Apache Security Vulnerabilities (CVEs)
Track 573 security vulnerabilities affecting Apache products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
Mar 28, 2023: This vulnerability allows attackers to elevate their privileges in any Apache OpenMeetings room, potentially gaining administrative control. It affect...
Mar 28, 2023: This SQL injection vulnerability in Apache Fineract allows authorized users to manipulate SQL queries, potentially altering or adding data in certain ...
Mar 27, 2023: This vulnerability allows authenticated users of Apache InLong to execute arbitrary code through deserialization of untrusted data. It affects Apache ...
Mar 22, 2023: Apache Tomcat fails to set the 'secure' attribute on session cookies when using RemoteIpFilter with X-Forwarded-Proto headers from reverse proxies. Th...
Mar 20, 2023: CVE-2023-26513 is an excessive iteration vulnerability in Apache Sling Resource Merger that allows attackers to cause denial of service through resour...
Mar 7, 2023: This CVE describes an HTTP request smuggling vulnerability in Apache HTTP Server when mod_proxy is configured with certain RewriteRule or ProxyPassMat...
Feb 24, 2023: This CVE describes an improper input validation vulnerability in Apache Airflow's Google Provider that could allow attackers to inject malicious param...
Feb 24, 2023: CVE-2023-25693 is an improper input validation vulnerability in Apache Airflow's Sqoop Provider that allows attackers to execute arbitrary code b...
Feb 24, 2023: This vulnerability in Apache Airflow AWS Provider versions before 7.2.1 allows error messages to leak sensitive information. Attackers can exploit thi...
Feb 20, 2023: Apache Commons FileUpload before version 1.5 has a denial-of-service vulnerability where attackers can overwhelm systems by sending unlimited file upl...
Feb 20, 2023: An LDAP injection vulnerability in Apache Kerby's LdapIdentityBackend allows attackers to manipulate LDAP queries through user-controlled input. This ...
Feb 15, 2023: Apache ShenYu Admin allows low-privilege administrators to create users with higher privileges than their own due to improper privilege management. Th...
Feb 14, 2023: This critical vulnerability in Apache Sling JCR Base allows remote code execution through JNDI/RMI injection when running on older JDK versions. Attac...
Feb 10, 2023: This vulnerability allows XML External Entity (XXE) attacks in Apache NiFi's ExtractCCDAAttributes Processor. Attackers can exploit this to read arbit...
Feb 7, 2023: This vulnerability allows authenticated attackers to execute arbitrary code on Apache Kafka Connect servers by exploiting JNDI injection through SASL ...
Feb 1, 2023: This CVE describes an out-of-bounds read vulnerability in Apache InLong that could allow attackers to read sensitive information from memory. It affec...
Jul 28, 2022: This vulnerability in Apache Calcite Avatica JDBC driver allows attackers with JDBC connection parameter privileges to execute arbitrary code by loadi...
Jul 24, 2022: CVE-2022-24294 is a regular expression denial-of-service (ReDoS) vulnerability in Apache MXNet that allows attackers to cause excessive CPU consumptio...
Jul 18, 2022: Apache CloudStack versions 4.5.0 and later contain an XML external entity (XXE) injection vulnerability in the SAML 2.0 authentication plugin. This vu...
Jul 18, 2022: A denial-of-service vulnerability in Apache SkyWalking NodeJS Agent versions before 0.5.1 causes NodeJS services with this agent installed to become u...
Jul 16, 2022: This vulnerability in Apache Hive allows unauthorized users to manipulate existing User-Defined Functions (UDFs) without proper authorization checks. ...
Jul 13, 2022: Apache Tapestry versions up to 5.8.1 contain a Regular Expression Denial of Service (ReDoS) vulnerability in the ContentType class. Attackers could ca...
Jun 27, 2022: CVE-2022-26477 is a resource exhaustion vulnerability in Apache SystemDS where an attacker can manipulate serialization data to cause CPU exhaustion t...
Jun 15, 2022: This CVE allows a user who can escalate to the yarn user account in Apache Hadoop to execute arbitrary commands as the root user, leading to complete ...
Jun 14, 2022: Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to remote code execution when using JMS Source with JNDI LDAP data source URI. Attackers cont...
Jun 13, 2022: CVE-2021-37404 is a critical heap buffer overflow vulnerability in Apache Hadoop's libhdfs native code that allows attackers to cause denial of servic...
