Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions and therefore requires a broad rather than one-off review. Of note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2017-7666: Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. (EPSS 0.8%)
CVE-2024-37358 [HIGH]: Apache James: denial of service through the use of IMAP literals (EPSS 0.8%)
CVE-2025-65995 [MEDIUM]: Apache Airflow: Disclosure of secrets to UI via kwargs (EPSS 0.8%)
CVE-2025-27018 [MEDIUM]: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function (EPSS 0.8%)
CVE-2023-39196 [MEDIUM]: Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints (EPSS 0.8%)
CVE-2021-33900: StartTLS and SASL confidentiality protection bypass (EPSS 0.8%)
CVE-2025-26866 [HIGH]: Apache HugeGraph-Server: RAFT and deserialization vulnerability (EPSS 0.8%)
CVE-2024-45791 [HIGH]: Apache HertzBeat: Exposure sensitive token via http GET method with query string (EPSS 0.8%)
CVE-2024-53947 [LOW]: Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions (EPSS 0.8%)
CVE-2024-56202 [MEDIUM]: Apache Traffic Server: Expect header field can unreasonably retain resource (EPSS 0.8%)
CVE-2024-29070 [CRITICAL]: Apache StreamPark: session not invalidated after logout (EPSS 0.8%)
CVE-2022-44729: Apache XML Graphics Batik: Information disclosure vulnerability (EPSS 0.8%)
CVE-2024-29007 [HIGH]: Apache CloudStack: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences (EPSS 0.8%)
CVE-2024-47197 [HIGH]: Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials (EPSS 0.8%)
CVE-2026-50633 [HIGH]: Apache CXF: JNDI Injection vulnerability in DispatchMDBMessageListenerImpl (EPSS 0.8%)
CVE-2026-41284 [HIGH]: Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling (EPSS 0.8%)
CVE-2025-66168 [MEDIUM]: Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated (EPSS 0.8%)
CVE-2024-56128 [MEDIUM]: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (EPSS 0.8%)
CVE-2025-30474 [MEDIUM]: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message (EPSS 0.8%)
CVE-2025-30473 [HIGH]: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection (EPSS 0.8%)