Apache Security Vulnerabilities (CVEs)

Track 569 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

202 Critical
269 High
95 Medium
3 Low
CVE-2024-27905 9.1

This vulnerability in Apache Aurora, a project that has been retired to the Apache Attic and so will not receive a fixed release, allows unauthenticated attackers to exploit an information disclosure endpoint as a padding oracle to forge valid ...

Feb 27, 2024
CVE-2023-51747 7.1

This SMTP smuggling vulnerability in Apache James allows attackers to manipulate email line delimiters to forge SMTP envelopes, potentially bypassing ...

Feb 27, 2024
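The delimiter confusion behind the James entry above, shown as an added example that is not part of this page or of Apache James: a minimal parser for the SMTP DATA phase, run once with the lenient end-of-data rule that smuggling relies on and once with the strict RFC 5321 rule (`<CRLF>.<CRLF>` only). The client traffic it parses is constructed for the demonstration; the "leftover" it returns is what a receiving server would go on to interpret as new SMTP commands.

```python
import re
from typing import Optional, Tuple

# RFC 5321: the only end-of-data sequence is <CRLF>.<CRLF>.
STRICT_EOD = b"\r\n.\r\n"
# What a lenient receiver accepts: a lone dot framed by any newline convention.
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def unstuff(body: bytes) -> bytes:
    """Undo dot-stuffing: clients prefix body lines that start with '.' by one extra dot."""
    return b"\r\n".join(
        line[1:] if line.startswith(b"..") else line
        for line in body.split(b"\r\n")
    )


def parse_data_phase(stream: bytes, lenient: bool) -> Optional[Tuple[bytes, bytes]]:
    """Split the bytes a client sends after the 354 reply to DATA into
    (message body, leftover). The leftover is whatever the receiving server
    would parse next as fresh SMTP commands, which is exactly the position an
    SMTP-smuggling attacker wants to control. Returns None without a terminator."""
    # A body may be empty, so prepend a CRLF so that '.<CRLF>' at offset 0 matches.
    buf = b"\r\n" + stream
    if lenient:
        m = LENIENT_EOD.search(buf)
        if m is None:
            return None
        return unstuff(buf[2:m.start()]), buf[m.end():]
    i = buf.find(STRICT_EOD)
    if i < 0:
        return None
    return unstuff(buf[2:i]), buf[i + len(STRICT_EOD):]


# Constructed traffic (not a real capture): a legitimate message, a non-standard
# '<LF>.<CRLF>' sequence that the sender's outbound server let through unchanged,
# then the envelope and message the attacker hopes the receiver will accept.
SMUGGLED_STREAM = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: hi\r\n\r\n"
    b"hello bob\r\n"
    b"\n.\r\n"
    b"MAIL FROM:<ceo@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.test\r\nSubject: urgent transfer\r\n\r\nspoofed\r\n"
    b"\r\n.\r\n"
)


if __name__ == "__main__":
    for lenient in (True, False):
        body, leftover = parse_data_phase(SMUGGLED_STREAM, lenient=lenient)
        print("lenient" if lenient else "strict ", "-> next commands:", leftover[:40])
```

With the lenient rule the receiver ends the first message at the bare-LF dot and then executes the attacker's `MAIL FROM` as a new envelope; with the strict rule the same bytes stay inside the first message body. The receiving side is only half of the fix: an outbound relay should also refuse or normalise bare `LF`/`CR` line endings instead of forwarding them.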
CVE-2023-50379 8.8

This vulnerability allows a cluster operator with existing access to inject malicious code into Apache Ambari requests, potentially gaining root privi...

Feb 27, 2024
CVE-2023-51518 9.8

Apache James email servers prior to versions 3.7.5 and 3.8.1 have a pre-authentication deserialization vulnerability in their JMX endpoint, which is exposed on localhost. Attackers ...

Feb 27, 2024
CVE-2023-51388 9.8

This vulnerability allows remote code execution in Hertzbeat monitoring systems through AviatorScript injection. Attackers can execute arbitrary stati...

Feb 22, 2024
CVE-2023-51653 9.8

This vulnerability in Hertzbeat allows remote code execution via JNDI injection in the JMX connector implementation. Attackers can exploit the /api/mo...

Feb 22, 2024
CVE-2024-22393 9.1

This vulnerability in Apache Answer allows authenticated users to upload specially crafted (pixel-flood) image files that are small on the wire but consume excessive server memory when decoded, potentially causing denial of service....

Feb 22, 2024
CVE-2024-25141 9.1

This vulnerability in the Apache Airflow MongoDB provider's hook leaves SSL/TLS certificate validation disabled by default when SSL is enabled (the default connection options included allow_insecure), enabling man-...

Feb 20, 2024
CVE-2023-51770 7.5

CVE-2023-51770 is an arbitrary file read vulnerability in Apache DolphinScheduler that allows attackers to read sensitive files from the server filesy...

Feb 20, 2024
CVE-2023-49109 9.8

This vulnerability allows remote attackers to execute arbitrary code on Apache DolphinScheduler servers due to improper input validation (CWE-94). It ...

Feb 20, 2024
CVE-2023-50291 7.5

Apache Solr leaks sensitive system properties like 'basicauth' and 'aws.secretKey' through the /admin/info/properties endpoint because the redaction l...

Feb 9, 2024
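An added illustration of the redaction flaw in the Solr entry above (example code, not Solr's): per the upstream advisory, the endpoint hid only properties whose name contained "password", so secrets passed under other names were published verbatim. The property names and values below are constructed placeholders, and the broader name pattern is this example's assumption, modelled on the kind of configurable name-pattern redaction the fixed releases (8.11.3, 9.3.0) introduced rather than Solr's actual default.

```python
import re
from typing import Callable, Dict, List

REDACTED = "--REDACTED--"

# Constructed sample of JVM system properties a Solr node might be started with.
# Values are placeholders, not real credentials.
SYSTEM_PROPERTIES: Dict[str, str] = {
    "solr.jetty.https.port": "8983",
    "solr.log.dir": "/var/solr/logs",
    "javax.net.ssl.keyStorePassword": "keystore-pw-PLACEHOLDER",
    "zkDigestPassword": "zk-pw-PLACEHOLDER",
    "basicauth": "solr:admin-pw-PLACEHOLDER",
    "aws.secretKey": "aws-secret-PLACEHOLDER",
}

# Ground truth for the demonstration: which of the constructed names carry secrets.
SECRET_NAMES = {
    "javax.net.ssl.keyStorePassword", "zkDigestPassword", "basicauth", "aws.secretKey",
}

Redactor = Callable[[Dict[str, str]], Dict[str, str]]


def redact_password_substring(props: Dict[str, str]) -> Dict[str, str]:
    """The weak rule: hide a value only if 'password' appears in the property name.
    Anything a deployer passes under another name is published as-is."""
    return {k: (REDACTED if "password" in k.lower() else v) for k, v in props.items()}


# Assumed pattern for the hardened rule: the vocabulary credentials tend to be
# named with, matched case-insensitively anywhere in the name.
SENSITIVE_NAME = re.compile(
    r"password|passwd|secret|credential|token|basicauth|accesskey", re.IGNORECASE
)


def redact_by_pattern(props: Dict[str, str], pattern: re.Pattern = SENSITIVE_NAME) -> Dict[str, str]:
    """Hardened rule: redact when any sensitive word appears in the name. Over-matching
    costs a value on a diagnostics page; under-matching costs a credential."""
    return {k: (REDACTED if pattern.search(k) else v) for k, v in props.items()}


def leaked_secrets(redactor: Redactor, props: Dict[str, str] = SYSTEM_PROPERTIES) -> List[str]:
    """Names from SECRET_NAMES whose value a caller of the info endpoint would still see."""
    visible = redactor(props)
    return sorted(n for n in SECRET_NAMES if n in visible and visible[n] != REDACTED)


if __name__ == "__main__":
    print("password-substring rule leaks:", leaked_secrets(redact_password_substring))
    print("pattern rule leaks:           ", leaked_secrets(redact_by_pattern))
```

Even the pattern rule is a denylist: a property named `s3.access` or a bare `apikey` would still pass. A practitioner reviewing an info or metrics endpoint should treat any unauthenticated dump of process configuration as a leak and restrict the endpoint itself, not only its redaction list.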
CVE-2023-50298 7.5

This vulnerability in Apache Solr allows attackers to steal ZooKeeper credentials and ACLs by tricking Solr into sending them to a malicious server. A...

Feb 9, 2024
CVE-2023-51437 7.4

This vulnerability allows attackers to forge SASL Role Tokens that pass signature verification due to timing discrepancies in Apache Pulsar's authenti...

Feb 7, 2024
CVE-2023-44313 7.6

This Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center allows attackers to send specially crafted requests that tr...

Jan 31, 2024
CVE-2023-29055 7.5

Apache Kylin versions 2.0.0 to 4.0.3 display the contents of kylin.properties, which can hold server-side credentials, in the Server Config web interface; when Kylin is served over plain HTTP rather than HTTPS, anyone able to sniff the traffic can read them. ...

Jan 29, 2024
CVE-2023-49657 9.6

This stored cross-site scripting (XSS) vulnerability in Apache Superset allows authenticated attackers with create/update permissions to inject malici...

Jan 23, 2024
CVE-2023-46226 9.8

CVE-2023-46226 is a critical remote code execution vulnerability in Apache IoTDB that allows attackers to execute arbitrary code on affected systems. ...

Jan 15, 2024
CVE-2023-51441 7.2

Apache Axis 1 is end-of-life; upstream recommends migrating to another SOAP engine such as Apache Axis2, or building Axis 1 with the fix patched in. This vulnerability in Apache Axis 1 (through 1.3) allows authenticated users with admin service access to perform Server-Side Request Forgery (SSRF) attacks due to ...

Jan 6, 2024
CVE-2023-51784 9.8

This CVE describes a code injection vulnerability in Apache InLong that allows attackers to execute arbitrary code remotely. It affects Apache InLong ...

Jan 3, 2024
CVE-2023-49299 8.8

This vulnerability allows authenticated users in Apache DolphinScheduler to execute arbitrary JavaScript code on the server without sandbox restrictio...

Dec 30, 2023
CVE-2023-47804 8.8

Apache OpenOffice documents can contain malicious links that execute internal macros with arbitrary arguments without user approval. This allows arbit...

Dec 29, 2023
CVE-2023-51467 9.8

CVE-2023-51467 is an authentication bypass in Apache OFBiz that defeats the fix for CVE-2023-49070 and has been exploited in the wild; it is fixed in 18.12.11. It allows attackers to circumvent authentication mechanisms and remotely ex...

Dec 26, 2023
CVE-2023-50968 7.5

This vulnerability in Apache OFBiz allows unauthenticated attackers to read arbitrary file properties via unauthorized URI calls, potentially exposing...

Dec 26, 2023
CVE-2023-51650 7.5

Hertzbeat versions before 1.4.1 have Spring Boot permission misconfigurations that allow unauthenticated access to three interfaces. This vulnerabilit...

Dec 22, 2023
CVE-2023-51656 9.8

This CVE describes a deserialization vulnerability in Apache IoTDB that allows attackers to execute arbitrary code by sending malicious serialized dat...

Dec 21, 2023
CVE-2023-43826 7.5

Apache Guacamole contains an integer overflow in its handling of data from a malicious VNC server, potentially leading to memory corruption and...

Dec 19, 2023
CVE-2023-49734 7.7

This vulnerability allows authenticated Gamma users in Apache Superset to gain unauthorized write permissions to charts they create on dashboards. The...

Dec 19, 2023
CVE-2023-49898 7.2

This vulnerability in Apache StreamPark allows authenticated users with system-level permissions to execute arbitrary commands through Maven compilati...

Dec 15, 2023
CVE-2023-29234 9.8

This CVE describes a deserialization vulnerability in Apache Dubbo that allows remote code execution when processing malicious packages. Attackers can...

Dec 15, 2023
CVE-2023-50164 9.8

This vulnerability in Apache Struts (fixed in 2.5.33 and 6.3.0.2) allows attackers to manipulate file upload parameters to perform path traversal attacks, potentially leading to re...

Dec 7, 2023
CVE-2023-49070 9.8

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on Apache OFBiz servers by exploiting a deprecated XML-RPC compon...

Dec 5, 2023
CVE-2023-49735 7.5

This vulnerability in Apache Tiles allows attackers to perform path traversal attacks when user-controlled data is passed to the DefaultLocaleResolver...

Nov 30, 2023
CVE-2023-49733 9.8

This CVE describes an XXE (XML External Entity) vulnerability in Apache Cocoon that allows attackers to read arbitrary files from the server or perfor...

Nov 30, 2023
CVE-2022-45135 9.8

This SQL injection vulnerability in Apache Cocoon allows attackers to execute arbitrary SQL commands on affected systems. It affects Apache Cocoon ver...

Nov 30, 2023
CVE-2022-41678 8.8

This vulnerability allows authenticated users on Jolokia endpoints in Apache ActiveMQ to execute arbitrary code through JMX MBean operations. Attacker...

Nov 28, 2023
CVE-2023-49145 7.9

This DOM-based cross-site scripting vulnerability in Apache NiFi's JoltTransformJSON Processor allows authenticated users with configuration privilege...

Nov 27, 2023
CVE-2023-49068 7.5

Apache DolphinScheduler versions before 3.2.1 expose sensitive information to unauthorized actors through improper log handling. This vulnerability al...

Nov 27, 2023
CVE-2023-37924 9.8

CVE-2023-37924 is an SQL injection vulnerability in Apache Submarine's login functionality that allows attackers to bypass authentication and gain una...

Nov 22, 2023
CVE-2022-46337 9.8

CVE-2022-46337 is an LDAP authentication bypass vulnerability in Apache Derby database systems. Attackers can use specially crafted usernames to bypas...

Nov 20, 2023
CVE-2023-26031 7.5

This vulnerability allows local users to escalate privileges to root by exploiting relative library resolution in Apache Hadoop's container-executor b...

Nov 16, 2023
CVE-2023-47248 9.8

This vulnerability allows arbitrary code execution when PyArrow (0.14.0 through 14.0.0; fixed in 14.0.1) processes untrusted Arrow IPC, Feather, or Parquet files. Applications that read these...

Nov 9, 2023
CVE-2023-39913 8.8

This vulnerability in Apache UIMA Java SDK allows arbitrary code execution through deserialization of untrusted data. Attackers can exploit it by send...

Nov 8, 2023
CVE-2023-46215 7.5

Apache Airflow 1.10.0 through 2.6.3 and the Apache Airflow Celery provider 3.3.0 through 3.4.0 log sensitive information in clear text when using the rediss, amqp, or rpc p...

Oct 28, 2023
CVE-2023-46604 10.0

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ's Java OpenWire protocol marshaller, exploited in the wild shortly after disclosure and fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3. It allows remote attackers wi...

Oct 27, 2023
CVE-2023-31122 7.5

An out-of-bounds read vulnerability in the mod_macro module of Apache HTTP Server allows memory beyond allocated buffers to be read while macro definitions in the server configuration are processed, so it is reachable only by whoever controls that configuration. This affec...

Oct 23, 2023
CVE-2023-46227 7.5

This vulnerability allows attackers to bypass security controls in Apache InLong by using tab characters to exploit a deserialization flaw. It affects...

Oct 19, 2023
CVE-2023-41752 7.5

Apache Traffic Server versions 8.0.0-8.1.8 and 9.0.0-9.2.2 expose sensitive information to unauthorized actors. This CWE-200 vulnerability allows atta...

Oct 17, 2023
CVE-2023-43667 7.5

This CVE describes a log injection vulnerability in Apache InLong that allows attackers to inject malicious content into log files. This affects Apach...

Oct 16, 2023
CVE-2023-43668 9.8

CVE-2023-43668 is an authorization bypass vulnerability in Apache InLong that allows attackers to manipulate user-controlled parameters to bypass secu...

Oct 16, 2023
CVE-2023-44981 9.1

This CVE describes an authorization bypass vulnerability in Apache ZooKeeper when SASL Quorum Peer authentication is enabled. An attacker can join the...

Oct 11, 2023
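To turn entries like the ones above into a check against a deployed version, here is an added example (not FixTheCVE's code and not any Apache project's) that encodes the affected ranges this list states for Traffic Server, Kylin, Hertzbeat, DolphinScheduler (CVE-2023-49068) and Airflow with its Celery provider, and matches a version string against them. The product keys, the range representation and the version parser are this example's own conventions, and the inventory it scans is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (extra trailing components allowed). Suffixes such
    as '-incubating' or '+build.7' are dropped, so a pre-release is treated as the
    release it precedes; missing components count as 0."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str          # key used by this example, not a package name
    low: str              # first affected version, inclusive
    high: str             # last affected version (inclusive) or first fixed (exclusive)
    high_inclusive: bool

    def contains(self, v: Version) -> bool:
        lo, hi = parse_version(self.low), parse_version(self.high)
        return lo <= v and (v <= hi if self.high_inclusive else v < hi)


# Ranges exactly as stated in the entries above; "before X" becomes an exclusive bound.
RANGES: List[AffectedRange] = [
    AffectedRange("CVE-2023-41752", "apache-traffic-server", "8.0.0", "8.1.8", True),
    AffectedRange("CVE-2023-41752", "apache-traffic-server", "9.0.0", "9.2.2", True),
    AffectedRange("CVE-2023-29055", "apache-kylin", "2.0.0", "4.0.3", True),
    AffectedRange("CVE-2023-51650", "hertzbeat", "0.0.0", "1.4.1", False),
    AffectedRange("CVE-2023-49068", "apache-dolphinscheduler", "0.0.0", "3.2.1", False),
    AffectedRange("CVE-2023-46215", "apache-airflow", "1.10.0", "2.6.3", True),
    AffectedRange("CVE-2023-46215", "apache-airflow-providers-celery", "3.3.0", "3.4.0", True),
]


def affected_cves(product: str, version: str, ranges: List[AffectedRange] = RANGES) -> List[str]:
    """CVE ids from `ranges` whose product matches and whose range contains `version`."""
    v = parse_version(version)
    return sorted({r.cve for r in ranges if r.product == product and r.contains(v)})


def scan(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each product in a {product: version} inventory to its matching CVE ids."""
    return {product: affected_cves(product, version) for product, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; not real hosts.
    inventory = {
        "apache-traffic-server": "9.2.2",
        "apache-kylin": "4.0.4",
        "hertzbeat": "1.4.0",
        "apache-airflow": "2.6.3",
    }
    for product, cves in scan(inventory).items():
        print(f"{product:32} {inventory[product]:10} {cves or 'no match in list'}")
```

Two caveats when using anything like this in earnest: a version that does not match a stated range is not "clean", only "not listed here" (the page shows a subset of the entries it tracks, and several entries above truncate before naming versions), and the parser's treatment of pre-release suffixes is deliberately conservative, flagging `9.2.3-rc1` as the fixed 9.2.3.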

Why Monitor Apache Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors the 569 known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE scans your servers and detects vulnerable Apache packages in under 60 seconds, with no agent to install on the scanned hosts.

Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Apache CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions