Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio holds 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities are listed in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to surface across multiple products and versions and therefore calls for a broad rather than one-off review. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2026-40542 | HIGH | Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification | 0.5%
CVE-2026-41919 | CRITICAL | Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction | 0.5%
CVE-2026-24880 | HIGH | Apache Tomcat: Request smuggling via invalid chunk extension | 0.5%
CVE-2026-41409 | CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data | 0.5%
CVE-2026-30912 | HIGH | Apache Airflow: Exposing stack trace in case of constraint error | 0.4%
CVE-2025-31698 | HIGH | Apache Traffic Server: Client IP address from PROXY protocol is not used for ACL | 0.4%
CVE-2026-25700 | HIGH | Apache Answer: AdminToken not invalidated after admin deactivation | 0.4%
CVE-2025-65998 | HIGH | Apache Syncope: Default AES key used for internal password encryption | 0.4%
CVE-2025-54941 | MEDIUM | Apache Airflow: Command injection in "example_dag_decorator" | 0.4%
CVE-2025-54947 | MEDIUM | Apache StreamPark: Use hard-coded key vulnerability | 0.4%
CVE-2025-24854 | MEDIUM | Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin | 0.4%
CVE-2026-34487 | HIGH | Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token | 0.4%
CVE-2026-23902 | HIGH | Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution | 0.4%
CVE-2026-41873 | CRITICAL | Pony Mail: Admin account takeover via request smuggling | 0.4%
CVE-2024-25710 | HIGH | Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file | 0.4%
CVE-2026-28563 | MEDIUM | Apache Airflow: DAG authorization bypass | 0.4%
CVE-2026-31906 | MEDIUM | Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters | 0.4%
CVE-2025-23408 | HIGH | Apache Fineract: weak password policy | 0.4%
CVE-2025-66236 | HIGH | Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | 0.4%
CVE-2021-36151 | (not listed) | Local Credentials Disclosure Vulnerability | 0.4%