Apache Security Vulnerabilities (CVEs)

This CVE describes an Improper Resource Shutdown or Release vulnerability in Apache Tomcat that enables a 'made you reset' attack. Attackers can explo...

This CVE describes a missing origin validation vulnerability in Apache Zeppelin's WebSocket implementation. Attackers can bypass same-origin policy re...

Apache Zeppelin versions before 0.12.0 have an incomplete blacklist that fails to properly sanitize user input, allowing attackers to inject malicious...

This vulnerability allows attackers to bypass JDBC URL validation in Apache Zeppelin by using URL-encoded input, potentially enabling unauthorized dat...

CVE-2025-24853 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki that allows attackers to inject malicious JavaScript via wiki markup sy...

A bug in Apache HTTP Server 2.4.64 causes all RewriteCond expression tests to evaluate as true, potentially allowing attackers to bypass URL rewrite r...

This vulnerability allows administrators in Apache Jena Fuseki to create database files outside the designated files area, potentially enabling path t...

This vulnerability allows an attacker to cause a denial-of-service (DoS) condition in Apache Tomcat by exploiting an HTTP/2 protocol flaw. An uncooper...

A race condition vulnerability in Apache Tomcat's APR/Native connector when handling HTTP/2 connection closures can lead to crashes or denial of servi...

An integer overflow vulnerability in Apache Tomcat's multipart upload handling allows attackers to bypass configured size limits, potentially causing ...

This vulnerability allows untrusted clients to trigger a denial of service attack against Apache HTTP Server by causing an assertion failure in the mo...

This vulnerability in Apache HTTP Server involves improper memory management where memory is released later than intended after its effective lifetime...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows that allows attackers to leak NTLM hashes to ma...

This HTTP response splitting vulnerability in Apache HTTP Server allows attackers to manipulate Content-Type headers to split HTTP responses, potentia...

This vulnerability allows a local attacker to exploit incorrect file permissions in Apache APISIX's Java plugin runner to elevate privileges. It affec...

This vulnerability in Apache Guacamole allows authenticated attackers with access to text-based connections (like SSH) to execute arbitrary code on th...

Unauthorized attackers can exploit Apache SeaTunnel's REST API to read arbitrary files and perform deserialization attacks by submitting malicious job...

Apache Traffic Server versions 9.0.0-9.2.10 and 10.0.0-10.0.6 have an ACL bypass vulnerability when using PROXY protocol. The access control lists in ...

This CVE describes an allocation of resources without limits or throttling vulnerability in Apache Tomcat. Attackers can exploit this to cause denial ...

This CVE describes an authentication bypass vulnerability in Apache Tomcat where PreResources or PostResources mounted at non-root paths can be access...

This vulnerability allows malicious Domain Admins or Resource Admins in Apache CloudStack to bypass domain isolation by exploiting flawed access contr...

A privilege escalation vulnerability in Apache CloudStack allows malicious Domain Admin users in the ROOT domain to reset passwords of Admin role acco...

This vulnerability in Apache CloudStack allows project members with access to CKS-based Kubernetes clusters to steal the API and secret keys of the cl...

This CVE describes a Java deserialization vulnerability in Apache Kafka Connect that allows authenticated operators with configuration privileges to e...

This vulnerability allows attackers to bypass Basic Authentication in Pekko Management when configured via Java DSL, potentially exposing management A...

This vulnerability in Apache Tomcat's CGI servlet allows attackers to bypass security constraints by exploiting improper case sensitivity handling in ...

This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to bypass security controls through JDBC URL encoding and ba...

Apache IoTDB's OpenIdAuthorizer component logs sensitive authentication information, potentially exposing credentials or tokens to unauthorized actors...

This vulnerability allows authenticated users with read-only permissions in Apache Superset to take ownership of dashboards, charts, or datasets. This...

This vulnerability in Apache ActiveMQ allows attackers to cause denial of service by sending specially crafted OpenWire commands that trigger excessiv...

This vulnerability in Apache Parquet's parquet-avro module allows attackers to execute arbitrary code by exploiting schema parsing when reading malici...

An improper input validation vulnerability in Apache Kvrocks allows attackers to crash the server by sending a negative offset value to the SETRANGE c...

Apache Roller versions up to 6.1.4 have a session management vulnerability where active user sessions remain valid after password changes. This allows...

Apache ActiveMQ Artemis versions 1.5.1 through 2.39.0 log sensitive broker configuration properties when debug logging is enabled. This exposes creden...

This vulnerability allows attackers to create malicious OOXML files (like Excel, Word, or PowerPoint documents) with duplicate zip entries that can ca...

This SQL injection vulnerability in Apache Airflow Common SQL Provider allows authenticated UI users to inject arbitrary SQL commands via the partitio...

Apache Traffic Server is vulnerable to HTTP request smuggling when processing malformed chunked messages. This allows attackers to bypass security con...