Vulnerabilities in Apache Software Foundation

1899 results
Vexday Analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalogue, a proportion 3.3 times above the catalogue-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad rather than a one-off review. CVE-2021-40438 stands out as the highest active-risk vulnerability at the moment, with a maximum EPSS of 1.0 (exploitation in practice is almost certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2026-25087 | HIGH | Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering | EPSS 0.8%
CVE-2023-36388 | MEDIUM | Apache Superset: Improper API permission for low privilege users allows for SSRF | EPSS 0.8%
CVE-2024-53947 | LOW | Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions | EPSS 0.8%
CVE-2026-34355 | HIGH | Apache HTTP Server: mod_proxy_html buffer overflow | EPSS 0.8%
CVE-2017-7666 | | Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks. | EPSS 0.8%
CVE-2024-37358 | HIGH | Apache James: denial of service through the use of IMAP literals | EPSS 0.8%
CVE-2025-65995 | MEDIUM | Apache Airflow: Disclosure of secrets to UI via kwargs | EPSS 0.8%
CVE-2025-27018 | MEDIUM | Apache Airflow MySQL Provider: SQL injection in MySQL provider core function | EPSS 0.8%
CVE-2026-50734 | HIGH | Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All: Pre-authentication OpenWire memory-allocation DoS during wire format negotiation | EPSS 0.8%
CVE-2026-53916 | HIGH | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec | EPSS 0.8%
CVE-2026-53917 | HIGH | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in OpenWire property unmarshalling | EPSS 0.8%
CVE-2023-39196 | MEDIUM | Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints | EPSS 0.8%
CVE-2021-33900 | | StartTLS and SASL confidentiality protection bypass | EPSS 0.8%
CVE-2025-26866 | HIGH | Apache HugeGraph-Server: RAFT and deserialization vulnerability | EPSS 0.8%
CVE-2024-45791 | HIGH | Apache HertzBeat: Exposure sensitive token via http GET method with query string | EPSS 0.8%
CVE-2024-56202 | MEDIUM | Apache Traffic Server: Expect header field can unreasonably retain resource | EPSS 0.8%
CVE-2024-29070 | CRITICAL | Apache StreamPark: session not invalidated after logout | EPSS 0.8%
CVE-2024-53948 | MEDIUM | Apache Superset: Error verbosity exposes metadata in analytics databases | EPSS 0.8%
CVE-2022-44729 | | Apache XML Graphics Batik: Information disclosure vulnerability | EPSS 0.8%
CVE-2024-29007 | HIGH | Apache CloudStack: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences | EPSS 0.8%