Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to show up across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in the wild is practically certain), which makes it an immediate remediation priority for any organisation operating affected Apache components.

CVE | Severity | Title | EPSS
CVE-2024-41178 | HIGH | Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files | 0.7%
CVE-2024-25090 | MEDIUM | Apache Roller: Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode | 0.7%
CVE-2025-26864 | HIGH | Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication | 0.7%
CVE-2025-26795 | HIGH | Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver | 0.7%
CVE-2024-45461 | MEDIUM | Apache CloudStack Quota plugin: Access checks not enforced in Quota | 0.7%
CVE-2023-49250 | HIGH | Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil | 0.7%
CVE-2022-33684 | HIGH | Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation | 0.7%
CVE-2024-38503 | LOW | Apache Syncope: HTML tags can be injected into Console or Enduser text fields | 0.7%
CVE-2024-36448 | HIGH | Apache IoTDB Workbench: SSRF Vulnerability (EOL) | 0.7%
CVE-2024-28148 | MEDIUM | Apache Superset: Incorrect datasource authorization on explore REST API | 0.7%
CVE-2024-56180 | CRITICAL | Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution | 0.7%
CVE-2025-53477 | HIGH | Apache Mynewt NimBLE: NULL Pointer Dereference in NimBLE host HCI layer | 0.7%
CVE-2024-22371 | LOW | Apache Camel issue on ExchangeCreatedEvent | 0.7%
CVE-2026-49818 | MEDIUM | Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names | 0.7%
CVE-2025-69219 | HIGH | Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator | 0.7%
CVE-2022-23181 | (not listed) | Local privilege escalation with FileStore | 0.7%
CVE-2026-42027 | CRITICAL | Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader | 0.7%
CVE-2024-38379 | MEDIUM | Apache Allura: Stored authenticated XSS | 0.7%
CVE-2025-22829 | LOW | Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin | 0.7%
CVE-2024-47248 | MEDIUM | Apache NimBLE: Buffer overflow in NimBLE MESH Bluetooth stack | 0.7%