Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad review rather than point fixes. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS score of 1.0, meaning exploitation in practice is all but certain; this makes it an immediate remediation priority for any organization operating affected Apache components.

| CVE | Severity | Product and summary | EPSS |
|---|---|---|---|
| CVE-2026-30778 | HIGH | Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | 0.5% |
| CVE-2026-29207 | MEDIUM | Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component | 0.5% |
| CVE-2025-27427 | LOW | Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission | 0.5% |
| CVE-2026-42535 | CRITICAL | Apache HTTP Server: mod_dav_fs protected directory access | 0.5% |
| CVE-2024-45478 | MEDIUM | Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input | 0.5% |
| CVE-2025-62233 | MEDIUM | Apache DolphinScheduler: Deserialization of untrusted data in RPC | 0.5% |
| CVE-2026-33558 | MEDIUM | Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | 0.5% |
| CVE-2026-34479 | MEDIUM | Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters | 0.5% |
| CVE-2026-32588 | MEDIUM | Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing | 0.5% |
| CVE-2024-56736 | MEDIUM | Apache HertzBeat: Server-Side Request Forgery (SSRF) in Api Config Oss | 0.5% |
| CVE-2025-66171 | MEDIUM | Apache CloudStack: Any user can create a new VM from backups they should not have access to | 0.5% |
| CVE-2024-46910 | HIGH | Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user | 0.5% |
| CVE-2026-44825 | HIGH | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users | 0.5% |
| CVE-2026-48827 | HIGH | Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git | 0.5% |
| CVE-2025-48977 | HIGH | Apache Ignite: REST HTTP arbitrary file read vulnerability | 0.5% |
| CVE-2026-25854 | MEDIUM | Apache Tomcat: Occasionally open redirect | 0.5% |
| CVE-2026-43951 | MEDIUM | Apache HTTP Server: OOB Read in `merge_response_headers` can cause crash | 0.5% |
| CVE-2025-24853 | HIGH | Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing | 0.5% |
| CVE-2026-53917 | HIGH | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling | 0.5% |
| CVE-2026-49432 | HIGH | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service | 0.5% |