Jun 9, 2022: This HTTP request smuggling vulnerability in Apache HTTP Server's mod_proxy_ajp module allows attackers to bypass security controls and smuggle malici...
Jun 9, 2022: This vulnerability in Apache HTTP Server 2.4.53 and earlier could cause crashes or information disclosure due to a buffer overflow in the ap_strcmp_ma...
Jun 9, 2022: CVE-2022-30556 is a buffer overflow vulnerability in Apache HTTP Server's r:wsread() function that can cause memory corruption. It affects Apache HTTP...
Jun 9, 2022: This vulnerability in Apache HTTP Server allows attackers to bypass IP-based authentication by manipulating the Connection header to prevent X-Forward...
May 23, 2022: This vulnerability in Apache Maven's maven-shared-utils allows shell injection attacks when the Commandline class processes double-quoted strings with...
May 17, 2022: This vulnerability in Apache ShenYu allows attackers to cause resource exhaustion (denial of service) by injecting malicious regular expressions into ...
May 5, 2022: This vulnerability in Apache Jena's RDF/XML parser allows attackers to force the parser to retrieve external DTDs, potentially leading to XML External...
Apr 26, 2022: CVE-2022-23942 is a vulnerability in Apache Doris where hardcoded cryptographic keys and initialization vectors (IVs) were used for encrypting LDAP pa...
Apr 26, 2022: CVE-2022-24706 is a critical authentication bypass vulnerability in Apache CouchDB that allows unauthenticated attackers to gain admin privileges on i...
Apr 13, 2022: CVE-2022-27479 is a critical SQL injection vulnerability in Apache Superset that allows attackers to execute arbitrary SQL commands through chart data...
Apr 12, 2022: This CVE describes a use-after-free vulnerability in Subversion's mod_dav_svn module that can lead to memory corruption. When processing path-based au...
Apr 12, 2022: This vulnerability in Apache Struts allows remote code execution when developers use forced OGNL evaluation (%{...} syntax) on untrusted user input. A...
Apr 7, 2022: This vulnerability in Apache Hadoop allows attackers to write arbitrary files outside the intended extraction directory on Windows systems during TAR ...
Mar 30, 2022: Apache DolphinScheduler's user registration feature contains a Regular Expression Denial of Service (ReDoS) vulnerability that allows attackers to cau...
Mar 28, 2022: This vulnerability allows attackers to bypass JSON validation in Apache APISIX by submitting requests with duplicate keys in JSON payloads. The valida...
Mar 23, 2022: CVE-2021-44040 is an improper input validation vulnerability in Apache Traffic Server's request line parsing that allows attackers to send invalid req...
Mar 15, 2022: Apache CloudStack prior to 4.16.1.0 uses insecure random number generation for project invitation tokens, allowing attackers with knowledge of project...
Mar 14, 2022: CVE-2022-22719 is a memory corruption vulnerability in Apache HTTP Server where a specially crafted request body can cause the server to read from ran...
Mar 14, 2022: Apache HTTP Server versions 2.4.52 and earlier contain a vulnerability where the server fails to properly close inbound connections when encountering ...
Mar 14, 2022: CVE-2022-23943 is a critical heap memory corruption vulnerability in Apache HTTP Server's mod_sed module that allows attackers to write data beyond al...
Mar 10, 2022: This vulnerability in Apache Spark allows attackers to recover full encryption keys from RPC connections using a flawed mutual authentication protocol...
Feb 25, 2022: This vulnerability allows authenticated users of Apache Airflow's web UI to execute arbitrary operating system commands through improperly sanitized p...
Feb 11, 2022: CVE-2022-24112 is a critical authentication bypass vulnerability in Apache APISIX's batch-requests plugin that allows attackers to bypass IP restricti...
Feb 11, 2022: This vulnerability allows authenticated attackers with permissions to create user-defined functions in Apache Cassandra to execute arbitrary code on t...
Why Monitor Apache Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 573+ known vulnerabilities affecting Apache products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Apache packages in under 60 seconds. No agents required - completely agentless scanning that works across Apache deployments.
Free vulnerability database: Access detailed information about every Apache CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.
🚀 Get Started in 60 Seconds
- Register free account & add your servers
- Run one-time scan or schedule automatic monitoring (every 1-24 hours)
- Receive instant alerts when new Apache CVEs affect your systems
- Access dashboard with severity breakdown & fix instructions