Apache Security Vulnerabilities (CVEs)

Track 569 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

202 Critical
269 High
95 Medium
3 Low
CVE-2024-23321 8.8

This vulnerability in Apache RocketMQ allows authenticated users or IP whitelisted actors to obtain administrator credentials through specific interfa...

Jul 22, 2024
CVE-2024-41107 8.1

CVE-2024-41107 is an authentication bypass vulnerability in Apache CloudStack's SAML authentication feature. When SAML authentication is enabled, atta...

Jul 19, 2024
CVE-2024-41172 7.5

This memory leak vulnerability in Apache CXF HTTP client conduit prevents proper garbage collection of HTTPClient instances, causing continuous memory...

Jul 19, 2024
CVE-2024-29736 9.1

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache CXF's WADL service description. It allows attackers to make unauthoriz...

Jul 19, 2024
CVE-2024-29178 8.8

This CVE describes a template injection vulnerability in Apache software versions before 2.1.4 that allows authenticated users to execute arbitrary co...

Jul 18, 2024
CVE-2024-40898 7.5

This vulnerability in Apache HTTP Server on Windows allows attackers to perform Server-Side Request Forgery (SSRF) attacks when mod_rewrite is configu...

Jul 18, 2024
CVE-2024-29120 5.9

This vulnerability in Streampark versions before 2.1.4 allows authenticated users to access other users' sensitive information, including administrato...

Jul 17, 2024
CVE-2024-31411 8.8

Authenticated users in Apache StreamPipes can upload dangerous file types like executables, potentially leading to remote code execution. This affects...

Jul 17, 2024
CVE-2024-29737 4.7

This vulnerability in Apache StreamPark allows authenticated users with system-level permissions to execute arbitrary commands through improper input ...

Jul 17, 2024
CVE-2024-39877 8.8

This vulnerability allows authenticated DAG authors in Apache Airflow to craft malicious doc_md parameters that can execute arbitrary code in the sche...

Jul 17, 2024
CVE-2024-39887 4.3

This SQL injection vulnerability in Apache Superset allows attackers to bypass SQL authorization by exploiting improperly sanitized PostgreSQL functio...

Jul 16, 2024
CVE-2023-52290 8.1

This SQL injection vulnerability in Apache StreamPark allows authenticated attackers to manipulate database queries through unvalidated sort parameter...

Jul 16, 2024
CVE-2023-41916 6.5

Apache Linkis versions up to 1.4.0 have a vulnerability where attackers with authorized accounts can configure malicious MySQL JDBC parameters to trig...

Jul 15, 2024
CVE-2023-46801 8.8

This vulnerability allows authenticated attackers to execute arbitrary code on Apache Linkis servers by exploiting Java deserialization when adding My...

Jul 15, 2024
CVE-2024-38346 9.8

This critical vulnerability in Apache CloudStack allows unauthenticated attackers to execute arbitrary commands on hypervisors and management servers ...

Jul 5, 2024
CVE-2024-34750 7.5

This vulnerability in Apache Tomcat allows attackers to cause uncontrolled resource consumption through HTTP/2 connections. By sending excessive HTTP ...

Jul 3, 2024
CVE-2024-39573 7.5

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server's mod_rewrite module. Attackers can exploit unsafe Rewrite...

Jul 1, 2024
CVE-2024-38473 8.1

This vulnerability in Apache HTTP Server's mod_proxy module allows attackers to send specially crafted requests with incorrect URL encoding to backend...

Jul 1, 2024
CVE-2024-38474 9.8

A substitution encoding vulnerability in Apache HTTP Server's mod_rewrite module allows attackers to bypass security restrictions and execute scripts ...

Jul 1, 2024
CVE-2024-38476 9.8

Apache HTTP Server 2.4.59 and earlier contain a vulnerability where malicious response headers from backend applications can lead to information discl...

Jul 1, 2024
CVE-2024-34693 6.8

This vulnerability allows authenticated attackers in Apache Superset to create MariaDB connections with local_infile enabled, potentially reading arbi...

Jun 20, 2024
CVE-2024-36265 9.8

This CVE describes an incorrect authorization vulnerability in Apache Submarine Server Core that allows unauthorized access to sensitive functionality...

Jun 12, 2024
CVE-2024-36263 8.1

This CVE describes an SQL injection vulnerability in Apache Submarine Server Core that allows attackers to execute arbitrary SQL commands. All version...

Jun 12, 2024
CVE-2024-36264 9.8

This CVE describes an improper authentication vulnerability in Apache Submarine Commons Utils where a default hardcoded secret is used if users don't ...

Jun 12, 2024
CVE-2024-36471 7.5

This CVE describes a DNS rebinding vulnerability in Apache Allura's import functionality. Attackers can trick project administrators into importing ma...

