Vulnerabilities in Apache Software Foundation

1,896 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad rather than one-off review. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS score of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE | Severity | Title | EPSS
CVE-2025-66524 | HIGH | Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor | 0.4%
CVE-2025-62232 | HIGH | Apache APISIX: basic-auth logs plaintext credentials at info level | 0.4%
CVE-2020-35451 | | Oozie local privilege escalation | 0.4%
CVE-2026-47340 | MEDIUM | Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access. | 0.4%
CVE-2025-69233 | MEDIUM | Apache CloudStack: Domain/account resources limits not honored | 0.4%
CVE-2025-64406 | MEDIUM | Apache OpenOffice: Possible memory corruption during CSV import | 0.4%
CVE-2023-43666 | | Apache InLong: General user Unauthorized access User Management | 0.4%
CVE-2026-42811 | CRITICAL | Apache Polaris: could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions | 0.4%
CVE-2026-47341 | MEDIUM | Apache APISIX: Session replay issue in hmac-auth | 0.4%
CVE-2024-46911 | MEDIUM | Apache Roller: Weakness in CSRF protection allows privilege escalation | 0.4%
CVE-2025-65114 | HIGH | Apache Traffic Server: Malformed chunked message body allows request smuggling | 0.4%
CVE-2026-32228 | HIGH | Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to | 0.4%
CVE-2026-42810 | CRITICAL | Apache Polaris: could broaden vended S3 credentials through wildcard-bearing namespace or table names | 0.4%
CVE-2026-49157 | HIGH | Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default | 0.4%
CVE-2024-35164 | MEDIUM | Apache Guacamole: Improper input validation of console codes | 0.4%
CVE-2026-56091 | HIGH | Apache Shiro: Authentication bypass in Guice-Web integration | 0.4%
CVE-2026-32690 | LOW | Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | 0.4%
CVE-2026-31986 | CRITICAL | Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection | 0.4%
CVE-2023-41180 | | Apache NiFi MiNiFi C++: Incorrect Certificate Validation in InvokeHTTP for MiNiFi C++ | 0.4%
CVE-2026-33227 | MEDIUM | Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory | 0.4%