Vulnerabilities in Apache Software Foundation

1,898 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is practically certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2026-50627 | CRITICAL | Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator | EPSS 0.4%
CVE-2026-33005 | MEDIUM | Apache OpenMeetings: Insufficient checks in FileWebService | EPSS 0.4%
CVE-2026-31388 | MEDIUM | Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature | EPSS 0.4%
CVE-2025-62228 | MEDIUM | Apache Flink CDC: SQL injection via maliciously crafted identifiers | EPSS 0.4%
CVE-2026-42526 | MEDIUM | Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends | EPSS 0.4%
CVE-2026-43827 | MEDIUM | Apache Shiro: Session fixation: new session is not created after login by default | EPSS 0.4%
CVE-2025-46647 | MEDIUM | Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect | EPSS 0.4%
CVE-2026-54399 | HIGH | Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration | EPSS 0.4%
CVE-2026-54428 | HIGH | Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK | EPSS 0.4%
CVE-2026-45192 | MEDIUM | Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response | EPSS 0.4%
CVE-2026-41018 | MEDIUM | Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL | EPSS 0.4%
CVE-2026-43826 | MEDIUM | Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL | EPSS 0.4%
CVE-2026-30911 | HIGH | Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization | EPSS 0.4%
CVE-2026-48895 | LOW | Apache APISIX: Cas-auth Host header influence on CAS service URL | EPSS 0.4%
CVE-2026-47342 | HIGH | Apache OFBiz: Privilege Escalation via updateOrRemove Authorization Bypass | EPSS 0.4%
CVE-2025-66388 | MEDIUM | Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI | EPSS 0.4%
CVE-2026-25699 | MEDIUM | Apache Answer: Authorization Bypass in Timeline API | EPSS 0.4%
CVE-2026-25688 | MEDIUM | Apache Answer: XSS in AI Answer Rendering | EPSS 0.4%
CVE-2026-26929 | MEDIUM | Apache Airflow: Wildcard DagVersion Listing Bypasses Per-DAG RBAC and Leaks Metadata | EPSS 0.4%
CVE-2026-50630 | MEDIUM | Apache CXF: OAuth2: HTTP Response Splitting via WWW-Authenticate Realm Injection | EPSS 0.4%