Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common flaw is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is practically certain), which makes it an immediate remediation priority for any organization operating the affected Apache components.

- CVE-2025-65998 (HIGH) Apache Syncope: Default AES key used for internal password encryption. EPSS 0.4%
- CVE-2026-25700 (HIGH) Apache Answer: AdminToken not invalidated after admin deactivation. EPSS 0.4%
- CVE-2025-31698 (HIGH) Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL. EPSS 0.4%
- CVE-2025-54941 (MEDIUM) Apache Airflow: Command injection in "example_dag_decorator". EPSS 0.4%
- CVE-2025-54947 (MEDIUM) Apache StreamPark: Use of hard-coded key vulnerability. EPSS 0.4%
- CVE-2025-24854 (MEDIUM) Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin. EPSS 0.4%
- CVE-2026-34487 (HIGH) Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token. EPSS 0.4%
- CVE-2026-23902 (HIGH) Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. EPSS 0.4%
- CVE-2026-41873 (CRITICAL) Pony Mail: Admin account takeover via request smuggling. EPSS 0.4%
- CVE-2024-25710 (HIGH) Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file. EPSS 0.4%
- CVE-2025-23408 (HIGH) Apache Fineract: Weak password policy. EPSS 0.4%
- CVE-2026-28563 (MEDIUM) Apache Airflow: DAG authorization bypass. EPSS 0.4%
- CVE-2026-31906 (MEDIUM) Apache OFBiz: Reflected XSS via improper HTML attribute escaping in layered-modal dialog parameters. EPSS 0.4%
- CVE-2025-66236 (HIGH) Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI. EPSS 0.4%
- CVE-2026-41280 (MEDIUM) Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects. EPSS 0.4%
- CVE-2021-36151 (severity not listed) Local Credentials Disclosure Vulnerability. EPSS 0.4%
- CVE-2026-23982 (HIGH) Apache Superset: Improper Authorization in dataset creation allows access control bypass. EPSS 0.4%
- CVE-2026-33523 (MEDIUM) Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line. EPSS 0.4%
- CVE-2026-46718 (MEDIUM) Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution. EPSS 0.4%
- CVE-2026-42797 (MEDIUM) Apache Syncope: JexlContextBuilder Information Disclosure. EPSS 0.4%