Apache Security Vulnerabilities (CVEs)

Track 573 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

204 Critical
271 High
95 Medium
3 Low
CVE-2022-23206 (CVSS 7.5)

This vulnerability allows unprivileged users to perform port scanning on internal networks via Apache Traffic Control Traffic Ops. Attackers can send ...

Feb 6, 2022
CVE-2022-23913 (CVSS 7.5)

This vulnerability in Apache ActiveMQ Artemis allows attackers to cause a denial-of-service (DoS) condition by consuming excessive memory resources. S...

Feb 4, 2022
CVE-2021-36152 (CVSS 9.8)

Apache Gobblin versions <=0.15.0 trust all certificates for LDAP connections in Gobblin-as-a-Service, disabling TLS certificate validation. This allow...

Feb 4, 2022
CVE-2022-23181 (CVSS 7.0)

This CVE describes a time-of-check-time-of-use (TOCTOU) vulnerability in Apache Tomcat that allows local attackers to escalate privileges. The vulnera...

Jan 27, 2022
CVE-2021-41766 (CVSS 8.1)

Apache Karaf's JMX implementation is vulnerable to Java deserialization attacks, allowing remote code execution on affected systems. This affects Apac...

Jan 26, 2022
CVE-2022-23944 (CVSS 9.1)

Apache ShenYu versions 2.4.0 and 2.4.1 have an authentication bypass vulnerability in the /plugin API endpoint. This allows unauthenticated attackers ...

Jan 25, 2022
CVE-2021-45029 (CVSS 9.8)

CVE-2021-45029 is a critical vulnerability in Apache ShenYu that allows attackers to inject malicious Groovy or SpEL code, leading to remote code exec...

Jan 25, 2022
CVE-2022-23305 (CVSS 9.8)

CVE-2022-23305 is an SQL injection vulnerability in Log4j 1.2.x's JDBCAppender that allows attackers to execute arbitrary SQL queries by injecting mal...

Jan 18, 2022
CVE-2021-43999 (CVSS 8.8)

This vulnerability in Apache Guacamole allows attackers to impersonate other users when SAML authentication is enabled. It affects Apache Guacamole 1....

Jan 11, 2022
CVE-2021-43297 (CVSS 9.8)

A deserialization vulnerability in Apache Dubbo's Hessian-lite serialization protocol allows remote attackers to execute arbitrary code by sending spe...

Jan 10, 2022
CVE-2021-43045 (CVSS 7.5)

This vulnerability in Apache Avro's .NET SDK allows attackers to cause denial-of-service by forcing excessive resource allocation. It affects .NET app...

Jan 6, 2022
CVE-2021-31522 (CVSS 9.8)

This vulnerability in Apache Kylin allows remote attackers to execute arbitrary code by exploiting unsafe reflection through Class.forName() with user...

Jan 6, 2022
CVE-2021-45456 (CVSS 9.8)

Apache Kylin 4.0.0 contains a command injection vulnerability in DiagnosisService where improper validation of project names allows attackers to execu...

Jan 6, 2022
CVE-2021-45458 (CVSS 7.5)

Apache Kylin's PasswordPlaceholderConfigurer uses hardcoded encryption keys and initialization vectors, making encrypted passwords easily decryptable ...

Jan 6, 2022
CVE-2021-27738 (CVSS 7.5)

This vulnerability allows unauthenticated attackers to manipulate Apache Kylin's streaming cube management and replica sets via unprotected REST API e...

Jan 6, 2022
CVE-2021-34797 (CVSS 7.5)

Apache Geode versions up to 1.12.4 and 1.13.4 fail to properly redact sensitive information in log files when passwords or security properties begin w...

Jan 4, 2022
CVE-2021-40525 (CVSS 9.1)

CVE-2021-40525 is a path traversal vulnerability in Apache James ManagedSieve implementation that allows attackers to read and write arbitrary files o...

Jan 4, 2022
CVE-2021-45232 (CVSS 9.8)

This vulnerability allows attackers to bypass authentication in Apache APISIX Dashboard by directly accessing APIs through the gin framework interface...

Dec 27, 2021
CVE-2021-44548 (CVSS 9.8)

This vulnerability in Apache Solr's DataImportHandler allows attackers to make SMB network calls from the Solr host to other systems by providing Wind...

Dec 23, 2021
CVE-2021-44224 (CVSS 8.2)

This vulnerability in Apache HTTP Server allows attackers to crash the server via NULL pointer dereference or perform Server-Side Request Forgery (SSR...

Dec 20, 2021
CVE-2021-43083 (CVSS 8.8)

This vulnerability in Apache PLC4X's C implementation (PLC4C) allows unsigned integer underflow in the TCP transport layer. Attackers could exploit th...

Dec 19, 2021
CVE-2021-45046 (CVSS 9.0)

CVE-2021-45046 is an incomplete fix for the Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j 2.15.0 that allows attackers to execute arbitrary...

Dec 14, 2021
CVE-2021-44549 (CVSS 7.4)

Apache Sling Commons Messaging Mail versions before 2.0 lack server identity verification for SMTPS connections by default, allowing man-in-the-middle...

Dec 14, 2021
CVE-2021-4104 (CVSS 7.5)

CVE-2021-4104 is a deserialization vulnerability in Log4j 1.2's JMSAppender that allows remote code execution when attackers can modify Log4j configur...

Dec 14, 2021
CVE-2021-44228 (CVSS 10.0)

CVE-2021-44228 (Log4Shell) is a critical remote code execution vulnerability in Apache Log4j2 that allows attackers to execute arbitrary code by explo...

