Apache Security Vulnerabilities (CVEs)
Track 573 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
- CVE-2021-38540 is an authentication bypass vulnerability in Apache Airflow's variable import endpoint. Unauthenticated attackers can add or modify Air... (Sep 9, 2021)
- CVE-2021-36161 is a remote code execution vulnerability in Apache Dubbo where maliciously crafted beans with special toString methods can trigger code... (Sep 9, 2021)
- CVE-2021-36162 is a remote code execution vulnerability in Apache Dubbo that allows attackers with access to the configuration center to poison YAML r... (Sep 7, 2021)
- Apache Dubbo's Hessian protocol implementation has a critical deserialization vulnerability that allows unauthenticated remote code execution. Attacke... (Sep 7, 2021)
- This CVE describes a command injection vulnerability in Apache Zeppelin's Spark interpreter settings that allows authenticated users to execute arbitr... (Sep 2, 2021)
- This vulnerability in Apache NiFi MiNiFi C++ allows remote attackers to execute arbitrary commands with the same privileges as the application binary.... (Aug 24, 2021)
- CVE-2021-35940 is an out-of-bounds read vulnerability in Apache Portable Runtime (APR) 1.7.x branch that allows reading memory beyond allocated array ... (Aug 23, 2021)
- This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in Apache Roller where user-controlled inputs (Referer header, request... (Aug 18, 2021)
- This vulnerability allows attackers to upload malicious files to Apache OFBiz servers, which can lead to remote code execution. It affects Apache OFBi... (Aug 18, 2021)
- CVE-2021-33193 is an HTTP/2 request smuggling vulnerability in Apache HTTP Server's mod_proxy module. Attackers can send specially crafted HTTP/2 requ... (Aug 16, 2021)
- CVE-2021-37578 is a Java deserialization vulnerability in Apache jUDDI's RMI implementation that allows remote code execution. Attackers can send mali... (Jul 29, 2021)
- Apache Directory Studio versions 2.0.0.v20210213-M16 and earlier fail to apply StartTLS encryption when using SASL authentication mechanisms (DIGEST-M... (Jul 26, 2021)
- CVE-2021-28131 is an authentication bypass vulnerability in Apache Impala where session secrets are exposed in logs, allowing authenticated users to h... (Jul 22, 2021)
- CVE-2021-35515 is a denial-of-service vulnerability in Apache Commons Compress's 7Z archive handling. When processing a specially crafted 7Z file, the... (Jul 13, 2021)
- CVE-2021-35517 is a denial-of-service vulnerability in Apache Commons Compress where specially crafted TAR archives can trigger excessive memory alloc... (Jul 13, 2021)
- CVE-2021-32566 is an improper input validation vulnerability in Apache Traffic Server's HTTP/2 implementation that allows attackers to cause a denial-... (Jun 30, 2021)
- A stack-based buffer overflow vulnerability in Apache Traffic Server's cachekey plugin allows remote attackers to execute arbitrary code or cause deni... (Jun 30, 2021)
- Apache Traffic Server incorrectly handles URL fragments, allowing attackers to poison the cache by manipulating fragment identifiers. This affects Apa... (Jun 29, 2021)
- CVE-2021-26461 is an integer overflow vulnerability in Apache NuttX memory allocation functions that allows attackers to trigger arbitrary memory allo... (Jun 21, 2021)
- A denial-of-service vulnerability in Apache CXF's JsonMapObjectReaderWriter allows attackers to send specially crafted JSON payloads to web services, ... (Jun 16, 2021)
- CVE-2020-9493 is a critical deserialization vulnerability in Apache Chainsaw that allows remote attackers to execute arbitrary code by sending special... (Jun 16, 2021)
- CVE-2020-13950 is a NULL pointer dereference vulnerability in Apache HTTP Server's mod_proxy_http module that allows remote attackers to cause a denia... (Jun 10, 2021)
- CVE-2021-26690 is a NULL pointer dereference vulnerability in Apache HTTP Server's mod_session module that can be triggered by a specially crafted Coo... (Jun 10, 2021)
- CVE-2021-26691 is a critical heap overflow vulnerability in Apache HTTP Server that allows remote attackers to execute arbitrary code or cause denial ... (Jun 10, 2021)
- CVE-2021-25641 is a critical deserialization vulnerability in Apache Dubbo that allows remote unauthenticated attackers to force servers to use insecu... (Jun 1, 2021)
- CVE-2021-30179 is a critical remote code execution vulnerability in Apache Dubbo that allows attackers to execute arbitrary Java code by exploiting in... (Jun 1, 2021)
