Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The active exploitation rate is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad review rather than one-off fixes. CVE-2021-40438 stands out as the highest active-risk vulnerability at present, with the maximum EPSS score of 1.0, meaning exploitation in the wild is all but certain, which makes it an immediate remediation priority for any organization running affected Apache components.

CVE | Severity | Title | EPSS
CVE-2024-41169 | HIGH | Apache Zeppelin: raft directory listing and file read | EPSS 0.6%
CVE-2022-33681 | MEDIUM | Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM | EPSS 0.6%
CVE-2024-53678 | MEDIUM | Apache VCL: SQL injection vulnerability in New Block Allocation form | EPSS 0.6%
CVE-2026-44186 | HIGH | Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp | EPSS 0.6%
CVE-2025-48392 | HIGH | Apache IoTDB: DoS Vulnerability | EPSS 0.6%
CVE-2024-41177 | MEDIUM | Apache Zeppelin: XSS in the Helium module | EPSS 0.6%
CVE-2025-54656 | MEDIUM | Apache Struts Extras: Improper Output Neutralization for Logs | EPSS 0.6%
CVE-2025-53606 | CRITICAL | Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server | EPSS 0.6%
CVE-2026-41043 | MEDIUM | Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues | EPSS 0.6%
CVE-2024-48988 | HIGH | Apache StreamPark: SQL injection vulnerability | EPSS 0.6%
CVE-2024-45106 | HIGH | Apache Ozone: Improper authentication when generating S3 secrets | EPSS 0.6%
CVE-2026-33006 | MEDIUM | Apache HTTP Server: mod_auth_digest timing attack | EPSS 0.6%
CVE-2026-34481 | MEDIUM | Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout | EPSS 0.6%
CVE-2026-25219 | MEDIUM | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | EPSS 0.6%
CVE-2022-33683 | MEDIUM | Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack | EPSS 0.6%
CVE-2026-42359 | HIGH | Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | EPSS 0.5%
CVE-2026-46586 | HIGH | Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution | EPSS 0.5%
CVE-2026-42498 | HIGH | Apache Tomcat: WebSocket authentication header exposure | EPSS 0.5%
CVE-2026-42588 | HIGH | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector | EPSS 0.5%
CVE-2021-28129 | not listed | DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid | EPSS 0.5%
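The analysis above ranks by KEV membership, EPSS and severity, and the listing arrives as a run-together export in which each entry is a CVE identifier, an optional severity label, a title and an "EPSS n%" suffix. The following is an added example, not Vexday's own code, that parses that export format into records and orders them for triage. The sample blob is constructed from four of the page's own entries; the KEV set is a stand-in for illustration (real triage loads CISA's KEV JSON feed), and `SEVERITY_RANK`, `Entry`, `parse_entries` and `prioritize` are names chosen here, not part of the page.

```python
"""Parse a flattened Vexday-style CVE listing and rank entries for triage.

Added example, not Vexday's own code. The entry format assumed here is the one
visible in this page's listing: "<CVE-ID><SEVERITY><title>EPSS <n>%", with
entries run together and the severity occasionally absent.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Tie-breaker after KEV and EPSS; None covers entries with no severity listed.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, None: 0}

# Constructed sample: four entries copied from the page's own listing, run
# together the way the export presents them (one title even spans a line break).
SAMPLE_BLOB = (
    "CVE-2024-41169HIGHApache Zeppelin: raft directory listing and file readEPSS 0.6%"
    "CVE-2025-53606CRITICALApache Seata (incubating): Deserialization of untrusted Data "
    "in Apache Seata ServerEPSS 0.6%"
    "CVE-2026-42588HIGHApache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: "
    "Remote Code Execution via Jolokia \naddNetworkConnectorEPSS 0.5%"
    "CVE-2021-28129DEB packaging for Apache OpenOffice 4.1.8 installed with a "
    "non-root userid and groupidEPSS 0.5%"
)

# Caveat: a title that itself begins with HIGH/LOW/... would be read as a
# severity label; the page's titles all start with a product name, so this
# simple grammar is enough for the visible data.
ENTRY_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,7})"          # CVE identifier
    r"(?P<sev>CRITICAL|HIGH|MEDIUM|LOW)?"  # severity label, sometimes missing
    r"(?P<title>.+?)"                      # title, up to the EPSS marker
    r"EPSS (?P<epss>\d+(?:\.\d+)?)%",      # EPSS shown as a percentage
    re.DOTALL,
)


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: Optional[str]
    title: str
    epss: float  # probability in [0, 1]; the listing shows it as a percentage


def parse_entries(blob: str) -> list[Entry]:
    """Split a run-together listing into Entry records; title whitespace is normalised."""
    out = []
    for m in ENTRY_RE.finditer(blob):
        out.append(Entry(
            cve=m.group("cve"),
            severity=m.group("sev"),
            title=" ".join(m.group("title").split()),
            epss=float(m.group("epss")) / 100.0,
        ))
    return out


def prioritize(entries: Iterable[Entry], kev: set[str]) -> list[Entry]:
    """Order for remediation: KEV membership first, then EPSS, then severity."""
    return sorted(
        entries,
        key=lambda e: (e.cve in kev, e.epss, SEVERITY_RANK[e.severity]),
        reverse=True,
    )


# Constructed KEV set for illustration only; real triage loads CISA's KEV feed.
# The page's analysis names CVE-2021-40438 as the top active-risk Apache CVE.
KEV_EXAMPLE = {"CVE-2021-40438"}

if __name__ == "__main__":
    for e in prioritize(parse_entries(SAMPLE_BLOB), KEV_EXAMPLE):
        print(f"{e.cve:16} {e.severity or '-':9} EPSS={e.epss:.3f}  {e.title}")
```

EPSS is kept as a fraction so it compares directly with the 1.0 quoted in the analysis, and the sort key puts a KEV hit ahead of any EPSS or severity value, which is the ordering a patch queue should follow: confirmed exploitation first, likelihood second, impact rating last.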