVE-2023-49733 | - | Apache Cocoon's StreamGenerator is vulnerable to XXE injection | 1.3%
CVE-2024-23538 | CRITICAL | Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. | 1.3%
CVE-2023-31062 | CRITICAL | Apache InLong: Privilege escalation vulnerability for InLong | 1.3%
CVE-2022-37023 | - | Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11 | 1.3%
CVE-2025-58782 | MEDIUM | Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory | 1.3%
CVE-2017-7681 | - | Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and | 1.3%
CVE-2025-64405 | HIGH | Apache OpenOffice: Remote documents loaded without prompt via DDE function | 1.3%
CVE-2025-27553 | HIGH | Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT | 1.3%
CVE-2022-36124 | HIGH | Memory overconsumption in Avro Rust SDK | 1.3%
CVE-2026-25747 | HIGH | Apache Camel LevelDB: Deserialization of Untrusted Data in Camel LevelDB | 1.3%
CVE-2024-32007 | HIGH | Apache CXF Denial of Service vulnerability in JOSE | 1.3%
CVE-2023-35798 | - | Airflow Apache ODBC and MSSQL Providers Arbitrary File Read Vulnerability | 1.3%
CVE-2023-28326 | CRITICAL | Apache OpenMeetings: allows user impersonation | 1.3%
CVE-2025-61734 | HIGH | Apache Kylin: improper restriction of file read | 1.3%
CVE-2023-41081 | HIGH | Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request | 1.3%
CVE-2024-31864 | CRITICAL | Apache Zeppelin: Remote code execution by adding malicious JDBC connection string | 1.3%
CVE-2020-11983 | - | An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC | 1.3%