- Apache Dubbo prior to versions 2.6.9 and 2.7.9 contains a remote code execution vulnerability in its Script routing feature. Attackers can exploit thi... (Jun 1, 2021)
- This vulnerability in Apache Pulsar allows attackers to bypass JWT token authentication by using tokens with the 'none' algorithm, which are not prope... (May 26, 2021)
- This vulnerability in Apache Wicket allows attackers to trigger arbitrary DNS lookups from the server by manipulating the X-Forwarded-For header. This... (May 25, 2021)
- Apache Unomi versions before 1.5.5 are vulnerable to CRLF log injection due to improper escaping in log statements. This allows attackers to inject ma... (May 4, 2021)
- CVE-2021-29200 is an unsafe deserialization vulnerability in Apache OFBiz that allows unauthenticated remote code execution. Attackers can exploit thi... (Apr 27, 2021)
- Apache OFBiz versions before 17.12.07 contain an unsafe deserialization vulnerability that allows remote attackers to execute arbitrary code on affect... (Apr 27, 2021)
- This vulnerability allows unauthenticated access to S3 buckets and keys in Apache Ozone clusters through simple HTTP requests or curl commands. It aff... (Apr 27, 2021)
- Apache Maven follows repository references defined in dependency POM files, allowing malicious actors to redirect builds to compromised repositories. ... (Apr 23, 2021)
- CVE-2021-27850 is a critical unauthenticated remote code execution vulnerability in Apache Tapestry that allows attackers to bypass previous security ... (Apr 15, 2021)
- CVE-2021-27905 is a Server-Side Request Forgery (SSRF) vulnerability in Apache Solr's ReplicationHandler that allows attackers to make arbitrary HTTP ... (Apr 13, 2021)
- This vulnerability in Apache Solr's ConfigurableInternodeAuthHadoopPlugin causes distributed requests to be forwarded using server credentials instead... (Apr 13, 2021)
- CVE-2021-26919 is a remote code execution vulnerability in Apache Druid's JDBC integration with MySQL. Attackers can exploit certain MySQL JDBC driver... (Mar 30, 2021)
- CVE-2020-1946 is a critical vulnerability in Apache SpamAssassin that allows malicious rule configuration files to execute arbitrary system commands w... (Mar 25, 2021)
- CVE-2021-21341 is a denial-of-service vulnerability in XStream library where specially crafted XML input can cause 100% CPU consumption on target syst... (Mar 23, 2021)
- Apache OFBiz versions before 17.12.06 contain an unsafe deserialization vulnerability in the SOAP component. Unauthenticated attackers can exploit thi... (Mar 22, 2021)
- This vulnerability in Subversion's mod_authz_svn module causes a server crash when using in-repository authz rules with AuthzSVNReposRelativeAccessFil... (Mar 17, 2021)
- This directory traversal vulnerability in Apache Ambari allows malicious users to construct file names that escape intended directories, enabling unau... (Mar 17, 2021)
- This vulnerability in Apache Tomcat allows HTTP/2 cleartext (h2c) connections to leak request data between users. When processing h2c requests, Tomcat... (Mar 1, 2021)
- Apache XmlGraphics Commons versions 2.4 and earlier contain a server-side request forgery (SSRF) vulnerability in the XMPParser component. Attackers c... (Feb 24, 2021)
- Apache MyFaces Core uses cryptographically weak CSRF tokens in default configurations, allowing attackers to potentially predict future token values a... (Feb 19, 2021)
- CVE-2021-21315 is a command injection vulnerability in the systeminformation npm package that allows attackers to execute arbitrary commands on affect... (Feb 16, 2021)
- This vulnerability in Apache Thrift allows malicious RPC clients to send specially crafted short messages that trigger excessive memory allocation, po... (Feb 12, 2021)
- This vulnerability in Apache Cassandra allows unencrypted internode connections even when TLS is configured, enabling attackers to bypass mutual TLS r... (Feb 3, 2021)
- CVE-2020-17523 is an authentication bypass vulnerability in Apache Shiro when used with Spring. Attackers can craft HTTP requests to bypass authentica... (Feb 3, 2021)
Why Monitor Apache Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 573+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. The scanning is fully agentless, so nothing has to be installed on the hosts, and it works across Apache deployments.
Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Apache CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions