Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are rated critical and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times the catalog-wide average, which indicates sustained attention from threat actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for broad review rather than one-off fixes. CVE-2021-40438 stands out as the highest active-risk vulnerability at present, with the maximum EPSS score of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2026-32990 | MEDIUM | Apache Tomcat: Fix for CVE-2025-66614 is incomplete | 0.3%
CVE-2025-58337 | MEDIUM | Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server | 0.3%
CVE-2026-57914 | MEDIUM | Apache Kerby: StackOverflow on parsing deeply nested ASN1 structures | 0.3%
CVE-2025-58457 | MEDIUM | Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands | 0.3%
CVE-2026-50631 | HIGH | Apache CXF: OAuth2: TOCTOU Race Condition in Refresh Token Processing | 0.3%
CVE-2026-41566 | CRITICAL | Apache Kvrocks: Improper permission for the APPLYBATCH command | 0.3%
CVE-2026-41115 | MEDIUM | Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API | 0.3%
CVE-2026-41081 | MEDIUM | Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure | 0.3%
CVE-2026-55276 | CRITICAL | Apache Tomcat: Logged effective web.xml is incomplete | 0.3%
CVE-2026-47339 | MEDIUM | Apache APISIX: authz-casdoor incorrect session sharing | 0.3%
CVE-2026-53434 | CRITICAL | Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector | 0.3%
CVE-2024-29120 | MEDIUM | Apache StreamPark: Information leakage vulnerability | 0.3%
CVE-2026-50634 | MEDIUM | Apache CXF: WS JSON request filter trusts metadata from an unvalidated first signature entry | 0.3%
CVE-2024-29869 | MEDIUM | Apache Hive: Credentials file created with non restrictive permissions | 0.3%
CVE-2026-43828 | MEDIUM | Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default | 0.3%
CVE-2022-45787 | MEDIUM | Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider | 0.3%
CVE-2026-54665 | MEDIUM | Apache NiFi: Missing Validation for Proxy Host Headers | 0.3%
CVE-2026-41016 | MEDIUM | Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider | 0.3%
CVE-2026-41017 | MEDIUM | Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy | 0.3%
CVE-2026-49486 | HIGH | Apache Airflow FTP provider: FTP Provider does not protect FTPS data channel (missing PROT_P) | 0.3%
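As an added example (not code from the Vexday page or from any Apache project), the Python below parses listing entries in the run-together form in which they are extracted from the page (CVE ID, severity, title and EPSS with no separators) and ranks them the way the analysis paragraph implies: KEV membership first, then EPSS, then severity. The sample input is constructed from a few of the entries above plus a line for CVE-2021-40438 carrying the 1.0 EPSS the analysis cites; that line's title and severity, and the assumed KEV set, are placeholders for the example, since the page does not list them.

```python
import re
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample: listing entries run together as extracted from the page,
# including one title that was split across a line break in the extraction.
# The last entry is a placeholder for CVE-2021-40438: the page gives only its
# EPSS of 1.0 (100%), so its title and severity here are assumptions.
SAMPLE_LISTING = (
    "CVE-2026-32990MEDIUMApache Tomcat: Fix for CVE-2025-66614 is incompleteEPSS 0.3%"
    "CVE-2026-41566CRITICALApache Kvrocks: Improper permission for the APPLYBATCH commandEPSS 0.3%"
    "CVE-2026-50631HIGHApache CXF: OAuth2: TOCTOU Race Condition in Refresh Token ProcessingEPSS 0.3%"
    "CVE-2026-41017MEDIUMApache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind \n"
    "HTTPS-terminating proxyEPSS 0.3%"
    "CVE-2021-40438CRITICALApache HTTP Server (placeholder title for this example)EPSS 100.0%"
)

# Assumed KEV membership for the example; a real run would load the CISA KEV feed.
ASSUMED_KEV = {"CVE-2021-40438"}


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: str
    title: str
    epss: float  # probability in [0, 1]


# One entry = CVE id, severity word, lazily matched title, then "EPSS <pct>%".
# The title match is non-greedy so an embedded CVE id (as in the Tomcat entry)
# or a line break inside the title does not break the split; DOTALL lets "."
# cross the newline left by the extraction.
ENTRY_RE = re.compile(
    r"(CVE-\d{4}-\d{4,})(CRITICAL|HIGH|MEDIUM|LOW)(.+?)EPSS\s+([\d.]+)%",
    re.DOTALL,
)


def parse_listing(text: str) -> list[Entry]:
    """Split a run-together listing into Entry records, normalising whitespace in titles."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        cve, severity, title, epss_pct = m.groups()
        entries.append(Entry(cve, severity, " ".join(title.split()), float(epss_pct) / 100.0))
    return entries


def prioritize(entries: list[Entry], kev: set[str]) -> list[Entry]:
    """Order entries for remediation: KEV first, then higher EPSS, then higher severity.

    sorted() is stable, so entries that tie on all three keys keep their listing order.
    """
    return sorted(
        entries,
        key=lambda e: (e.cve in kev, e.epss, SEVERITY_RANK[e.severity]),
        reverse=True,
    )


if __name__ == "__main__":
    for e in prioritize(parse_listing(SAMPLE_LISTING), ASSUMED_KEV):
        flag = "KEV" if e.cve in ASSUMED_KEV else "   "
        print(f"{flag} {e.cve} {e.severity:<8} EPSS={e.epss:.3f} {e.title}")
```

With every listed entry sitting at EPSS 0.3%, the ranking collapses to severity order for those rows; the KEV flag is what lifts CVE-2021-40438 to the top regardless of how the rest tie, which is the behaviour a triage queue should have for vulnerabilities with confirmed in-the-wild exploitation.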