Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2023-36387 | MEDIUM | Apache Superset: Improper API permission for low privilege users | EPSS 0.8%
CVE-2023-25753 | (no severity listed) | Server-Side Request Forgery in Apache ShenYu | EPSS 0.8%
CVE-2026-34478 | MEDIUM | Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility | EPSS 0.8%
CVE-2023-49657 | CRITICAL | Apache Superset: Stored XSS in Dashboard Title and Chart Title | EPSS 0.8%
CVE-2026-23795 | MEDIUM | Apache Syncope: Console XXE on Keymaster parameters | EPSS 0.8%
CVE-2024-38311 | MEDIUM | Apache Traffic Server: Request smuggling via pipelining after a chunked message body | EPSS 0.8%
CVE-2025-64401 | HIGH | Apache OpenOffice: Remote documents loaded without prompt via IFrame | EPSS 0.8%
CVE-2023-42502 | MEDIUM | Apache Superset: Open Redirect Vulnerability | EPSS 0.8%
CVE-2025-67895 | CRITICAL | Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 | EPSS 0.8%
CVE-2026-25917 | HIGH | Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | EPSS 0.8%
CVE-2016-6806 | (no severity listed) | Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin r | EPSS 0.8%
CVE-2024-45384 | MEDIUM | Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack | EPSS 0.8%
CVE-2022-37400 | (no severity listed) | Apache OpenOffice Static Initialization Vector Allows to Recover Passwords for Web Connections Without Knowing the Master Password | EPSS 0.8%
CVE-2025-30067 | HIGH | Apache Kylin: The remote code execution via jdbc url | EPSS 0.8%
CVE-2023-44312 | MEDIUM | Apache ServiceComb Service-Center: attacker can query all environment variables of the service-center server | EPSS 0.8%
CVE-2023-27987 | CRITICAL | Apache Linkis gateway module token authentication bypass | EPSS 0.8%
CVE-2023-39264 | MEDIUM | Apache Superset: Stack traces enabled by default | EPSS 0.8%
CVE-2025-29868 | MEDIUM | Apache Answer: Using externally referenced images can leak user privacy. | EPSS 0.8%
CVE-2026-25087 | HIGH | Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering | EPSS 0.8%
CVE-2023-36388 | MEDIUM | Apache Superset: Improper API permission for low privilege users allows for SSRF | EPSS 0.8%