Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface security teams have to manage. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalogue, a proportion 3.3 times the catalogue-wide average, which indicates sustained attention from threat actors on the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad review rather than one-off fixes. CVE-2021-40438 stands out as the vulnerability with the highest active risk at present, with the maximum EPSS score of 1.0 (the model's ceiling, meaning exploitation in the wild is effectively certain), which makes it an immediate remediation priority for any organisation running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2022-47502 | (none listed) | Apache OpenOffice: Macro URL arbitrary script execution | 1.0%
CVE-2024-41151 | HIGH | Apache HertzBeat: RCE by notice template injection vulnerability | 1.0%
CVE-2023-45757 | (none listed) | Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability | 1.0%
CVE-2026-41604 | HIGH | Apache Thrift: Swift Range crash in skip() | 1.0%
CVE-2023-25504 | MEDIUM | Apache Superset: Possible SSRF on import datasets | 0.9%
CVE-2022-45786 | HIGH | Apache AGE: Python and Golang drivers allow data manipulation and exposure due to SQL injection | 0.9%
CVE-2024-42062 | HIGH | Apache CloudStack: User Key Exposure to Domain Admins | 0.9%
CVE-2024-24772 | MEDIUM | Apache Superset: Improper Neutralisation of custom SQL on embedded context | 0.9%
CVE-2023-49734 | HIGH | Apache Superset: Privilege Escalation Vulnerability | 0.9%
CVE-2024-50305 | HIGH | Apache Traffic Server: Valid Host field value can cause crashes | 0.9%
CVE-2025-30177 | MEDIUM | Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering | 0.9%
CVE-2025-50151 | HIGH | Apache Jena: Configuration files uploaded by administrative users are not check properly | 0.9%
CVE-2024-38479 | HIGH | Apache Traffic Server: Cache key plugin is vulnerable to cache poisoning attack | 0.9%
CVE-2023-49198 | HIGH | Apache SeaTunnel Web: Arbitrary file read vulnerability | 0.9%
CVE-2023-34189 | (none listed) | Apache InLong: General user can delete and update process | 0.9%
CVE-2026-40473 | HIGH | Apache Camel Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP | 0.9%
CVE-2024-48019 | MEDIUM | Apache Doris: allows admin users to read arbitrary files through the REST API | 0.9%
CVE-2024-51504 | CRITICAL | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server | 0.9%
CVE-2024-42447 | CRITICAL | Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow | 0.9%
CVE-2024-45033 | HIGH | Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli | 0.9%
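The analysis above ranks by three signals (KEV membership, EPSS, severity), and the listing arrives from a page extraction with the CVE id, severity token, title and EPSS value run together on one line. The following is an added example, not Vexday's code and not from any Apache project: it parses that run-together format into records and orders them the way the analysis argues for. The regex, the `SEVERITY_RANK` weights, the `bucket` names and the `epss_floor` threshold are this example's own assumptions; the KEV set is deliberately left empty because membership has to come from CISA's feed, not be guessed. Note that the listing's "1.0%" is a probability of 0.01, not the 1.0 ceiling the analysis attributes to CVE-2021-40438, so the parser divides by 100.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One listing entry as it appears after extraction: CVE id, an optional severity
# token glued directly to it, the title, then "EPSS n.n%". The severity
# alternation is tried before the lazy title group, so "HIGHApache ..." yields
# severity HIGH and title "Apache ...". (Format assumption for this example.)
ENTRY_RE = re.compile(
    r"(CVE-\d{4}-\d{4,7})"
    r"(CRITICAL|HIGH|MEDIUM|LOW)?"
    r"(.*?)"
    r"EPSS\s+([0-9.]+)%"
)

# Assumed weights: higher is more severe; None covers entries with no severity shown.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, None: 0}


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: Optional[str]
    title: str
    epss: float  # fraction: the listing's "1.0%" becomes 0.01, not 1.0


def parse_listing(text: str) -> list[Entry]:
    """Split a run-together listing into structured entries."""
    return [
        Entry(cve, sev or None, title.strip(), float(pct) / 100.0)
        for cve, sev, title, pct in ENTRY_RE.findall(text)
    ]


def rank(entries: list[Entry], kev: frozenset[str] = frozenset()) -> list[Entry]:
    """Remediation order: KEV membership first (observed exploitation outranks any
    predicted probability), then EPSS descending, then severity, then CVE id so
    ties are deterministic."""
    return sorted(
        entries,
        key=lambda e: (e.cve not in kev, -e.epss, -SEVERITY_RANK[e.severity], e.cve),
    )


def bucket(entry: Entry, kev: frozenset[str] = frozenset(), epss_floor: float = 0.10) -> str:
    """Assumed triage buckets (this example's, not Vexday's): KEV entries and
    anything at or above epss_floor are 'now'; CRITICAL/HIGH below that are
    'next'; everything else is 'scheduled'."""
    if entry.cve in kev or entry.epss >= epss_floor:
        return "now"
    if entry.severity in ("CRITICAL", "HIGH"):
        return "next"
    return "scheduled"


# Constructed sample: four entries copied from the listing on this page and
# concatenated the way the extracted page presents them.
SAMPLE_LISTING = (
    "CVE-2022-47502Apache OpenOffice: Macro URL arbitrary script executionEPSS 1.0%"
    "CVE-2024-41151HIGHApache HertzBeat: RCE by notice template injection vulnerabilityEPSS 1.0%"
    "CVE-2024-51504CRITICALApache ZooKeeper: Authentication bypass with IP-based authentication in Admin ServerEPSS 0.9%"
    "CVE-2023-25504MEDIUMApache Superset: Possible SSRF on import datasetsEPSS 0.9%"
)

if __name__ == "__main__":
    # KEV membership must be loaded from CISA's feed; left empty rather than guessed.
    kev: frozenset[str] = frozenset()
    for e in rank(parse_listing(SAMPLE_LISTING), kev):
        print(f"{bucket(e, kev):9} {e.cve}  {e.severity or '-':8} EPSS={e.epss:.3f}  {e.title}")
```

On the sample, the two 1.0% entries sort ahead of the two 0.9% entries, and within each pair the rated entry (HIGH, CRITICAL) precedes the lower-rated one; none reaches the "now" bucket because 0.01 is well under the assumed floor, which is the point the percent-versus-fraction distinction makes.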