Dec 10, 2021
CVE-2021-44140 (CVSS 9.1)

CVE-2021-44140 is a critical vulnerability in Apache JSPWiki that allows remote attackers to delete arbitrary files on the server by sending a special...

Nov 24, 2021
CVE-2021-43557 (CVSS 7.5)

CVE-2021-43557 is a URI normalization bypass vulnerability in Apache APISIX's uri-block plugin that allows attackers to bypass block lists by using sp...

Nov 22, 2021
CVE-2021-39231 (CVSS 9.1)

Apache Ozone versions before 1.2.0 expose internal RPC endpoints that allow attackers to download raw data from Datanode and Ozone Manager components,...

Nov 19, 2021
CVE-2021-39233 (CVSS 9.1)

This vulnerability allows any client to make unauthorized container-related DataNode requests to Apache Ozone, bypassing authentication mechanisms. It...

Nov 19, 2021
CVE-2021-39236 (CVSS 8.8)

This vulnerability allows authenticated users with valid Ozone S3 credentials to impersonate any other user by creating specific OM requests. It affec...

Nov 19, 2021
CVE-2021-37580 (CVSS 9.8)

This vulnerability allows attackers to bypass authentication in Apache ShenYu Admin by exploiting incorrect JWT implementation. It affects Apache Shen...

Nov 16, 2021
CVE-2021-43350 (CVSS 9.8)

CVE-2021-43350 is an LDAP injection vulnerability in Apache Traffic Control Traffic Ops that allows unauthenticated attackers to manipulate LDAP filte...

Nov 11, 2021
CVE-2021-26558 (CVSS 7.5)

CVE-2021-26558 is a deserialization vulnerability in Apache ShardingSphere-UI that allows attackers to inject malicious external resources through unt...

Nov 11, 2021
CVE-2021-37149 (CVSS 7.5)

This CVE describes an improper input validation vulnerability in Apache Traffic Server's header parsing that allows attackers to smuggle HTTP requests...

Nov 3, 2021
CVE-2021-41585 (CVSS 7.5)

An improper input validation vulnerability in Apache Traffic Server's socket connection handling allows attackers to send malicious requests that caus...

Nov 3, 2021
CVE-2021-43082 (CVSS 9.8)

This CVE describes a classic buffer overflow vulnerability in Apache Traffic Server's stats-over-http plugin that allows attackers to overwrite memory...

Nov 3, 2021
CVE-2021-37147 (CVSS 7.5)

CVE-2021-37147 is an improper input validation vulnerability in Apache Traffic Server's header parsing that allows HTTP request smuggling. Attackers c...

Nov 3, 2021
CVE-2021-27644 (CVSS 8.8)

CVE-2021-27644 is a SQL injection vulnerability in Apache DolphinScheduler's data source center that allows authorized users to execute arbitrary SQL ...

Nov 1, 2021
CVE-2021-38294 (CVSS 9.8)

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on Apache Storm Nimbus servers by sending specially crafted T...

Oct 25, 2021
CVE-2021-41971 (CVSS 8.8)

This vulnerability allows authenticated attackers to perform SQL injection attacks in Apache Superset when template processing is enabled. It affects ...

Oct 18, 2021
CVE-2021-38295 (CVSS 7.3)

This is a privilege escalation vulnerability in Apache CouchDB where a malicious user with document creation permissions can attach HTML files contain...

Oct 14, 2021
CVE-2021-41832 (CVSS 7.5)

CVE-2021-41832 is a signature validation bypass vulnerability in Apache OpenOffice that allows attackers to manipulate documents to appear as if they ...

Oct 11, 2021
CVE-2021-42013 (CVSS 9.8)

CVE-2021-42013 is a critical path traversal vulnerability in Apache HTTP Server that allows attackers to access files outside configured directories. ...

Oct 7, 2021
CVE-2021-41773 (CVSS 9.8)

CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows attackers to access files outside configured directories. If...

Oct 5, 2021
CVE-2021-41616 (CVSS 9.8)

CVE-2021-41616 is a critical deserialization vulnerability in Apache DB DdlUtils 1.0 that allows remote code execution by exploiting insecure ObjectIn...

Sep 30, 2021
CVE-2021-41303 (CVSS 9.8)

CVE-2021-41303 is an authentication bypass vulnerability in Apache Shiro when used with Spring Boot. A specially crafted HTTP request can allow attack...

Sep 17, 2021
CVE-2021-36160 (CVSS 7.5)

CVE-2021-36160 is an out-of-bounds read vulnerability in Apache HTTP Server's mod_proxy_uwsgi module. A specially crafted URI path can cause the serve...

Sep 16, 2021
CVE-2021-39275 (CVSS 9.8)

CVE-2021-39275 is a critical buffer overflow vulnerability in Apache HTTP Server's ap_escape_quotes() function that could allow remote code execution ...

Sep 16, 2021
CVE-2021-41079 (CVSS 7.5)

This vulnerability in Apache Tomcat allows denial of service attacks when using specific TLS configurations. Attackers can send specially crafted TLS ...

Sep 16, 2021
CVE-2021-38555 (CVSS 9.1)

This XXE vulnerability in Any23 allows attackers to read arbitrary files from the server filesystem and potentially access internal systems. It affect...

Sep 11, 2021

Why Monitor Apache Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 573+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. No agents required - completely agentless scanning that works across Apache deployments.

Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Apache CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions