Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, both factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 of these vulnerabilities appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, a share 3.3 times the catalog-wide average, which points to sustained attention from threat actors on the Apache ecosystem. The most common weakness class is CWE-20 (Improper Input Validation), a structural pattern that tends to recur across multiple products and versions, so it calls for a broad review rather than a one-off fix. The standout entry is CVE-2021-40438 (the mod_proxy SSRF in Apache HTTP Server), currently the highest active-risk vulnerability in the portfolio with the maximum EPSS score of 1.0, meaning exploitation in practice is all but certain; it is an immediate remediation priority for any organisation running affected Apache components. Note that EPSS predicts the likelihood of exploitation activity and KEV records observed exploitation, so an entry that scores on both axes, as this one does, should outrank every "critical" with a near-zero EPSS in the remediation queue.
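The prioritisation logic that the summary above implies (KEV membership first, then EPSS, then CVSS severity, then availability of a public PoC) is easy to get wrong when EPSS arrives as a percentage from one feed and a probability from another. The following is an added example, not code from the page or from Vexday, that turns a handful of catalog rows into a remediation queue and rejects out-of-range EPSS values. The CVE IDs, severities and EPSS values are taken from this page; the KEV and public-PoC flags on every record (and the severity of CVE-2021-40438) are assumptions made for the example, not catalog data.

```python
from dataclasses import dataclass

# Constructed records for illustration. CVE IDs and the EPSS values
# 1.0 / 0.005 / 0.004 come from the page; the in_kev and public_poc flags
# are assumptions for this example, not values from the catalog.
@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    severity: str      # CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
    epss: float        # probability in [0, 1], NOT a percentage
    in_kev: bool       # listed in CISA's Known Exploited Vulnerabilities catalog
    public_poc: bool   # a public proof of concept exists

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def validate(rec: CveRecord) -> None:
    """EPSS is a probability. A value outside [0, 1] almost always means a feed
    or parsing bug (for example a percentage that was never divided by 100),
    which would silently push that CVE to the top or bottom of the queue, so
    fail loudly instead of sorting on garbage."""
    if not 0.0 <= rec.epss <= 1.0:
        raise ValueError(f"{rec.cve_id}: EPSS {rec.epss} outside [0, 1]")
    if rec.severity not in SEVERITY_RANK:
        raise ValueError(f"{rec.cve_id}: unknown severity {rec.severity!r}")


def triage_key(rec: CveRecord) -> tuple:
    """Sort key, highest risk first when sorted in reverse:
    observed exploitation (KEV) beats predicted exploitation (EPSS),
    which beats static severity, which beats PoC availability."""
    return (rec.in_kev, rec.epss, SEVERITY_RANK[rec.severity], rec.public_poc)


def triage(records: list[CveRecord]) -> list[CveRecord]:
    for rec in records:
        validate(rec)
    return sorted(records, key=triage_key, reverse=True)


# Sample input built from rows on this page (flags are assumptions, see above).
SAMPLE = [
    CveRecord("CVE-2026-41919", "CRITICAL", 0.005, False, False),
    CveRecord("CVE-2021-40438", "CRITICAL", 1.0, True, True),
    CveRecord("CVE-2026-30912", "HIGH", 0.004, False, False),
    CveRecord("CVE-2026-41409", "CRITICAL", 0.005, False, True),
    CveRecord("CVE-2025-26796", "MEDIUM", 0.005, False, False),
]


def remediation_queue(records: list[CveRecord] = SAMPLE) -> list[str]:
    """Return CVE IDs in the order they should be worked."""
    return [rec.cve_id for rec in triage(records)]


if __name__ == "__main__":
    for position, cve_id in enumerate(remediation_queue(), start=1):
        print(position, cve_id)
```

With these records the KEV-listed CVE-2021-40438 comes out first regardless of the other columns, the two criticals with equal EPSS are split by PoC availability, and the 0.4% EPSS entry lands last. Feeding the same function a row with an EPSS of 50.0 (a percentage that was not normalised) raises instead of silently ranking that CVE above everything else.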

Recent entries (CVE | severity | title | EPSS):

CVE-2025-53689 | HIGH | Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons | EPSS 0.5%
CVE-2025-26796 | MEDIUM | Apache Oozie: XSS in Oozie Web Console | EPSS 0.5%
CVE-2026-35565 | MEDIUM | Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI | EPSS 0.5%
CVE-2025-64402 | MEDIUM | Apache OpenOffice: Remote documents loaded without prompt via OLE objects | EPSS 0.5%
CVE-2026-40563 | HIGH | Apache Atlas: Script injection allows access to unintended data | EPSS 0.5%
CVE-2026-34483 | HIGH | Apache Tomcat: Incomplete escaping of JSON access logs | EPSS 0.5%
CVE-2026-48913 | HIGH | Apache HTTP Server: mod_http2 memory corruption when file handles exhausted | EPSS 0.5%
CVE-2024-43115 | HIGH | Apache DolphinScheduler: Alert Script Attack | EPSS 0.5%
CVE-2026-50645 | HIGH | Apache CXF: No restriction on attachment headers per message | EPSS 0.5%
CVE-2023-41267 | (no severity listed) | Apache HDFS Provider error message suggested installation of incorrect pip package | EPSS 0.5%
CVE-2026-31910 | HIGH | Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access | EPSS 0.5%
CVE-2026-40963 | LOW | Apache Airflow: DAG authorization bypass on /ui/structure/structure_data | EPSS 0.5%
CVE-2026-41084 | HIGH | Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation | EPSS 0.5%
CVE-2025-47436 | MEDIUM | Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression | EPSS 0.5%
CVE-2025-48459 | MEDIUM | Apache IoTDB: Deserialization of untrusted Data | EPSS 0.5%
CVE-2026-40542 | HIGH | Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification | EPSS 0.5%
CVE-2026-41919 | CRITICAL | Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction | EPSS 0.5%
CVE-2026-24880 | HIGH | Apache Tomcat: Request smuggling via invalid chunk extension | EPSS 0.5%
CVE-2026-41409 | CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data | EPSS 0.5%
CVE-2026-30912 | HIGH | Apache Airflow: Exposing stack trace in case of constraint error | EPSS 0.4%