Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2025-27818 | HIGH | Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration | EPSS 0.9%
CVE-2026-40860 | CRITICAL | Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp | EPSS 0.9%
CVE-2017-15703 | Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and cau | EPSS 0.9%
CVE-2025-23015 | HIGH | Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions | EPSS 0.9%
CVE-2023-27526 | MEDIUM | Apache Superset: Improper Authorization check on import charts | EPSS 0.9%
CVE-2024-29006 | CRITICAL | Apache CloudStack: x-forwarded-for HTTP header parsed by default | EPSS 0.9%
CVE-2022-38745 | HIGH | Apache OpenOffice: Empty entry in Java class path | EPSS 0.9%
CVE-2025-27819 | HIGH | Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration | EPSS 0.9%
CVE-2017-5657 | Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opene | EPSS 0.9%
CVE-2024-26016 | MEDIUM | Apache Superset: Improper authorization validation on dashboards and charts import | EPSS 0.9%
CVE-2023-50380 | MEDIUM | Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server | EPSS 0.9%
CVE-2025-27821 | HIGH | HDFS native client: Out of bounds write in URI parser of native HDFS client | EPSS 0.9%
CVE-2026-40453 | CRITICAL | Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection | EPSS 0.9%
CVE-2023-42501 | MEDIUM | Apache Superset: Unnecessary read permissions within the Gamma role | EPSS 0.9%
CVE-2026-34480 | MEDIUM | Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters | EPSS 0.9%
CVE-2023-30867 | Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability | EPSS 0.9%
CVE-2024-31391 | MEDIUM | Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials | EPSS 0.8%
CVE-2024-39676 | HIGH | Apache Pinot: Unauthorized endpoint exposed sensitive information | EPSS 0.8%
CVE-2023-49566 | HIGH | Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability | EPSS 0.8%
CVE-2018-1325 | In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display. | EPSS 0.8%