Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions, requiring broad rather than point-by-point review. Of particular note is CVE-2021-40438, currently the highest active-risk vulnerability, with a maximum EPSS of 1.0 (exploitation in practice is all but certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2025-47868 | CRITICAL | Apache NuttX RTOS: tools/bdf-converter.: tools/bdf-converter: Fix loop termination condition. | EPSS 0.6%
CVE-2025-47869 | CRITICAL | Apache NuttX RTOS: examples/xmlrpc: Fix calls buffers size. | EPSS 0.6%
CVE-2025-54057 | MEDIUM | Apache SkyWalking: Stored XSS vulnerability | EPSS 0.6%
CVE-2026-40961 | HIGH | Apache Airflow: Open Redirect Bypass Vulnerability | EPSS 0.6%
CVE-2025-48795 | MEDIUM | Apache CXF: Denial of Service and sensitive data exposure in logs | EPSS 0.6%
CVE-2025-26865 | LOW | Apache OFBiz: Server-Side Template Injection affecting the ecommerce plugin leading to possible RCE | EPSS 0.6%
CVE-2024-23590 | CRITICAL | Apache Kylin: Session fixation in web interface | EPSS 0.6%
CVE-2026-40022 | HIGH | Apache Camel Platform HTTP Main: Authentication Bypass on Non-Root Context Paths in camel main runtime | EPSS 0.6%
CVE-2025-25247 | MEDIUM | Apache Felix Webconsole: XSS in services console | EPSS 0.6%
CVE-2026-33454 | CRITICAL | Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) | EPSS 0.6%
CVE-2025-48912 | HIGH | Apache Superset: Improper authorization bypass on row level security via SQL Injection | EPSS 0.6%
CVE-2024-25141 | CRITICAL | Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo | EPSS 0.6%
CVE-2026-24735 | HIGH | Apache Answer: Revision API Improper Access Control leads to Information Disclosure | EPSS 0.6%
CVE-2024-29008 | MEDIUM | Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance | EPSS 0.6%
CVE-2025-55672 | MEDIUM | Apache Superset: Stored XSS on charts metadata | EPSS 0.6%
CVE-2024-45479 | CRITICAL | Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost | EPSS 0.6%
CVE-2024-24778 | MEDIUM | Apache StreamPipes: Resources Permission Escalation | EPSS 0.6%
CVE-2024-48962 | HIGH | Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE) | EPSS 0.6%
CVE-2025-66169 | MEDIUM | Apache Camel Neo4j: Cypher injection vulnerability in Camel-Neo4j component | EPSS 0.6%
CVE-2025-26413 | HIGH | Apache Kvrocks: The server was crashed by the negative offset | EPSS 0.6%