Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0, meaning exploitation in practice is near certain; this makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2023-50378 [MEDIUM] Apache Ambari: Various XSS problems (EPSS 1.2%)
CVE-2025-54813 [MEDIUM] Apache Log4cxx: Improper escaping with JSONLayout (EPSS 1.2%)
CVE-2023-50943 [HIGH] Apache Airflow: Potential pickle deserialization vulnerability in XComs (EPSS 1.2%)
CVE-2025-35003 [CRITICAL] Apache NuttX RTOS: NuttX Bluetooth Stack HCI and UART DoS/RCE Vulnerabilities (EPSS 1.2%)
CVE-2023-28754 [HIGH] ShardingSphere-Agent: Deserialization vulnerability in ShardingSphere Agent (EPSS 1.2%)
CVE-2023-27604 [HIGH] Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability (EPSS 1.2%)
CVE-2023-28936 [MEDIUM] Apache OpenMeetings: insufficient check of invitation hash (EPSS 1.2%)
CVE-2023-46215 [HIGH] Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend (EPSS 1.2%)
CVE-2023-48796 Apache dolphinscheduler sensitive information disclosure (EPSS 1.2%)
CVE-2024-50378 [MEDIUM] Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli (EPSS 1.2%)
CVE-2025-54472 [HIGH] Apache bRPC: Redis Parser Remote Denial of Service (EPSS 1.2%)
CVE-2022-42467 [MEDIUM] h2 webconsole (available only in prototype mode) should nevertheless be disabled by default. (EPSS 1.2%)
CVE-2024-41172 [MEDIUM] Apache CXF: Unrestricted memory consumption in CXF HTTP clients (EPSS 1.2%)
CVE-2022-41672 Session still functional after user is deactivated (EPSS 1.2%)
CVE-2013-4317 In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the us (EPSS 1.2%)
CVE-2018-17184 A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names (EPSS 1.2%)
CVE-2022-41703 [MEDIUM] Apache Superset: SQL injection vulnerability in adhoc clauses (EPSS 1.2%)
CVE-2022-46363 [HIGH] Apache CXF directory listing / code exfiltration (EPSS 1.2%)
CVE-2023-35088 [CRITICAL] Apache InLong: SQL injection in audit endpoint (EPSS 1.2%)
CVE-2022-40308 [HIGH] Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files (EPSS 1.2%)