Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (Improper Input Validation), a structural pattern that tends to appear across multiple products and versions and therefore calls for a broad review rather than a point fix. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice is practically certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE | Severity | Title | EPSS
CVE-2026-42782 | HIGH | Apache Syncope: Post-auth RCE via Groovy static | EPSS 0.7%
CVE-2026-45360 | HIGH | Apache Airflow: Arbitrary import in custom deadline-reference deserialization | EPSS 0.7%
CVE-2024-45477 | MEDIUM | Apache NiFi: Improper Neutralization of Input in Parameter Description | EPSS 0.6%
CVE-2026-50632 | HIGH | Apache CXF: JNDI Injection Vulnerability in JMSConfigFactory | EPSS 0.6%
CVE-2026-44417 | HIGH | Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) | EPSS 0.6%
CVE-2026-41635 | CRITICAL | Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE | EPSS 0.6%
CVE-2023-52290 | HIGH | Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability | EPSS 0.6%
CVE-2022-31764 | HIGH | Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC | EPSS 0.6%
CVE-2026-24281 | MEDIUM | Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager | EPSS 0.6%
CVE-2026-43869 | HIGH | Apache Thrift: TSSLTransportFactory.java hostname verification | EPSS 0.6%
CVE-2025-49763 | HIGH | Apache Traffic Server: Remote DoS via memory exhaustion in ESI Plugin | EPSS 0.6%
CVE-2016-5001 | | This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of H | EPSS 0.6%
CVE-2026-50628 | CRITICAL | Apache CXF: OAuth2: Inverted IP Binding Check Defeats Security Control | EPSS 0.6%
CVE-2025-55674 | MEDIUM | Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions | EPSS 0.6%
CVE-2024-44088 | MEDIUM | Apache Geode: Reflected XSS | EPSS 0.6%
CVE-2026-29168 | HIGH | Apache HTTP Server: mod_md unrestricted OCSP response | EPSS 0.6%
CVE-2026-42440 | HIGH | Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader | EPSS 0.6%
CVE-2024-29733 | LOW | Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context | EPSS 0.6%
CVE-2026-50203 | CRITICAL | Apache Airflow SFTP provider: Path traversal in SFTPHook.retrieve_directory allows local file write outside the destination directory via malicious server-supplied directory-entry names | EPSS 0.6%
CVE-2024-45537 | MEDIUM | Apache Druid: Users can provide MySQL JDBC properties not on allow list | EPSS 0.6%