Vulnerabilities in Apache Software Foundation

1,872 results
| CVE | Severity | Description | EPSS |
| --- | --- | --- | --- |
| CVE-2022-40127 | HIGH | Apache Airflow <2.4.0 has an RCE in a bash example | 85.7% |
| CVE-2022-27166 |  | XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2 | 85.3% |
| CVE-2022-28730 |  | Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp | 85.3% |
| CVE-2021-31805 |  | Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. | 85.1% |
| CVE-2022-24697 | CRITICAL | Apache Kylin prior to 4.0.2 allows command injection when the configuration overwrites function overwrites system parameters | 84.8% |
| CVE-2021-38294 |  | Shell Command Injection Vulnerability in Nimbus Thrift Server | 84.5% |
| CVE-2023-50386 | HIGH | Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets | 83.8% |
| CVE-2023-25690 | CRITICAL | Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy | 83.8% |
| CVE-2023-39265 | LOW | Apache Superset: Possible Unauthorized Registration of SQLite Database Connections | 83.7% |
| CVE-2021-44224 |  | Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier | 82.3% |
| CVE-2022-45402 | MEDIUM | Apache Airflow: Open redirect during login | 81.8% |
| CVE-2021-4104 | HIGH | Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2 | 81.1% |
| CVE-2021-30128 |  | Unsafe deserialization in Apache OFBiz | 81.1% |
| CVE-2021-36749 |  | Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920) | 81.0% |
| CVE-2021-38540 |  | Apache Airflow: Variable Import endpoint missed authentication check | 80.9% |
| CVE-2023-50164 |  | Apache Struts: File upload component had a directory traversal vulnerability | 80.8% |
| CVE-2025-27636 | MEDIUM | Apache Camel: Camel Message Header Injection via Improper Filtering | 79.8% |
| CVE-2025-66516 | HIGH | Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected | 79.8% |
| CVE-2016-8740 |  | The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict | 79.1% |
| CVE-2022-23944 |  | Apache ShenYu 2.4.1 Improper access control | 79.0% |