Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0, meaning exploitation in practice is all but certain, which makes it an immediate remediation priority for any organization that operates affected Apache components.

CVE | Severity | Title | EPSS
CVE-2026-33006 | MEDIUM | Apache HTTP Server: mod_auth_digest timing attack | EPSS 0.6%
CVE-2024-45106 | HIGH | Apache Ozone: Improper authentication when generating S3 secrets | EPSS 0.6%
CVE-2026-34481 | MEDIUM | Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout | EPSS 0.6%
CVE-2026-25219 | MEDIUM | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | EPSS 0.6%
CVE-2026-46586 | HIGH | Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution | EPSS 0.5%
CVE-2026-42359 | HIGH | Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | EPSS 0.5%
CVE-2026-42498 | HIGH | Apache Tomcat: WebSocket authentication header exposure | EPSS 0.5%
CVE-2026-42588 | HIGH | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector | EPSS 0.5%
CVE-2021-28129 | (not listed) | DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid | EPSS 0.5%
CVE-2026-30778 | HIGH | Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | EPSS 0.5%
CVE-2026-29207 | MEDIUM | Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component | EPSS 0.5%
CVE-2024-45478 | MEDIUM | Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input | EPSS 0.5%
CVE-2026-42535 | CRITICAL | Apache HTTP Server: mod_dav_fs protected directory access | EPSS 0.5%
CVE-2025-62233 | MEDIUM | Apache DolphinScheduler: Deserialization of untrusted data in RPC | EPSS 0.5%
CVE-2026-33558 | MEDIUM | Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | EPSS 0.5%
CVE-2026-34479 | MEDIUM | Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters | EPSS 0.5%
CVE-2026-32588 | MEDIUM | Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing | EPSS 0.5%
CVE-2024-56736 | MEDIUM | Apache HertzBeat: Server-Side Request Forgery (SSRF) in Api Config Oss | EPSS 0.5%
CVE-2025-66171 | MEDIUM | Apache CloudStack: Any user can create a new VM from backups they should not have access to | EPSS 0.5%
CVE-2026-44825 | HIGH | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users | EPSS 0.5%