Apache Security Vulnerabilities (CVEs)

The CVE-2025-59792 vulnerability in Apache Kvrocks allows attackers to obtain plaintext credentials through the MONITOR command. This affects all Apac...

CVE-2025-59790 is an improper privilege management vulnerability in Apache Kvrocks that could allow authenticated users to escalate privileges beyond ...

This CVE describes a cross-site scripting (XSS) vulnerability in Apache SkyWalking where malicious script tags can be injected into web pages. It affe...

Apache CloudStack contains a code injection vulnerability in six administrative APIs that allows authenticated administrators to execute arbitrary Jav...

This CVE describes an information disclosure vulnerability in Apache CloudStack where authorized users could occasionally access data beyond their int...

This SQL injection vulnerability in Apache Hive Metastore Server allows authorized users to execute arbitrary SQL commands when calling Thrift APIs to...

Apache Syncope versions before 3.0.15 and 4.0.3 use a hard-coded AES encryption key for password storage when configured to encrypt passwords in the d...

Apache OpenOffice versions through 4.1.15 have an authorization vulnerability where specially crafted documents can automatically load external links ...

This vulnerability allows attackers to upload malicious files to Apache OFBiz servers, potentially leading to remote code execution or server compromi...

This CVE describes a reflected cross-site scripting (XSS) vulnerability in Apache OFBiz that allows attackers to inject malicious scripts into web pag...

Apache OpenOffice versions through 4.1.15 have a missing authorization vulnerability where documents containing OLE objects with external links can au...

Apache OpenOffice Calc has a missing authorization vulnerability that allows attackers to craft documents with external data source links that load wi...

Apache OpenOffice versions through 4.1.15 have a missing authorization vulnerability that allows attackers to craft documents that automatically load ...

Apache OpenOffice versions through 4.1.15 have a missing authorization vulnerability where specially crafted Calc spreadsheets containing DDE links ca...

An out-of-bounds write vulnerability in Apache OpenOffice allows attackers to craft malicious documents that could crash the program or corrupt memory...

Apache OpenOffice versions through 4.1.15 contain a missing authorization vulnerability where documents with floating frames linked to external files ...

This vulnerability allows attackers with valid read-only accounts to bypass access controls in Doris MCP Server, enabling unauthorized modifications t...

This vulnerability in Apache APISIX exposes basic authentication credentials (usernames and passwords) in plaintext within error logs when log levels ...

This CVE describes an OS command injection vulnerability in Apache Airflow's example_dag_decorator where unvalidated parameters could allow UI users t...

This vulnerability allows authenticated API users to execute arbitrary Dag code in the context of the api-server when deployed in environments where D...

This vulnerability allows authenticated users with CREATE privilege but no UPDATE privilege for Pools, Connections, and Variables to modify existing r...

A path traversal vulnerability in Apache Tomcat allows attackers to bypass security constraints protecting sensitive directories like /WEB-INF/ and /M...

Apache Geode's Management and Monitoring REST API is vulnerable to Cross-Site Request Forgery (CSRF) attacks via GET requests. An attacker who obtains...

This CVE describes an Inefficient Regular Expression Complexity (ReDoS) vulnerability in Apache Traffic Control's Traffic Router management interface....

Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0 use an insecure default cipher (AES/CTR/NoPadding) for RPC encryption when spark.network.crypto.e...

Apache Flink CDC 3.4.0 contains a SQL injection vulnerability that allows authenticated database users to execute arbitrary SQL commands by crafting m...

This vulnerability in Apache Kylin allows unauthorized external parties to access sensitive files or directories if administrative access controls are...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin that allows attackers to make unauthorized requests from the ser...

This CVE describes an authentication bypass vulnerability in Apache Kylin that allows attackers to access protected functionality without proper crede...

Apache Airflow 3.0.3 has a security flaw where users with READ permissions can view sensitive connection information through both API and UI interface...

This vulnerability allows authorized ZooKeeper clients to execute snapshot and restore commands without proper permission checks. It affects Apache Zo...

This vulnerability in Apache IoTDB is an uncontrolled resource consumption issue (CWE-400) that could allow attackers to cause denial of service. It a...

This CVE describes a denial-of-service vulnerability in Apache Fory caused by insecure deserialization of untrusted data. Remote attackers can send sp...

This vulnerability allows authenticated attackers to execute arbitrary code on Apache HertzBeat servers by injecting malicious XML into HTTP sitemap r...

An authenticated user in Apache DolphinScheduler can exploit improper input validation in alert script functionality to execute arbitrary shell comman...

This CVE describes a privilege escalation vulnerability in Apache Cassandra where a user with MODIFY permission on all keyspaces can gain superuser pr...

This vulnerability in Apache Log4cxx's JSONLayout allows attackers to inject non-printable characters into log messages, which aren't properly escaped...

This CVE describes an SQL injection vulnerability in Apache StreamPark's SpringBoot distribution package that allows authenticated attackers to execut...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the eventmesh-runtime module's WebhookUtil.java component. Attackers can expl...

This vulnerability in Apache Commons OGNL allows attackers to bypass security restrictions and potentially execute arbitrary code by exploiting incomp...

This vulnerability allows guest users in Apache Superset to access database schema information through the /chart/data endpoint. The API response impr...

This vulnerability allows attackers to bypass Apache Superset's DISALLOWED_SQL_FUNCTIONS security feature using a special inline block technique. User...

Apache Superset has an improper access control vulnerability where authenticated users can enumerate protected datasources they shouldn't access. By m...

This CVE describes a session fixation vulnerability in Apache Tomcat's rewrite valve that allows attackers to hijack user sessions. Attackers can fixa...