Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to show up across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with a maximum EPSS of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | EPSS | Title
CVE-2026-40022 | HIGH | 0.6% | Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel main runtime
CVE-2026-33454 | CRITICAL | 0.6% | Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)
CVE-2025-48912 | HIGH | 0.6% | Apache Superset: Improper authorization bypass on row level security via SQL Injection
CVE-2024-25141 | CRITICAL | 0.6% | Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo
CVE-2026-24735 | HIGH | 0.6% | Apache Answer: Revision API Improper Access Control leads to Information Disclosure
CVE-2024-29008 | MEDIUM | 0.6% | Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance
CVE-2026-24281 | MEDIUM | 0.6% | Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
CVE-2025-55672 | MEDIUM | 0.6% | Apache Superset: Stored XSS on charts metadata
CVE-2024-45479 | CRITICAL | 0.6% | Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost
CVE-2024-24778 | MEDIUM | 0.6% | Apache StreamPipes: Resources Permission Escalation
CVE-2025-66169 | MEDIUM | 0.6% | Apache Camel Neo4j: Cypher injection vulnerability in Camel-Neo4j component
CVE-2024-48962 | HIGH | 0.6% | Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
CVE-2025-26413 | HIGH | 0.6% | Apache Kvrocks: The server was crashed by the negative offset
CVE-2024-45031 | MEDIUM | 0.6% | Apache Syncope: Stored XSS in Console and Enduser
CVE-2025-30677 | MEDIUM | 0.6% | Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors
CVE-2026-23969 | MEDIUM | 0.6% | Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering
CVE-2026-42536 | HIGH | 0.6% | Apache HTTP Server: mod_xml2enc heap overflow
CVE-2018-11760 | (not listed) | 0.6% | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark
CVE-2024-45720 | HIGH | 0.6% | Apache Subversion: Command line argument injection on Windows platforms
CVE-2024-53868 | HIGH | 0.6% | Apache Traffic Server: Malformed chunked message body allows request smuggling