Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio holds 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for broad rather than case-by-case review. Of particular note is CVE-2021-40438, currently the vulnerability with the highest active risk, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2022-43721 (MEDIUM) - Apache Superset: Open Redirect Vulnerability - EPSS 1.0%
CVE-2025-24860 (MEDIUM) - Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions - EPSS 1.0%
CVE-2023-38522 (HIGH) - Apache Traffic Server: Incomplete field name check allows request smuggling - EPSS 1.0%
CVE-2023-32200 (HIGH) - Apache Jena: Exposure of execution in script engine expressions. - EPSS 1.0%
CVE-2018-11781 - Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax. - EPSS 1.0%
CVE-2023-25195 (HIGH) - Apache Fineract: SSRF template type vulnerability in certain authenticated users - EPSS 1.0%
CVE-2026-41044 (HIGH) - Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia - EPSS 1.0%
CVE-2023-35887 (MEDIUM) - Apache MINA SSHD: Information disclosure bugs with RootedFilesystem - EPSS 1.0%
CVE-2024-42222 (MEDIUM) - Apache CloudStack: Unauthorised Network List Access - EPSS 1.0%
CVE-2025-27696 (MEDIUM) - Apache Superset: Incorrect authorization leading to resource ownership takeover - EPSS 1.0%
CVE-2023-50944 (MEDIUM) - Apache Airflow: Bypass permission verification to read code of other dags - EPSS 1.0%
CVE-2024-35161 (CRITICAL) - Apache Traffic Server: Incomplete check for chunked trailer section allows request smuggling - EPSS 1.0%
CVE-2025-23048 (CRITICAL) - Apache HTTP Server: mod_ssl access control bypass with session resumption - EPSS 1.0%
CVE-2024-27315 (MEDIUM) - Apache Superset: Improper error handling on alerts - EPSS 1.0%
CVE-2023-46227 (HIGH) - Apache inlong has an Arbitrary File Read Vulnerability - EPSS 1.0%
CVE-2026-41605 (HIGH) - Apache Thrift: Swift Compact Protocol integer overflow - EPSS 1.0%
CVE-2026-41607 (MEDIUM) - Apache Thrift: C++ JSON OOB read - EPSS 1.0%
CVE-2024-29217 (MEDIUM) - Apache Answer: XSS vulnerability when changing personal website - EPSS 1.0%
CVE-2024-36263 (HIGH) - Apache Submarine Server Core: SQL injection - EPSS 1.0%
CVE-2024-27438 (CRITICAL) - Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution - EPSS 1.0%