Apache Security Vulnerabilities (CVEs)

Track 553 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

Severity breakdown: 197 Critical, 258 High, 95 Medium, 3 Low
CVE-2025-66168 5.4

Apache ActiveMQ has an integer overflow vulnerability in MQTT packet handling that allows malformed packets to cause unexpected broker behavior. This ...

Mar 4, 2026
CVE-2026-23983 6.5

Authenticated users in Apache Superset can exploit a disabled-by-default tagging feature to retrieve sensitive user data including password hashes and...

Feb 24, 2026
CVE-2026-23980 6.5

This SQL injection vulnerability in Apache Superset allows authenticated users with read access to execute arbitrary SQL commands through the sqlExpre...

Feb 24, 2026
CVE-2024-56373 8.4

This vulnerability allows DAG authors with existing permissions to manipulate Airflow's database to execute arbitrary code in the web-server context w...

Feb 24, 2026
CVE-2026-23552 9.1

The CVE-2026-23552 vulnerability allows attackers to bypass tenant isolation in the Apache Camel Keycloak component by using JWT tokens from unauthorized ...

Feb 23, 2026
CVE-2025-65995 6.5

This vulnerability in Apache Airflow allows authenticated users with DAG view permissions to potentially see sensitive information like secrets when a...

Feb 21, 2026
CVE-2025-33042 7.3

This vulnerability allows remote code execution when Apache Avro Java SDK processes untrusted Avro schemas. Attackers can inject malicious code that g...

Feb 13, 2026
CVE-2026-24343 8.8

This XPath injection vulnerability in Apache HertzBeat allows attackers to manipulate XPath queries by injecting malicious data, potentially accessing...

Feb 10, 2026
CVE-2026-23906 9.8

This authentication bypass vulnerability in Apache Druid allows attackers to gain unauthorized access by exploiting LDAP anonymous bind configurations...

Feb 10, 2026
CVE-2026-23901 2.5

This CVE describes an observable timing discrepancy vulnerability in Apache Shiro authentication. Attackers can use timing differences to distinguish ...

Feb 10, 2026
CVE-2026-24098 6.5

This CVE describes an information disclosure vulnerability in Apache Airflow where authenticated users with access to specific DAGs can view import er...

Feb 9, 2026
CVE-2026-22922 6.5

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw where authenticated users with custom permissions limited to task access can...

Feb 9, 2026
CVE-2026-23903 5.3

This CVE describes an authentication bypass vulnerability in Apache Shiro where attackers can access protected static files by changing the case of fi...

Feb 9, 2026
CVE-2026-24735 7.5

An unauthenticated API endpoint in Apache Answer exposes full revision history for deleted content, allowing unauthorized users to retrieve sensitive ...

Feb 4, 2026
CVE-2026-23794 6.8

This reflected XSS vulnerability in Apache Syncope's Enduser Login page allows attackers to steal user credentials by tricking legitimate users into c...

Feb 3, 2026
CVE-2026-23795 4.9

This CVE describes an XXE vulnerability in Apache Syncope Console that allows administrators with Keymaster parameter privileges to inject malicious X...

Feb 3, 2026
CVE-2026-24656 3.7

Apache Karaf Decanter's log socket collector has a deserialization vulnerability on port 4560 without authentication. Attackers can bypass allowed cla...

Jan 26, 2026
CVE-2025-27821 7.3

This CVE describes an out-of-bounds write vulnerability in Apache Hadoop HDFS native client that could allow attackers to execute arbitrary code or ca...

Jan 26, 2026
CVE-2026-22022 8.2

Apache Solr deployments using RuleBasedAuthorizationPlugin with specific configurations are vulnerable to unauthorized API access. Attackers can bypas...

Jan 21, 2026
CVE-2026-22444 7.1

This vulnerability in Apache Solr allows attackers to bypass path restrictions and read unauthorized files from the filesystem when creating new cores...

Jan 21, 2026
CVE-2025-68438 7.5

This vulnerability in Apache Airflow exposes sensitive values like passwords and API keys in cleartext in the Rendered Templates UI when template fiel...

Jan 16, 2026
CVE-2025-68675 7.5

Apache Airflow versions before 3.1.6 expose proxy credentials in logs when connections contain proxy URLs with embedded authentication. This allows at...

Jan 16, 2026
CVE-2025-60021 9.8

This CVE describes a remote command injection vulnerability in Apache bRPC's heap profiler service. Attackers can execute arbitrary commands by inject...

Jan 16, 2026
CVE-2025-66169 5.3

This CVE describes a Cypher Injection vulnerability in Apache Camel's camel-neo4j component, allowing attackers to execute arbitrary Cypher queries ag...

Jan 14, 2026
CVE-2025-68493 8.1

This CVE describes a Missing XML Validation vulnerability in Apache Struts that allows attackers to inject malicious XML content. It affects Apache St...

Jan 11, 2026
CVE-2025-52435 7.5

This vulnerability in Apache NimBLE allows an attacker to downgrade encrypted Bluetooth Low Energy connections to an unencrypted state after a Pause Encr...

