Apache Security Vulnerabilities (CVEs)

Track 563 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

Severity breakdown (CVSS): 200 Critical, 265 High, 95 Medium, 3 Low
CVE-2025-29868 6.5

This vulnerability in Apache Answer allows external image providers to obtain the IP addresses of users who view their images. It affects all Apache A...

Apr 1, 2025
CVE-2025-30067 7.2

This CVE describes a code injection vulnerability in Apache Kylin where attackers with admin access can modify JDBC connection configurations to execu...

Mar 27, 2025
CVE-2024-53679 5.4

This is a stored cross-site scripting (XSS) vulnerability in Apache VCL's User Lookup form that allows authenticated users with sufficient privileges ...

Mar 25, 2025
CVE-2024-53678 8.8

This SQL injection vulnerability in Apache VCL allows authenticated users to manipulate form data when requesting block allocations, potentially modif...

Mar 25, 2025
CVE-2025-30474 5.0

Apache Commons VFS versions before 2.10.0 can leak FTP passwords in error messages when file operations fail. This occurs because the FtpFileObject cl...

Mar 23, 2025
CVE-2025-27553 7.5

This CVE describes a path traversal vulnerability in Apache Commons VFS where encoded '..' sequences (%2E%2E) bypass the NameScope.DESCENDENT validati...

Mar 23, 2025
CVE-2024-54016 4.3

Apache Seata (incubating) has a vulnerability where improper handling of highly compressed data can lead to data amplification attacks. This affects a...

Mar 20, 2025
CVE-2025-27867 5.6

This is a cross-site scripting (XSS) vulnerability in Apache Felix HTTP Webconsole Plugin that allows attackers to inject malicious scripts into web p...

Mar 12, 2025
CVE-2025-24813 9.8

This vulnerability in Apache Tomcat allows path traversal attacks via internal dot handling in filenames, potentially leading to remote code execution...

Mar 10, 2025
CVE-2024-56196 6.3

Apache Traffic Server versions 10.0.0 through 10.0.3 contain an improper access control vulnerability (CWE-284) that could allow unauthorized access t...

Mar 6, 2025
CVE-2024-38311 6.3

Apache Traffic Server has an improper input validation vulnerability that could allow attackers to cause denial of service or potentially execute arbi...

Mar 6, 2025
CVE-2024-55532 9.8

This vulnerability allows CSV formula injection in Apache Ranger's export feature, enabling attackers to execute arbitrary commands or exfiltrate data...

Mar 3, 2025
CVE-2024-56180 9.8

This vulnerability allows attackers to achieve remote code execution on Apache EventMesh servers by sending malicious messages that trigger unsafe des...

Feb 14, 2025
CVE-2024-52577 9.0

This vulnerability allows remote code execution on Apache Ignite servers by bypassing class serialization filters. Attackers can craft malicious messa...

Feb 14, 2025
CVE-2024-46910 7.1

An authenticated user in Apache Atlas can inject malicious scripts (XSS) that execute in other users' browsers, potentially allowing impersonation of ...

Feb 13, 2025
CVE-2024-32838 8.8

This SQL injection vulnerability in Apache Fineract allows authenticated attackers to inject malicious SQL queries through REST API endpoints like off...

Feb 12, 2025
CVE-2025-25247 6.1

This CVE describes a cross-site scripting (XSS) vulnerability in Apache Felix Webconsole that allows attackers to inject malicious scripts into web pa...

Feb 10, 2025
CVE-2025-25069 6.5

A Cross-Protocol Scripting vulnerability in Apache Kvrocks allows HTTP requests to be interpreted as valid RESP (Redis Serialization Protocol) command...

Feb 7, 2025
CVE-2022-31764 8.5

This vulnerability allows authenticated attackers to execute arbitrary code on Apache ShardingSphere ElasticJob-UI servers by exploiting a flaw in H2 ...

Feb 6, 2025
CVE-2024-45626 6.5

Apache James server versions below 3.7.6 and 3.8.2 have a vulnerability in their JMAP HTML-to-text conversion implementation that allows attackers to ...

Feb 6, 2025
CVE-2024-37358 8.6

Apache James email servers are vulnerable to denial of service attacks where attackers can abuse IMAP literals to cause unbounded memory allocation an...

Feb 6, 2025
CVE-2024-48019 5.4

This path traversal vulnerability in Apache Doris allows authenticated application administrators to read arbitrary files from the server filesystem. ...

Feb 4, 2025
CVE-2024-27137 5.3

This vulnerability allows a local attacker to perform a man-in-the-middle attack on Apache Cassandra's RMI registry, capturing JMX interface credentia...

Feb 4, 2025
CVE-2025-23015 8.8

This vulnerability allows users with MODIFY permission on all keyspaces in Apache Cassandra to escalate privileges to superuser by performing unsafe a...

Feb 4, 2025
CVE-2025-24783 7.5

This vulnerability allows attackers to guess continuation identifiers in Apache Cocoon due to insufficiently random seed values, potentially accessing...

