Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for broad rather than point-by-point review. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2023-41916 [MEDIUM] Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading (EPSS 0.7%)
CVE-2024-34457 [MEDIUM] Apache StreamPark IDOR Vulnerability (EPSS 0.7%)
CVE-2024-24779 [MEDIUM] Apache Superset: Improper data authorization when creating a new dataset (EPSS 0.7%)
CVE-2026-25077 [HIGH] Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates (EPSS 0.7%)
CVE-2024-22281 [HIGH] Apache Helix Front (UI): Helix front hard-coded secret in the express-session (EPSS 0.7%)
CVE-2023-27523 [MEDIUM] Apache Superset: Improper data permission validation on Jinja templated queries (EPSS 0.7%)
CVE-2026-47430 [CRITICAL] Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews (EPSS 0.7%)
CVE-2024-40761 [MEDIUM] Apache Answer: Avatar URL leaked user email addresses (EPSS 0.7%)
CVE-2025-25069 [MEDIUM] Apache Kvrocks: Cross-Protocol Scripting Vulnerability (EPSS 0.7%)
CVE-2024-55532 [CRITICAL] Apache Ranger: Improper Neutralization of Formula Elements in a CSV File (EPSS 0.7%)
CVE-2023-31007 [NONE] Apache Pulsar: Broker does not always disconnect client when authentication data expires (EPSS 0.7%)
CVE-2023-48396 [CRITICAL] Apache SeaTunnel Web: Authentication bypass (EPSS 0.7%)
CVE-2024-45217 [HIGH] Apache Solr: ConfigSets created during a backup restore command are trusted implicitly (EPSS 0.7%)
CVE-2025-23195 [HIGH] Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie (EPSS 0.7%)
CVE-2026-24343 [HIGH] Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions (EPSS 0.7%)
CVE-2026-29145 [CRITICAL] Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled (EPSS 0.7%)
CVE-2018-17195 The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiT (EPSS 0.7%)
CVE-2026-33929 [MEDIUM] Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code (EPSS 0.7%)
CVE-2026-42402 [HIGH] Apache Neethi: Policy Normalization Unbounded Resource Allocation DoS (EPSS 0.7%)
CVE-2026-40858 [HIGH] Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository (EPSS 0.7%)