Vulnerabilities in Apache Software Foundation
1,872 results

CVE ID | Severity | Summary | EPSS
CVE-2021-41524 | — | null pointer dereference in h2 fuzzing | EPSS 25.0%
CVE-2020-17527 | — | Apache Tomcat: Request header mix-up between HTTP/2 streams | EPSS 24.6%
CVE-2020-11989 | — | Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication | EPSS 24.4%
CVE-2024-37389 | MEDIUM | Apache NiFi: Improper Neutralization of Input in Parameter Context Description | EPSS 24.0%
CVE-2024-52046 | CRITICAL | Apache MINA: MINA applications using unbounded deserialization may allow RCE | EPSS 23.9%
CVE-2020-17526 | — | Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on si | EPSS 23.3%
CVE-2017-15709 | — | When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel v | EPSS 23.3%
CVE-2025-57738 | HIGH | Apache Syncope: Remote Code Execution by delegated administrators | EPSS 23.1%
CVE-2024-24549 | HIGH | Apache Tomcat: HTTP/2 header handling DoS | EPSS 23.1%
CVE-2026-45434 | CRITICAL | Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE | EPSS 22.9%
CVE-2021-24122 | — | Apache Tomcat information disclosure | EPSS 22.9%
CVE-2020-13936 | — | Velocity Sandbox Bypass | EPSS 22.7%
CVE-2021-26919 | — | Apache Druid: Authenticated users can execute arbitrary code from malicious MySQL database systems. | EPSS 22.6%
CVE-2025-68493 | HIGH | Apache Struts: XXE vulnerability in outdated XWork component | EPSS 22.5%
CVE-2018-8014 | — | The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.8 | EPSS 22.0%
CVE-2018-8034 | HIGH | The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tom | EPSS 21.3%
CVE-2017-5641 | — | Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by | EPSS 21.3%
CVE-2016-2161 | — | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continue | EPSS 21.0%
CVE-2018-1308 | — | This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inl | EPSS 20.9%
CVE-2022-22733 | — | Access-Token in ElasticJob UI causes password disclosure | EPSS 20.9%