Vulnerabilities in Apache Software Foundation

1,872 results
CVE-2022-22721 core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody | EPSS 41.9%
CVE-2024-45387 [CRITICAL] Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments | EPSS 41.8%
CVE-2024-38476 [CRITICAL] Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect | EPSS 41.6%
CVE-2021-37580 Apache ShenYu Admin bypass JWT authentication | EPSS 40.1%
CVE-2016-6816 The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the H | EPSS 39.6%
CVE-2017-7679 In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Co | EPSS 39.3%
CVE-2025-30065 [CRITICAL] Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet file metadata | EPSS 38.8%
CVE-2020-17525 Remote unauthenticated denial-of-service in Subversion mod_authz_svn | EPSS 37.5%
CVE-2021-39275 ap_escape_quotes buffer overflow | EPSS 36.3%
CVE-2024-39573 [HIGH] Apache HTTP Server: mod_rewrite proxy handler substitution | EPSS 35.4%
CVE-2022-33980 Apache Commons Configuration insecure interpolation defaults | EPSS 34.8%
CVE-2020-11981 An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, | EPSS 34.0%
CVE-2020-1947 In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs | EPSS 33.9%
CVE-2023-37941 [MEDIUM] Apache Superset: Metadata db write access can lead to remote code execution | EPSS 29.2%
CVE-2020-9480 In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) v | EPSS 29.2%
CVE-2022-22720 HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier | EPSS 28.2%
CVE-2025-60021 [CRITICAL] Apache bRPC: Remote command injection vulnerability in heap builtin service | EPSS 26.2%
CVE-2024-38473 [HIGH] Apache HTTP Server proxy encoding problem | EPSS 25.9%
CVE-2018-8033 In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP serv | EPSS 25.7%
CVE-2022-32532 Authentication Bypass Vulnerability | EPSS 25.4%