Jan 27, 2025
CVE-2024-52012 5.4

This CVE describes a relative path traversal vulnerability (zipslip) in Apache Solr's configset upload API on Windows systems. Attackers can upload ma...

Jan 27, 2025
CVE-2024-45478 4.8

A stored cross-site scripting (XSS) vulnerability exists in the Edit Service Page of Apache Ranger's web interface. This allows attackers to inject ma...

Jan 21, 2025
CVE-2024-45479 9.1

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Edit Service Page of Apache Ranger UI. Attackers can exploit this to make...

Jan 21, 2025
CVE-2025-23195 7.5

An XML External Entity (XXE) vulnerability in Apache Ambari/Oozie allows attackers to inject malicious XML entities due to insecure parsing with Docum...

Jan 21, 2025
CVE-2025-23196 8.8

This CVE describes a code injection vulnerability in Apache Ambari's Alert Definition feature where authenticated users can inject arbitrary shell com...

Jan 21, 2025
CVE-2024-45627 5.9

This vulnerability in Apache Linkis allows authenticated attackers to read arbitrary files from the server by injecting malicious MySQL JDBC parameter...

Jan 14, 2025
CVE-2025-22828 4.3

Apache CloudStack versions from 4.16.0 have an access validation flaw that allows authenticated users with knowledge of resource UUIDs to read or add ...

Jan 13, 2025
CVE-2024-45033 8.1

This vulnerability allows users to maintain active sessions even after their passwords have been changed via CLI, potentially enabling unauthorized ac...

Jan 8, 2025
CVE-2024-54676 9.8

Apache OpenMeetings versions 2.1.0 through 7.x have insecure default clustering configurations that allow deserialization of untrusted data via OpenJP...

Jan 8, 2025
CVE-2024-56512 5.4

This vulnerability allows authenticated users with permission to create Process Groups in Apache NiFi to bypass authorization checks for Parameter Con...

Dec 28, 2024
CVE-2024-52046 9.8

This vulnerability in Apache MINA allows attackers to send malicious serialized data that can lead to remote code execution through insecure Java dese...

Dec 25, 2024
CVE-2024-43441 9.8

This vulnerability allows attackers to bypass authentication in Apache HugeGraph-Server by manipulating data assumed to be immutable. It affects all u...

Dec 24, 2024
CVE-2024-45387 9.9

An SQL injection vulnerability in Apache Traffic Control's Traffic Ops component allows authenticated users with specific privileged roles (admin, fed...

Dec 23, 2024
CVE-2024-23945 5.9

Apache Hive and Spark expose correct cookie signatures during signature mismatch errors, potentially allowing attackers to forge valid signed cookies....

Dec 23, 2024
CVE-2024-56337 9.8

A Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat allows attackers to bypass security checks and write malicious file...

Dec 20, 2024
CVE-2024-50379 9.8

A Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat's JSP compilation allows attackers to achieve Remote Code Execution...

Dec 17, 2024
CVE-2024-53677 9.8

This vulnerability in Apache Struts allows attackers to manipulate file upload parameters to perform path traversal attacks, potentially leading to re...

Dec 11, 2024
CVE-2024-53947 9.8

This SQL injection vulnerability in Apache Superset allows attackers to bypass SQL authorization by exploiting unvalidated PostgreSQL functions. Attac...

Dec 9, 2024
CVE-2024-53949 6.5

Apache Superset has an improper authorization vulnerability when FAB_ADD_SECURITY_API is enabled (disabled by default). This allows lower-privilege us...

Dec 9, 2024
CVE-2022-41137 8.3

This vulnerability in Apache Hive Metastore allows authenticated users to achieve remote code execution by exploiting unsafe deserialization in partit...

Dec 5, 2024
CVE-2024-45106 8.1

This vulnerability in Apache Ozone's S3 Gateway allows any authenticated Kerberos user to revoke and regenerate S3 secrets of any other user, potentia...

Dec 3, 2024
CVE-2024-52338 9.8

This vulnerability allows arbitrary code execution through deserialization of untrusted data in Apache Arrow R package's IPC and Parquet readers. It a...

Nov 28, 2024
CVE-2024-51569 7.5

This CVE describes an out-of-bounds read vulnerability in Apache NimBLE's Bluetooth stack. It allows reading beyond allocated memory boundaries when p...

Nov 26, 2024
CVE-2024-47249 5.0

Apache NimBLE versions through 1.7.0 have an improper array index validation vulnerability in HCI event handling that could allow memory corruption an...

Nov 26, 2024
CVE-2024-52067 4.9

Apache NiFi versions 1.16.0-1.28.0 and 2.0.0-M1-2.0.0-M4 have debug logging that can expose sensitive parameter values when enabled. Authorized admini...

Nov 21, 2024

Why Monitor Apache Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 563+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. No agents required - completely agentless scanning that works across Apache deployments.

Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Apache CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions