Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio holds 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad rather than point-by-point review. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with the maximum EPSS score of 1.0, meaning exploitation in practice is virtually certain, which makes it an immediate remediation priority for any organization running the affected Apache components.

- CVE-2021-40331 [HIGH] Permissions problem in the Apache Ranger Hive Plugin (EPSS 0.9%)
- CVE-2023-37581 Apache Roller: Roller's weblog category, weblog settings and file-upload features did not properly sanitize input and could be exploited to perform Reflected Cross Site Scripting (XSS) even on a Roller site configured for untrusted users. (EPSS 0.9%)
- CVE-2017-15719 In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG edi (EPSS 0.9%)
- CVE-2026-25747 [HIGH] Apache Camel LevelDB: Deserialization of Untrusted Data in Camel LevelDB (EPSS 0.9%)
- CVE-2025-54831 [MEDIUM] Apache Airflow: Connection sensitive details exposed to users with READ permissions (EPSS 0.9%)
- CVE-2026-42779 [CRITICAL] Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2) (EPSS 0.9%)
- CVE-2017-17835 In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for a remote command injection on a default install of Airflow. (EPSS 0.9%)
- CVE-2023-50740 [MEDIUM] Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged (EPSS 0.9%)
- CVE-2024-26308 [MEDIUM] Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file (EPSS 0.9%)
- CVE-2023-41314 Apache Doris: Missing API authentication allowed DoS (EPSS 0.9%)
- CVE-2026-39304 [HIGH] Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM (EPSS 0.9%)
- CVE-2024-26578 [MEDIUM] Apache Answer: Repeated submission at registration created duplicate users with the same name (EPSS 0.9%)
- CVE-2025-66518 [HIGH] Apache Kyuubi: Unauthorized directory access due to missing path normalization (EPSS 0.9%)
- CVE-2023-49619 [LOW] Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions. (EPSS 0.9%)
- CVE-2023-43826 [HIGH] Apache Guacamole: Integer overflow in handling of VNC image buffers (EPSS 0.9%)
- CVE-2024-23321 [HIGH] Apache RocketMQ: Unauthorized Exposure of Sensitive Data (EPSS 0.9%)
- CVE-2024-39884 [MEDIUM] Apache HTTP Server: source code disclosure with handlers configured via AddType (EPSS 0.9%)
- CVE-2026-23907 [MEDIUM] Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code (EPSS 0.9%)
- CVE-2022-46651 Apache Airflow: Security vulnerability on AirFlow Connections (EPSS 0.9%)
- CVE-2024-52279 [HIGH] Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string (EPSS 0.9%)