Vulnerabilities in Apache Software Foundation

1,899 results
Vexday analysis

The Apache Software Foundation portfolio has accumulated 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog-wide average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions and therefore calls for a broad review rather than a one-off fix. CVE-2021-40438 stands out as the vulnerability with the highest active risk at the moment, with a maximum EPSS of 1.0 (exploitation in practice is practically certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2024-35164 (MEDIUM) - Apache Guacamole: Improper input validation of console codes - EPSS 0.4%
CVE-2026-56091 (HIGH) - Apache Shiro: Authentication bypass in Guice-Web integration - EPSS 0.4%
CVE-2026-31986 (CRITICAL) - Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection - EPSS 0.4%
CVE-2026-32690 (LOW) - Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 - EPSS 0.4%
CVE-2023-41180 - Apache NiFi MiNiFi C++: Incorrect Certificate Validation in InvokeHTTP for MiNiFi C++ - EPSS 0.4%
CVE-2026-33227 (MEDIUM) - Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ: Improper Limitation of a Pathname to a Restricted Classpath Directory - EPSS 0.4%
CVE-2026-33005 (MEDIUM) - Apache OpenMeetings: Insufficient checks in FileWebService - EPSS 0.4%
CVE-2026-50627 (CRITICAL) - Apache CXF: OAuth2: Missing JWT Audience and Issuer Validation in Access Token Validator - EPSS 0.4%
CVE-2025-55753 (HIGH) - Apache HTTP Server: mod_md (ACME), unintended retry intervals - EPSS 0.4%
CVE-2026-31388 (MEDIUM) - Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature - EPSS 0.4%
CVE-2025-62228 (MEDIUM) - Apache Flink CDC: SQL injection via maliciously crafted identifiers - EPSS 0.4%
CVE-2026-42526 (MEDIUM) - Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends - EPSS 0.4%
CVE-2026-53404 (HIGH) - Apache Tomcat: Bad ornext processing in RewriteValve - EPSS 0.4%
CVE-2025-46647 (MEDIUM) - Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect - EPSS 0.4%
CVE-2026-43827 (MEDIUM) - Apache Shiro: Session fixation: new session is not created after login by default - EPSS 0.4%
CVE-2026-54428 (HIGH) - Apache HttpComponents Core: HPackDecoder Unlimited Header List Size Before SETTINGS ACK - EPSS 0.4%
CVE-2026-43826 (MEDIUM) - Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL - EPSS 0.4%
CVE-2026-41018 (MEDIUM) - Apache Airflow Providers Elasticsearch: Elasticsearch task-log handler leaks credentials embedded in the host URL - EPSS 0.4%
CVE-2026-45192 (MEDIUM) - Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response - EPSS 0.4%
CVE-2026-54399 (HIGH) - Apache HttpComponents Core: Unbounded HTTP Header/Line Length in Default Configuration - EPSS 0.4%