Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio holds 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates sustained attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with the maximum EPSS score of 1.0 (EPSS estimates the probability of exploitation in the wild within the next 30 days, so a score of 1.0 means exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2025-54090 | MEDIUM | Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 | EPSS 0.7%
CVE-2026-34355 | HIGH | Apache HTTP Server: mod_proxy_html buffer overflow | EPSS 0.7%
CVE-2026-34538 | MEDIUM | Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure) | EPSS 0.7%
CVE-2026-29220 | MEDIUM | Apache OFBiz: Low-Privilege LFI in Content Component | EPSS 0.7%
CVE-2026-34356 | HIGH | Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow | EPSS 0.7%
CVE-2024-27439 | MEDIUM | Apache Wicket: Possible bypass of CSRF protection | EPSS 0.7%
CVE-2026-44930 | MEDIUM | Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository | EPSS 0.7%
CVE-2024-42516 | HIGH | Apache HTTP Server: HTTP response splitting | EPSS 0.7%
CVE-2025-61623 | MEDIUM | Apache OFBiz: Reflected Cross-site Scripting | EPSS 0.7%
CVE-2026-28779 | HIGH | Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications | EPSS 0.7%
CVE-2025-58136 | HIGH | Apache Traffic Server: A simple legitimate POST request causes a crash | EPSS 0.7%
CVE-2025-61581 | HIGH | Apache Traffic Control: ReDoS issue in Traffic Router configuration | EPSS 0.7%
CVE-2025-27526 | MEDIUM | Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass | EPSS 0.7%
CVE-2025-27522 | MEDIUM | Apache InLong: JDBC Vulnerability during verification processing | EPSS 0.7%
CVE-2024-47252 | HIGH | Apache HTTP Server: mod_ssl error log variable escaping | EPSS 0.7%
CVE-2025-57735 | CRITICAL | Apache Airflow: Airflow Logout Not Invalidating JWT | EPSS 0.7%
CVE-2026-27172 | HIGH | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store | EPSS 0.7%
CVE-2026-43868 | MEDIUM | Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern | EPSS 0.7%
CVE-2026-40861 | MEDIUM | Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler | EPSS 0.7%
CVE-2024-47250 | MEDIUM | Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access | EPSS 0.7%
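The analysis above prioritizes by KEV membership, then EPSS, then severity. The following added example (written for this page, not Vexday's or the ASF's code) parses a subset of the listing in the run-together form in which it is extracted, then ranks the entries the way the summary reasons about them. The EPSS values and titles come from the page; the KEV membership set, and the severity label and short title given to CVE-2021-40438, are assumptions made for the example and should be replaced with a live lookup of the CISA KEV catalog and the CVE record in practice.

```python
import re
from dataclasses import dataclass

# One entry of the flattened listing: ID, severity word, title, EPSS percentage.
# Requiring the severity word directly after the ID is what stops a CVE ID that
# appears inside a title ("... vulnerable to CVE-2020-13949 pattern") from being
# read as the start of a new entry.
ENTRY_RE = re.compile(
    r"(CVE-\d{4}-\d{4,})(CRITICAL|HIGH|MEDIUM|LOW)(.+?)EPSS\s*([\d.]+)%"
)

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    title: str
    epss: float  # probability in [0, 1]: the listed percentage divided by 100


def parse_listing(raw: str) -> list[Finding]:
    """Split the run-together listing into Finding records, in listing order."""
    return [
        Finding(cve, sev, title.strip(), float(pct) / 100.0)
        for cve, sev, title, pct in ENTRY_RE.findall(raw)
    ]


def triage(findings: list[Finding], kev: set[str]) -> list[Finding]:
    """Order for remediation: KEV membership first, then EPSS, then severity.

    sorted() is stable even with reverse=True, so entries that tie on all three
    keys (most of the listing shares EPSS 0.7%) keep their listing order.
    """
    return sorted(
        findings,
        key=lambda f: (f.cve in kev, f.epss, SEVERITY_RANK[f.severity]),
        reverse=True,
    )


def immediate_action(findings: list[Finding], kev: set[str],
                     epss_threshold: float = 0.5) -> list[str]:
    """IDs that are in KEV or at/above the EPSS threshold; the threshold is a
    local policy choice, not a value from the page."""
    return [
        f.cve for f in triage(findings, kev)
        if f.cve in kev or f.epss >= epss_threshold
    ]


# Subset of the listing above, copied in its original run-together form.
RAW_LISTING = (
    "CVE-2025-54090MEDIUMApache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64EPSS 0.7%"
    "CVE-2026-34355HIGHApache HTTP Server: mod_proxy_html buffer overflowEPSS 0.7%"
    "CVE-2025-57735CRITICALApache Airflow: Airflow Logout Not Invalidating JWTEPSS 0.7%"
    "CVE-2026-27172HIGHApache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV storeEPSS 0.7%"
    "CVE-2026-43868MEDIUMApache Thrift: Rust implementation vulnerable to CVE-2020-13949 patternEPSS 0.7%"
)

# Headline CVE from the summary. EPSS 1.0 is from the page; the severity label and
# the short title are assumptions for this example, not data from the page.
HEADLINE = Finding("CVE-2021-40438", "CRITICAL",
                   "Apache HTTP Server: headline CVE from the summary", 1.0)

# Assumed KEV membership for the example; consult the live CISA catalog in practice.
ASSUMED_KEV = {"CVE-2021-40438"}


def ranked_sample() -> list[Finding]:
    """Parse the sample listing, add the headline CVE, and rank the result."""
    return triage(parse_listing(RAW_LISTING) + [HEADLINE], ASSUMED_KEV)


if __name__ == "__main__":
    for f in ranked_sample():
        print(f"{f.cve:16} {f.severity:8} EPSS={f.epss:.3f} "
              f"KEV={f.cve in ASSUMED_KEV!s:5} {f.title}")
```

With these inputs the headline CVE sorts first on KEV membership alone; among the 0.7% entries only severity separates them, which is why the summary's CWE-20 remark matters: when EPSS offers no signal, the remaining ordering is driven by severity and by how widely a weakness class recurs across products.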