Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates sustained attention to the Apache ecosystem from malicious actors. The most common weakness class is CWE-20 (Improper Input Validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for a broad review rather than point fixes. Of particular note is CVE-2021-40438 (the mod_proxy SSRF in Apache HTTP Server), currently the highest active-risk entry, with the maximum EPSS score of 1.0, meaning exploitation in the wild is practically certain; it is an immediate remediation priority for any organization running affected Apache components.
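The analysis above ranks findings by three signals: KEV membership, EPSS, and public proof-of-concept availability, with CVSS severity as a tiebreaker. The following is an added example, not part of the Vexday page, that applies that ordering as a triage sort and maps each finding to a remediation tier. The sample records reuse identifiers that appear on this page, but the KEV and PoC flags, the EPSS threshold, and the severity given to the unrated Commons Compress entry are constructed assumptions for illustration; check the live KEV catalog and EPSS feed before acting on them.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str      # CRITICAL / HIGH / MEDIUM / LOW / UNRATED
    epss: float        # EPSS probability in [0, 1]
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    public_poc: bool   # public proof-of-concept exists

# Unknown severities rank below LOW via .get(..., 0) so they never
# outrank a rated finding on severity alone.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def triage_key(f: Finding):
    """Sort key: KEV first, then EPSS, then public PoC, then severity."""
    return (f.in_kev, f.epss, f.public_poc, SEVERITY_RANK.get(f.severity.upper(), 0))

def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=triage_key, reverse=True)

def remediation_tier(f: Finding, epss_threshold: float = 0.10) -> str:
    """Map one finding to a remediation tier.

    The 10% EPSS threshold is an assumed policy value, not a published one.
    Exploited-in-the-wild or high-EPSS items are patched immediately; items
    with a public PoC or critical severity go into the current patch cycle;
    everything else is scheduled.
    """
    if f.in_kev or f.epss >= epss_threshold:
        return "immediate"
    if f.public_poc or f.severity.upper() == "CRITICAL":
        return "this cycle"
    return "scheduled"

# Constructed sample. EPSS for CVE-2021-40438 is taken from the page (1.0);
# the remaining EPSS values mirror the 0.5% shown in the listing, and the
# KEV/PoC flags are illustrative assumptions.
SAMPLE = [
    Finding("CVE-2026-25199", "CRITICAL", 0.005, in_kev=False, public_poc=False),
    Finding("CVE-2025-47713", "HIGH",     0.005, in_kev=False, public_poc=True),
    Finding("CVE-2021-40438", "CRITICAL", 1.000, in_kev=True,  public_poc=True),
    Finding("CVE-2023-42503", "UNRATED",  0.005, in_kev=False, public_poc=False),
    Finding("CVE-2026-24733", "MEDIUM",   0.005, in_kev=False, public_poc=False),
]

def triage_report(findings: Iterable[Finding]) -> List[tuple]:
    """(cve, tier) pairs in priority order, for a ticket queue or dashboard."""
    return [(f.cve, remediation_tier(f)) for f in prioritize(findings)]

if __name__ == "__main__":
    for cve, tier in triage_report(SAMPLE):
        print(f"{cve:16} {tier}")
```

The sort key deliberately puts KEV membership ahead of EPSS: a KEV entry is confirmed exploitation, whereas EPSS is a 30-day probability estimate, so a low-EPSS KEV item still outranks a high-EPSS one that nobody has been seen exploiting.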

CVE | Severity | Product and title | EPSS
CVE-2026-49328 | MEDIUM | Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF | 0.5%
CVE-2026-25199 | CRITICAL | Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access | 0.5%
CVE-2025-47713 | HIGH | Apache CloudStack: Domain Admin can reset Admin password in Root Domain | 0.5%
CVE-2025-47849 | HIGH | Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain | 0.5%
CVE-2026-40023 | MEDIUM | Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters | 0.5%
CVE-2025-61735 | HIGH | Apache Kylin: Server-Side Request Forgery | 0.5%
CVE-2026-24734 | HIGH | Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass | 0.5%
CVE-2024-45693 | HIGH | Apache CloudStack: Request origin validation bypass makes account takeover possible | 0.5%
CVE-2026-42404 | MEDIUM | Apache Neethi: Unrestricted HTTP Redirect Following in Policy References | 0.5%
CVE-2026-35086 | MEDIUM | Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services | 0.5%
CVE-2024-43166 | CRITICAL | Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users ar | 0.5%
CVE-2026-50750 | HIGH | Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire DoS following fix for CVE-2026-49270 | 0.5%
CVE-2026-24733 | MEDIUM | Apache Tomcat: Security constraint bypass with HTTP/0.9 | 0.5%
CVE-2026-49268 | HIGH | Apache Shiro: LDAP DN Injection in DefaultLdapRealm | 0.5%
CVE-2026-22022 | HIGH | Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin | 0.5%
CVE-2026-40564 | MEDIUM | Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator | 0.5%
CVE-2023-42503 | - | Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file | 0.5%
CVE-2026-49298 | HIGH | Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments | 0.5%
CVE-2025-60012 | MEDIUM | Apache Livy: Restrict file access | 0.5%
CVE-2026-31380 | MEDIUM | Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass | 0.5%