Vulnerabilities in Apache Software Foundation

1899 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to recur across multiple products and versions and therefore calls for a broad review rather than a one-off fix. Of particular note is CVE-2021-40438, currently the vulnerability with the highest active risk, with the maximum EPSS score of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization running affected Apache components.

CVE ID | Severity | Title | EPSS
CVE-2024-47252 | HIGH | Apache HTTP Server: mod_ssl error log variable escaping | EPSS 0.7%
CVE-2026-27172 | HIGH | Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store | EPSS 0.7%
CVE-2025-57735 | CRITICAL | Apache Airflow: Airflow Logout Not Invalidating JWT | EPSS 0.7%
CVE-2026-43868 | MEDIUM | Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern | EPSS 0.7%
CVE-2026-40861 | MEDIUM | Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler | EPSS 0.7%
CVE-2024-47250 | MEDIUM | Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access | EPSS 0.7%
CVE-2024-27181 | HIGH | Apache Linkis Basic management services: Privilege Escalation Attack vulnerability | EPSS 0.7%
CVE-2026-29167 | CRITICAL | Apache HTTP Server: mod_ldap per-dir use-after-free | EPSS 0.7%
CVE-2026-24713 | CRITICAL | Apache IoTDB: JEXL Expression Injection Vulnerability | EPSS 0.7%
CVE-2024-30471 | MEDIUM | Apache StreamPipes: Potential creation of multiple identical accounts | EPSS 0.7%
CVE-2026-49434 | HIGH | Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: LdapNetworkConnector instantiates denied transports and a remote-properties broker | EPSS 0.7%
CVE-2026-50223 | HIGH | Apache OFBiz: DataResource Low-Privileged Authenticated FreeMarker Template Injection Leads to Remote Code Execution | EPSS 0.7%
CVE-2026-42778 | CRITICAL | Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2) | EPSS 0.7%
CVE-2026-24656 | LOW | Apache Karaf: Decanter log-socket collector has deserialization vulnerability | EPSS 0.7%
CVE-2025-66335 | MEDIUM | Apache Doris MCP Server: MCP SQL inject | EPSS 0.7%
CVE-2025-46548 | MEDIUM | Apache Pekko Management, Apache Pekko Management, Apache Pekko Management, Akka Management, Akka Management, Akka Management: management API basic authentication is not effective | EPSS 0.7%
CVE-2026-22444 | HIGH | Apache Solr: Insufficient file-access checking in standalone core-creation requests | EPSS 0.7%
CVE-2023-26269 | HIGH | Apache James server: Privilege escalation through unauthenticated JMX | EPSS 0.7%
CVE-2026-24072 | HIGH | Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr | EPSS 0.7%
CVE-2026-42782 | HIGH | Apache Syncope: Post-auth RCE via Groovy static | EPSS 0.7%