Vulnerabilities in Apache Software Foundation

1,894 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization operating the affected Apache components.

CVE-2023-24977 | HIGH | Apache InLong: Jdbc Connection causes arbitrary file reading in InLong | EPSS 1.2%
CVE-2023-25141 | HIGH | JNDI injection into Apache sling-org-apache-sling-jcr-base | EPSS 1.2%
CVE-2023-30575 | MEDIUM | Apache Guacamole: Incorrect calculation of Guacamole protocol element lengths | EPSS 1.2%
CVE-2023-36543 | Apache Airflow: ReDoS via dags function | EPSS 1.2%
CVE-2024-51569 | HIGH | Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event handler | EPSS 1.2%
CVE-2023-37415 | HIGH | Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user | EPSS 1.2%
CVE-2025-49630 | HIGH | Apache HTTP Server: mod_proxy_http2 denial of service | EPSS 1.1%
CVE-2024-41890 | MEDIUM | Apache Answer: The link to reset the user's password will remain valid after sending a new link | EPSS 1.1%
CVE-2023-29055 | HIGH | Apache Kylin: Insufficiently protected credentials in config file | EPSS 1.1%
CVE-2023-25621 | MEDIUM | Apache Sling does not allow to handle i18n content in a secure way | EPSS 1.1%
CVE-2026-24308 | MEDIUM | Apache ZooKeeper: Sensitive information disclosure in client configuration handling | EPSS 1.1%
CVE-2024-23114 | CRITICAL | Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository | EPSS 1.1%
CVE-2026-41606 | MEDIUM | Apache Thrift: c_glib dispatch stack overflow | EPSS 1.1%
CVE-2022-24947 | Apache JSPWiki CSRF Account Takeover | EPSS 1.1%
CVE-2023-42504 | MEDIUM | Apache Superset: Lack of rate limiting allows for possible denial of service | EPSS 1.1%
CVE-2025-61795 | MEDIUM | Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS | EPSS 1.1%
CVE-2023-34150 | MEDIUM | Apache Any23: Possible excessive allocation of resources reading input. | EPSS 1.1%
CVE-2025-24814 | MEDIUM | Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files | EPSS 1.1%
CVE-2017-7662 | Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has a Client Registration Service, which is a simple web application that | EPSS 1.1%
CVE-2026-43515 | CRITICAL | Apache Tomcat: Security constraints not correctly applied | EPSS 1.1%