Vulnerabilities in Apache Software Foundation

1899 results
Vexday analysis

The Apache Software Foundation portfolio accumulates 1,872 catalogued CVEs, of which 215 are of critical severity and 83 have a public proof of concept, factors that widen the operational risk surface for security teams. The rate of active exploitation is especially concerning: 28 vulnerabilities appear in CISA's KEV catalog, a proportion 3.3 times above the catalog's overall average, which indicates consistent attention from malicious actors to the Apache ecosystem. The most common weakness is CWE-20 (improper input validation), a structural pattern that tends to manifest across multiple products and versions and therefore calls for a broad review rather than point fixes. Of particular note is CVE-2021-40438, currently the vulnerability with the highest active risk, with a maximum EPSS of 1.0 (exploitation in practice is virtually certain), which makes it an immediate remediation priority for any organization operating affected Apache components.

CVE-2025-66675 [HIGH] Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed (EPSS 0.5%)
CVE-2025-30001 [HIGH] Apache StreamPark: Authenticated users can trigger remote command execution (EPSS 0.5%)
CVE-2018-1334 In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect (EPSS 0.5%)
CVE-2026-29170 [MEDIUM] Apache HTTP Server: mod_proxy_ftp XSS (EPSS 0.5%)
CVE-2026-23980 [MEDIUM] Apache Superset: Improper Neutralization of Special Elements used in a SQL Command (EPSS 0.5%)
CVE-2026-49328 [MEDIUM] Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF (EPSS 0.5%)
CVE-2026-25199 [CRITICAL] Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access (EPSS 0.5%)
CVE-2025-47713 [HIGH] Apache CloudStack: Domain Admin can reset Admin password in Root Domain (EPSS 0.5%)
CVE-2025-61735 [HIGH] Apache Kylin: Server-Side Request Forgery (EPSS 0.5%)
CVE-2026-40023 [MEDIUM] Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters (EPSS 0.5%)
CVE-2025-47849 [HIGH] Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain (EPSS 0.5%)
CVE-2026-24734 [HIGH] Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass (EPSS 0.5%)
CVE-2026-42404 [MEDIUM] Apache Neethi: Unrestricted HTTP Redirect Following in Policy References (EPSS 0.5%)
CVE-2024-45693 [HIGH] Apache CloudStack: Request origin validation bypass makes account takeover possible (EPSS 0.5%)
CVE-2026-35086 [MEDIUM] Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services (EPSS 0.5%)
CVE-2024-43166 [CRITICAL] Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users ar (EPSS 0.5%)
CVE-2026-49268 [HIGH] Apache Shiro: LDAP DN Injection in DefaultLdapRealm (EPSS 0.5%)
CVE-2026-24733 [MEDIUM] Apache Tomcat: Security constraint bypass with HTTP/0.9 (EPSS 0.5%)
CVE-2026-22022 [HIGH] Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin (EPSS 0.5%)
CVE-2026-40564 [MEDIUM] Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator (EPSS 0.5%)