Jan 10, 2026
CVE-2025-53470 3.1

An out-of-bounds read vulnerability in Apache NimBLE's HCI H4 driver allows a malicious or malfunctioning Bluetooth controller to trigger invalid memo...

Jan 10, 2026
CVE-2025-53477 7.5

A NULL pointer dereference vulnerability in Apache NimBLE's Bluetooth stack occurs when HCI connection completion or command transmission buffers lack...

Jan 10, 2026
CVE-2025-62235 8.1

This vulnerability allows attackers to bypass authentication in Apache NimBLE by sending specially crafted Security Request packets. An attacker can r...

Jan 10, 2026
CVE-2025-68637 9.1

This vulnerability allows attackers to perform Man-in-the-Middle attacks on all REST API communications between Uniffle CLI/client and Coordinator ser...

Jan 7, 2026
CVE-2025-66518 8.8

This vulnerability allows clients accessing Apache Kyuubi Server to bypass the server-side configuration that restricts which local directories can be...

Jan 5, 2026
CVE-2025-66524 8.8

This vulnerability allows remote code execution on Apache NiFi systems through unsafe Java deserialization in the GetAsanaObject Processor. Attackers ...

Dec 19, 2025
CVE-2025-68161 4.8

This vulnerability in Apache Log4j Core allows man-in-the-middle attackers to intercept or redirect encrypted log traffic when TLS hostname verificati...

Dec 18, 2025
CVE-2025-67895 9.8

This vulnerability allows authenticated DAG authors in Apache Airflow 2 to perform remote code execution in the webserver context via an improperly ex...

Dec 17, 2025
CVE-2025-66388 6.5

This vulnerability in Apache Airflow allows authenticated users with UI access to view secret values in rendered templates due to improper redaction. ...

Dec 15, 2025
CVE-2025-53960 5.9

Apache StreamPark versions 2.0.0 through 2.1.6 use user passwords as JWT signing keys, allowing attackers who capture tokens to brute-force passwords ...

Dec 12, 2025
CVE-2025-54947 9.8

Apache StreamPark versions 2.0.0 through 2.1.6 use a hard-coded encryption key, allowing attackers to decrypt sensitive data or forge encrypted inform...

Dec 12, 2025
CVE-2025-54981 7.5

This vulnerability in Apache StreamPark uses weak encryption (AES-ECB mode) and a weak random number generator for encrypting sensitive data like JWT ...

Dec 12, 2025
CVE-2025-26866 8.8

This CVE describes a remote code execution vulnerability in Apache HugeGraph's PD store where a malicious Raft node can exploit insecure Hessian deser...

Dec 12, 2025
CVE-2025-58130 9.1

CVE-2025-58130 is an insufficiently protected credentials vulnerability in Apache Fineract that could allow attackers to access sensitive authenticati...

Dec 12, 2025
CVE-2025-58137 8.1

This CVE describes an authorization bypass vulnerability in Apache Fineract where attackers can manipulate user-controlled keys to access unauthorized...

Dec 12, 2025
CVE-2025-23408 6.5

Apache Fineract versions through 1.10.1 have weak password requirements that allow attackers to set or maintain easily guessable passwords. This affec...

Dec 12, 2025
CVE-2025-66675 8.2

This CVE describes a Denial of Service vulnerability in Apache Struts where specially crafted multipart requests can cause file leaks leading to disk ...

Dec 10, 2025
CVE-2025-58098 8.3

This vulnerability in Apache HTTP Server allows remote code execution when Server Side Includes (SSI) is enabled with mod_cgid. Attackers can inject s...

Dec 5, 2025
CVE-2025-59775 7.5

This SSRF vulnerability in Apache HTTP Server on Windows allows attackers to force the server to make requests to malicious servers, potentially leaki...

Dec 5, 2025
CVE-2025-65082 6.5

This vulnerability allows attackers to manipulate CGI program behavior by injecting malicious environment variables through Apache configuration. It a...

Dec 5, 2025
CVE-2025-66200 5.4

This vulnerability allows users with htaccess file access to bypass mod_userdir+suexec restrictions via the RequestHeader directive, potentially causi...

Dec 5, 2025
CVE-2025-55753 7.5

An integer overflow in Apache HTTP Server's ACME certificate renewal process causes the backoff timer to reset to zero after approximately 30 days of ...

Dec 5, 2025
CVE-2025-66516 8.4

This critical XXE vulnerability in Apache Tika allows attackers to perform XML External Entity injection via crafted XFA files within PDF documents. I...

Dec 4, 2025
CVE-2025-64775 7.5

This vulnerability in Apache Struts allows attackers to cause a denial of service through disk exhaustion by exploiting a file leak in multipart reque...

Dec 1, 2025

Why Monitor Apache Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 553+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. No agents are required: the scanning is fully agentless and works across Apache deployments.

Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register a free account & add your servers
  • Run a one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Apache CVEs affect your systems
  • Access a dashboard with severity breakdown & fix instructions