Jun 10, 2024
CVE-2024-36104 9.1

This path traversal vulnerability in Apache OFBiz allows attackers to access files outside the intended directory. It affects all Apache OFBiz install...

Jun 4, 2024
CVE-2024-32077 5.4

CVE-2024-32077 is a cross-site scripting (XSS) vulnerability in Apache Airflow 2.9.0 that allows authenticated attackers to inject malicious scripts i...

May 14, 2024
CVE-2024-32113 9.8

This path traversal vulnerability in Apache OFBiz allows attackers to access files outside the intended directory by manipulating file paths. It affec...

May 8, 2024
CVE-2024-26579 9.8

This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to bypass security controls using malicious parameters. Atta...

May 8, 2024
CVE-2023-35701 6.6

This CVE describes a code injection vulnerability in Apache Hive's JDBC driver that allows arbitrary code execution on client systems. Attackers can e...

May 3, 2024
CVE-2024-32638 6.3

This CVE describes an HTTP request smuggling vulnerability in Apache APISIX when using the forward-auth plugin. Attackers can exploit inconsistent HTT...

May 2, 2024
CVE-2024-32114 8.5

Apache ActiveMQ 6.x has a default configuration vulnerability that leaves the API web context unsecured, allowing unauthenticated access to Jolokia JM...

May 2, 2024
CVE-2024-27348 9.8

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on Apache HugeGraph-Server instances. It affects all Apache H...

Apr 22, 2024
CVE-2024-27309 7.4

During Apache Kafka migration from ZooKeeper to KRaft mode, ACL enforcement can fail when removing an ACL from a resource with multiple ACLs, causing ...

Apr 12, 2024
CVE-2024-31864 9.8

CVE-2024-31864 is a code injection vulnerability in Apache Zeppelin that allows attackers to execute arbitrary code when connecting to MySQL data...

Apr 9, 2024
CVE-2024-31866 9.8

This vulnerability in Apache Zeppelin allows attackers to execute arbitrary shell scripts or malicious code by manipulating configuration variables li...

Apr 9, 2024
CVE-2023-38709 7.3

CVE-2023-38709 is an input validation vulnerability in Apache HTTP Server that allows malicious backend applications or content generators to split HT...

Apr 4, 2024
CVE-2024-27316 7.5

This vulnerability in nghttp2's HTTP/2 implementation allows memory exhaustion attacks when clients send excessive headers. Attackers can cause denial...

Apr 4, 2024
CVE-2024-29006 9.8

This vulnerability allows attackers to spoof their IP address using the x-forwarded-for HTTP header, potentially bypassing authentication in CloudStac...

Apr 4, 2024
CVE-2024-27438 9.8

This vulnerability in Apache Doris allows authenticated users with JDBC catalog creation privileges to upload and execute arbitrary Java code via mali...

Mar 21, 2024
CVE-2024-29131 7.3

This CVE describes an out-of-bounds write vulnerability in Apache Commons Configuration that could allow attackers to write data beyond allocated memo...

Mar 21, 2024
CVE-2024-28752 9.3

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache CXF's Aegis DataBinding component. It allows attackers to make unautho...

Mar 15, 2024
CVE-2024-28746 8.1

This vulnerability in Apache Airflow allows authenticated users with limited permissions to access sensitive resources like variables and connections ...

Mar 14, 2024
CVE-2024-24549 7.5

This vulnerability in Apache Tomcat allows denial-of-service attacks via HTTP/2 requests. Attackers can send specially crafted HTTP/2 requests that ex...

Mar 13, 2024
CVE-2022-34321 8.2

Apache Pulsar Proxy has an improper authentication vulnerability that allows unauthenticated access to the /proxy-stats endpoint. This exposes connect...

Mar 12, 2024
CVE-2024-27317 8.4

This CVE describes a directory traversal vulnerability in Apache Pulsar Functions Worker where authenticated users can upload malicious JAR/NAR files ...

Mar 12, 2024
CVE-2024-26580 9.1

This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to read arbitrary files from the server. The vulnerability a...

Mar 6, 2024
CVE-2024-27139 7.5

This vulnerability in Apache Archiva allows unauthenticated attackers to modify user account data, potentially leading to account takeover. It affects...

Mar 1, 2024
CVE-2024-25065 9.1

CVE-2024-25065 is a path traversal vulnerability in Apache OFBiz that allows attackers to bypass authentication mechanisms by manipulating file paths....

Feb 29, 2024
CVE-2024-23807 9.8

This CVE describes a use-after-free vulnerability in Apache Xerces C++ XML parser versions 3.0.0 through 3.2.4. When processing external DTDs, the par...

Feb 29, 2024

Why Monitor Apache Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 569+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. The scanning is completely agentless and works across Apache deployments.

Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Apache CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions