Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

- CVE-2024-53679 (HIGH, EPSS 0.5%): Apache VCL: XSS vulnerability in User Lookup impacting user privileges
- CVE-2026-45205 (MEDIUM, EPSS 0.5%): Apache Commons Configuration: StackOverflowError for YAML input with cycles
- CVE-2025-24404 (HIGH, EPSS 0.5%): Apache HertzBeat (incubating): RCE by parse http sitemap xml response
- CVE-2026-44631 (CRITICAL, EPSS 0.5%): Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow
- CVE-2026-31909 (HIGH, EPSS 0.5%): Apache OFBiz: Unauthenticated Shipment Label Image Disclosure
- CVE-2025-66170 (MEDIUM, EPSS 0.5%): Apache CloudStack: Any user can list backups that they should not have access to
- CVE-2026-34032 (MEDIUM, EPSS 0.5%): Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)
- CVE-2026-49875 (MEDIUM, EPSS 0.5%): Apache CXF: XML External Entity (XXE) Injection in W3CMultiSchemaFactory and EndpointReferenceUtils
- CVE-2021-28656 (MEDIUM, EPSS 0.5%): Apache Zeppelin: CSRF vulnerability in the Credentials page
- CVE-2025-55675 (MEDIUM, EPSS 0.5%): Apache Superset: Incorrect datasource authorization on REST API
- CVE-2026-33582 (MEDIUM, EPSS 0.5%): Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error
- CVE-2025-62402 (MEDIUM, EPSS 0.5%): Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
- CVE-2026-29226 (HIGH, EPSS 0.5%): Apache OFBiz: Low-Privilege SSRF in Content Component
- CVE-2026-32642 (LOW, EPSS 0.5%): Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
- CVE-2026-50629 (MEDIUM, EPSS 0.5%): Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
- CVE-2026-41636 (HIGH, EPSS 0.5%): Apache Thrift: Node.js skip() recursion
- CVE-2026-34500 (MEDIUM, EPSS 0.5%): Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
- CVE-2025-26467 (HIGH, EPSS 0.5%): Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)
- CVE-2026-47065 (CRITICAL, EPSS 0.5%): Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
- CVE-2026-43513 (HIGH, EPSS 0.5%): Apache Tomcat: LockOutRealm treats user names as case-sensitive