Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad review rather than one-off fixes. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with a maximum EPSS of 1.0, meaning real-world exploitation is practically certain, which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE | Severity | Title | EPSS
CVE-2026-53916 | HIGH | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec | EPSS 0.5%
CVE-2026-50734 | HIGH | Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire memory-allocation DoS during wire format negotiation | EPSS 0.5%
CVE-2025-62188 | HIGH | Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint | EPSS 0.5%
CVE-2026-31908 | CRITICAL | Apache APISIX: forward auth plugin allows header injection | EPSS 0.5%
CVE-2025-53192 | HIGH | Apache Commons OGNL: Expression Injection leading to RCE | EPSS 0.5%
CVE-2026-50076 | CRITICAL | Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass | EPSS 0.5%
CVE-2025-55673 | MEDIUM | Apache Superset: Metadata exposure in embedded charts | EPSS 0.5%
CVE-2025-49812 | HIGH | Apache HTTP Server: mod_ssl TLS upgrade attack | EPSS 0.5%
CVE-2026-31387 | MEDIUM | Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation | EPSS 0.5%
CVE-2026-40682 | CRITICAL | Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor | EPSS 0.5%
CVE-2026-33007 | MEDIUM | Apache HTTP Server: mod_authn_socache crash | EPSS 0.5%
CVE-2026-45187 | MEDIUM | Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs | EPSS 0.5%
CVE-2025-66172 | HIGH | Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to | EPSS 0.5%
CVE-2025-27867 | MEDIUM | Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin | EPSS 0.5%
CVE-2026-34020 | HIGH | Apache OpenMeetings: Login Credentials Passed via GET Query Parameters | EPSS 0.5%
CVE-2025-66675 | HIGH | Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed | EPSS 0.5%
CVE-2025-30001 | HIGH | Apache StreamPark: Authenticated users can trigger remote command execution | EPSS 0.5%
CVE-2018-1334 | In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect | EPSS 0.5%
CVE-2026-29170 | MEDIUM | Apache HTTP Server: mod_proxy_ftp XSS | EPSS 0.5%
CVE-2026-23980 | MEDIUM | Apache Superset: Improper Neutralization of Special Elements used in a SQL Command | EPSS 0.5%