Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to show up across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 (a server-side request forgery in Apache HTTP Server's mod_proxy, affecting 2.4.48 and earlier) stands out as the highest active-risk vulnerability at the moment, with the maximum EPSS score of 1.0, meaning exploitation in practice is near-certain, which makes it an immediate remediation priority for any organization running affected Apache components.
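
The summary above reasons about priority in a fixed order: confirmed exploitation (KEV membership) first, then predicted exploitation (EPSS), then static severity, with a public PoC as a tie-breaker, and it treats a CWE that recurs across products as a pattern rather than a single bug. The script below, an added example that is neither Vexday's nor the ASF's code, applies that ordering to a constructed feed excerpt. The CVE identifiers, severities and EPSS values it uses are the ones shown on this page; the product, CWE, KEV and PoC fields attached to them are assumptions, apart from CVE-2021-40438 being in KEV, which the summary states. The 0.5 EPSS cut-off is likewise an assumed threshold.

```python
"""Triage helpers for a vendor-wide vulnerability feed such as the one above.

Added example, not Vexday's or the ASF's code. Records are constructed:
the CVE ids, severities and EPSS values come from this page; the product,
CWE, in_kev and public_poc fields are assumptions, except that the page
states CVE-2021-40438 is in CISA's KEV catalog.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    severity: str          # qualitative CVSS rating as shown in the feed
    epss: float            # EPSS probability of exploitation, 0.0..1.0
    cwe: Optional[str] = None
    in_kev: bool = False   # listed in CISA's Known Exploited Vulnerabilities
    public_poc: bool = False


def triage_key(v: Vuln):
    """Confirmed exploitation (KEV) beats predicted exploitation (EPSS),
    which beats static severity; a public PoC only breaks remaining ties."""
    return (v.in_kev, v.epss, SEVERITY_RANK.get(v.severity.upper(), 0), v.public_poc)


def rank(vulns: List[Vuln]) -> List[Vuln]:
    # sorted() is stable, so records with identical keys keep feed order.
    return sorted(vulns, key=triage_key, reverse=True)


def immediate_priority(vulns: List[Vuln], epss_threshold: float = 0.5) -> List[str]:
    """CVEs to remediate now: in KEV, or EPSS at/above the (assumed) threshold."""
    return [v.cve for v in rank(vulns) if v.in_kev or v.epss >= epss_threshold]


def kev_rate(kev_count: int, total: int) -> float:
    return kev_count / total


def implied_catalog_kev_rate(vendor_kev: int, vendor_total: int, uplift: float) -> float:
    """Recover the catalog-wide KEV rate behind a '<uplift>x above average' claim."""
    return kev_rate(vendor_kev, vendor_total) / uplift


def recurring_weaknesses(vulns: List[Vuln], min_products: int = 2) -> Dict[str, List[str]]:
    """CWEs seen in at least `min_products` distinct products: the structural,
    not one-off, pattern the summary calls out for CWE-20."""
    products: Dict[str, Set[str]] = defaultdict(set)
    for v in vulns:
        if v.cwe:
            products[v.cwe].add(v.product)
    return {cwe: sorted(p) for cwe, p in products.items() if len(p) >= min_products}


# Constructed feed excerpt; see the module docstring for which fields are assumed.
FEED = [
    Vuln("CVE-2021-40438", "Apache HTTP Server", "CRITICAL", 1.0, "CWE-918", in_kev=True, public_poc=True),
    Vuln("CVE-2026-33557", "Apache Kafka", "CRITICAL", 0.006, "CWE-287"),
    Vuln("CVE-2025-68280", "Apache SIS", "MEDIUM", 0.006, "CWE-611"),
    Vuln("CVE-2025-27531", "Apache InLong", "CRITICAL", 0.006, "CWE-20", public_poc=True),
    Vuln("CVE-2026-31378", "Apache OFBiz", "MEDIUM", 0.006, "CWE-20"),
    Vuln("CVE-2024-54016", "Apache Seata", "MEDIUM", 0.006, "CWE-20"),
]


if __name__ == "__main__":
    for v in rank(FEED):
        print(f"{v.cve:16} kev={v.in_kev!s:5} epss={v.epss:<6} {v.severity:8} {v.product}")
    print("immediate:", immediate_priority(FEED))
    print("recurring CWEs:", recurring_weaknesses(FEED))
    print("implied catalog KEV rate: %.4f" % implied_catalog_kev_rate(28, 1872, 3.3))
```

Running the script puts CVE-2021-40438 alone in the immediate bucket, ranks the PoC-bearing CRITICAL InLong entry ahead of the Kafka one at equal EPSS, and reports CWE-20 as the only weakness spanning several products. The implied catalog-wide KEV rate (28/1872 divided by the 3.3x uplift) comes out at roughly 0.45%, which is the baseline the summary's comparison rests on.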

CVE | Severity | Title | EPSS
CVE-2025-68280 | MEDIUM | Apache SIS: XML External Entity (XXE) vulnerability | 0.6%
CVE-2026-33557 | CRITICAL | Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication | 0.6%
CVE-2024-41909 | MEDIUM | Apache MINA SSHD: integrity check bypass | 0.6%
CVE-2022-33682 | MEDIUM | Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack | 0.6%
CVE-2026-49361 | HIGH | Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability | 0.6%
CVE-2023-37579 | HIGH | Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials | 0.6%
CVE-2023-30428 | HIGH | Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer | 0.6%
CVE-2025-54550 | HIGH | Apache Airflow: RCE by race condition in example_xcom dag | 0.6%
CVE-2024-39928 | HIGH | Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability | 0.6%
CVE-2026-45505 | HIGH | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass | 0.6%
CVE-2024-48944 | MEDIUM | Apache Kylin: SSRF vulnerability in the diagnosis api | 0.6%
CVE-2025-27531 | CRITICAL | Apache InLong: An arbitrary file read vulnerability for JDBC | 0.6%
CVE-2025-27528 | CRITICAL | Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read | 0.6%
CVE-2026-48207 | CRITICAL | Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement | 0.6%
CVE-2026-31378 | MEDIUM | Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution | 0.6%
CVE-2026-46745 | MEDIUM | Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token | 0.6%
CVE-2025-66200 | MEDIUM | Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo | 0.6%
CVE-2025-30675 | MEDIUM | Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins | 0.6%
CVE-2022-43719 | HIGH | Apache Superset: Cross Site Request Forgery (CSRF) on accept, request access API | 0.6%
CVE-2024-54016 | MEDIUM | compression bomb attack in Apache Seata Server | 0.6%