Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalogue, a proportion 3.3 times the catalogue-wide average, which indicates sustained attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with the maximum EPSS score of 1.0, meaning exploitation in the wild is practically certain, which makes it an immediate remediation priority for any organization running affected Apache components.

CVE-2025-58130 (CRITICAL, EPSS 0.4%) Apache Fineract: Server Key not masked
CVE-2026-42812 (CRITICAL, EPSS 0.4%) Apache Polaris: No protection on `write.metadata.path`
CVE-2025-27555 (MEDIUM, EPSS 0.4%) Apache Airflow: Connection Secrets not masked in UI when Connections are added via Airflow CLI
CVE-2026-23903 (MEDIUM, EPSS 0.4%) Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
CVE-2026-23794 (MEDIUM, EPSS 0.4%) Apache Syncope: Reflected XSS on Enduser Login
CVE-2022-45935 (MEDIUM, EPSS 0.4%) Apache James server: Temporary File Information Disclosure
CVE-2024-39954 (MEDIUM, EPSS 0.4%) Apache EventMesh Runtime: SSRF
CVE-2026-49231 (LOW, EPSS 0.4%) Apache APISIX: Identity spoofing issue in APISIX opa plugin
CVE-2026-25604 (MEDIUM, EPSS 0.4%) Apache Airflow AWS Auth Manager: Host Header Injection Leading to SAML Authentication Bypass
CVE-2025-27391 (MEDIUM, EPSS 0.4%) Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log
CVE-2026-42509 (MEDIUM, EPSS 0.4%) Apache Wicket: crafted strings can break out of the JavaScript sequence
CVE-2025-59790 (MEDIUM, EPSS 0.4%) Apache Kvrocks: RESET command grants admin privileges
CVE-2026-42809 (CRITICAL, EPSS 0.4%) Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
CVE-2026-32794 (MEDIUM, EPSS 0.4%) Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s Token Exchange
CVE-2026-41014 (MEDIUM, EPSS 0.4%) Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints
CVE-2026-43514 (LOW, EPSS 0.4%) Apache Tomcat: AJP secret compared in non-constant time
CVE-2026-48589 (NONE, EPSS 0.4%) Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow
CVE-2026-40690 (MEDIUM, EPSS 0.4%) Apache Airflow: Assets graph view bypasses DAG level access control, displaying unrelated topologies and all DAG names to unauthorized users
CVE-2026-38743 (MEDIUM, EPSS 0.4%) Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities
CVE-2026-46764 (MEDIUM, EPSS 0.4%) Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter
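The analysis above orders remediation by exploitation evidence (KEV membership, EPSS) before CVSS severity. The following Python helper is an added example, not Vexday's or Apache's code, that applies that ordering to records shaped like the entries on this page. The KEV and public-PoC flags on the sample records, the severity assigned to CVE-2021-40438, and the lane thresholds (`IMMEDIATE_EPSS`) are assumptions for the example, not data taken from the page.

```python
"""Triage helper: rank CVE records by KEV membership, then EPSS, then severity,
then public PoC, and bucket them into remediation lanes."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal rank for the severity labels used in the listing.
SEVERITY_RANK: Dict[str, int] = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0}

# Assumed policy threshold for this example (not from the page): EPSS at or
# above this value is treated like a KEV entry and handled immediately.
IMMEDIATE_EPSS = 0.5


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    severity: str             # CRITICAL / HIGH / MEDIUM / LOW / NONE as listed
    epss: float               # probability in [0, 1]; the page prints a percentage
    in_kev: bool = False      # present in CISA's Known Exploited Vulnerabilities catalogue
    has_public_poc: bool = False


def parse_epss_percent(text: str) -> float:
    """Convert the page's 'EPSS 0.4%' rendering into a probability (0.004)."""
    value = text.strip().upper().removeprefix("EPSS").strip().rstrip("%")
    prob = float(value) / 100.0
    if not 0.0 <= prob <= 1.0:
        raise ValueError(f"EPSS out of range: {text!r}")
    return prob


def triage_key(record: CveRecord) -> Tuple[bool, float, int, bool]:
    """Sort key: exploitation evidence first, CVSS severity only as a tiebreaker."""
    return (
        record.in_kev,
        record.epss,
        SEVERITY_RANK.get(record.severity.upper(), 0),
        record.has_public_poc,
    )


def rank_for_remediation(records: List[CveRecord]) -> List[str]:
    """Return CVE IDs in descending order of remediation priority."""
    return [r.cve_id for r in sorted(records, key=triage_key, reverse=True)]


def remediation_lane(record: CveRecord) -> str:
    """Bucket a record: 'immediate' (KEV or high EPSS), 'scheduled' (critical/high
    or public PoC), otherwise 'backlog'."""
    if record.in_kev or record.epss >= IMMEDIATE_EPSS:
        return "immediate"
    sev = SEVERITY_RANK.get(record.severity.upper(), 0)
    if sev >= SEVERITY_RANK["HIGH"] or record.has_public_poc:
        return "scheduled"
    return "backlog"


def kev_share(total_cves: int, kev_count: int) -> float:
    """Fraction of a vendor's CVEs that sit in KEV (the page reports 28 of 1,872)."""
    if total_cves <= 0:
        raise ValueError("total_cves must be positive")
    return kev_count / total_cves


# Constructed sample drawn from entries on this page. KEV and PoC flags, and the
# CRITICAL label on CVE-2021-40438, are assumptions for the example.
SAMPLE: List[CveRecord] = [
    CveRecord("CVE-2025-58130", "CRITICAL", parse_epss_percent("EPSS 0.4%"), has_public_poc=True),
    CveRecord("CVE-2026-42812", "CRITICAL", parse_epss_percent("EPSS 0.4%")),
    CveRecord("CVE-2025-27555", "MEDIUM", parse_epss_percent("EPSS 0.4%")),
    CveRecord("CVE-2026-43514", "LOW", parse_epss_percent("EPSS 0.4%")),
    CveRecord("CVE-2021-40438", "CRITICAL", 1.0, in_kev=True),
]

if __name__ == "__main__":
    by_id = {r.cve_id: r for r in SAMPLE}
    for cve_id in rank_for_remediation(SAMPLE):
        rec = by_id[cve_id]
        print(f"{cve_id:16} {rec.severity:9} EPSS={rec.epss:.3f} "
              f"KEV={str(rec.in_kev):5} lane={remediation_lane(rec)}")
    print(f"KEV share of this vendor's CVEs: {kev_share(1872, 28):.2%}")
```

Severity is deliberately the third key, not the first: the two CRITICAL Polaris and Fineract entries above sit at EPSS 0.4%, while the listing's top risk is driven entirely by an EPSS of 1.0, so sorting on CVSS alone would bury the one item the analysis says to fix first.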