Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is almost certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE | Severity | Title | EPSS
CVE-2022-31764 | HIGH | Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC | EPSS 0.6%
CVE-2026-43869 | HIGH | Apache Thrift: TSSLTransportFactory.java hostname verification | EPSS 0.6%
CVE-2025-49763 | HIGH | Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin | EPSS 0.6%
CVE-2016-5001 |  | This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of H | EPSS 0.6%
CVE-2026-50628 | CRITICAL | Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control | EPSS 0.6%
CVE-2026-29168 | HIGH | Apache HTTP Server: mod_md unrestricted OCSP response | EPSS 0.6%
CVE-2024-44088 | MEDIUM | Apache Geode: Reflected XSS | EPSS 0.6%
CVE-2025-55674 | MEDIUM | Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions | EPSS 0.6%
CVE-2026-42440 | HIGH | Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader | EPSS 0.6%
CVE-2024-45537 | MEDIUM | Apache Druid: Users can provide MySQL JDBC properties not on allow list | EPSS 0.6%
CVE-2024-29733 | LOW | Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context | EPSS 0.6%
CVE-2026-50203 | CRITICAL | Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names | EPSS 0.6%
CVE-2025-47869 | CRITICAL | Apache NuttX RTOS: examples/xmlrpc: Fix calls buffers size. | EPSS 0.6%
CVE-2025-54057 | MEDIUM | Apache SkyWalking: Stored XSS vulnerability | EPSS 0.6%
CVE-2025-47868 | CRITICAL | Apache NuttX RTOS: tools/bdf-converter.: tools/bdf-converter: Fix loop termination condition. | EPSS 0.6%
CVE-2026-40961 | HIGH | Apache Airflow: Open Redirect Bypass Vulnerability | EPSS 0.6%
CVE-2025-48795 | MEDIUM | Apache CXF: Denial of Service and sensitive data exposure in logs | EPSS 0.6%
CVE-2025-26865 | LOW | Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE | EPSS 0.6%
CVE-2025-25247 | MEDIUM | Apache Felix Webconsole: XSS in services console | EPSS 0.6%
CVE-2024-23590 | CRITICAL | Apache Kylin: Session fixation in web interface | EPSS 0.6%