Vulnerabilidades em Apache Software Foundation

1.899 resultados
Análise Vexday

O portfólio da Apache Software Foundation acumula 1.872 CVEs catalogadas, das quais 215 são de severidade crítica e 83 contam com prova de conceito pública — fatores que ampliam a superfície de risco operacional para equipes de segurança. A taxa de exploração ativa é especialmente preocupante: 28 vulnerabilidades constam no catálogo KEV da CISA, representando uma proporção 3,3 vezes acima da média geral do catálogo, o que indica atenção consistente de agentes maliciosos ao ecossistema Apache. A falha mais comum é CWE-20 (validação inadequada de entrada), padrão estrutural que tende a se manifestar em múltiplos produtos e versões, exigindo revisão ampla e não pontual. Destaque para CVE-2021-40438, a vulnerabilidade de maior risco ativo no momento, com EPSS máximo de 1,0 — probabilidade de exploração na prática praticamente certa —, o que a torna prioridade imediata de remediação para qualquer organização que opere componentes Apache afetados.

CVE-2026-40048HIGHApache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManagerEPSS 0.3%CVE-2026-44618MEDIUMApache CXF: XXE vulnerability in WS-Transfer functionalityEPSS 0.3%CVE-2026-32967MEDIUMApache DolphinScheduler: The `/v2` experimental interface lacks permission checksEPSS 0.3%CVE-2025-58337MEDIUMApache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP ServerEPSS 0.3%CVE-2026-42358MEDIUMApache Airflow: Variable masker depth-limit bypass returns cleartext nested secretsEPSS 0.3%CVE-2026-46605MEDIUMApache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removalEPSS 0.3%CVE-2026-42360MEDIUMApache Airflow: Rendered template truncation bypasses nested sensitive-key maskingEPSS 0.3%CVE-2025-58137HIGHApache Fineract: IDOR via self-service APIEPSS 0.3%CVE-2023-49582MEDIUMApache Portable Runtime (APR): Unexpected lax shared memory permissionsEPSS 0.3%CVE-2025-53470LOWApache Mynewt NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driverEPSS 0.3%CVE-2025-59060MEDIUMApache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClientEPSS 0.3%CVE-2026-49270MEDIUMApache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire)EPSS 0.3%CVE-2026-40948MEDIUMApache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth ManagerEPSS 0.3%CVE-2026-35554HIGHApache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race ConditionEPSS 0.3%CVE-2026-44911LOWApache NiFi: Incorrect Authorization for Configuration Verification RequestsEPSS 0.3%CVE-2024-46544MEDIUMApache Tomcat Connectors: mod_jk: local users can view and modify configurationEPSS 0.3%CVE-2025-47410HIGHApache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target systemEPSS 0.3%CVE-2026-45760HIGHApache Camel K: Camel K Cross-Namespace Build Deputy AttackEPSS 0.3%CVE-2026-34905MEDIUMApache Answer: Unlisted Questions Accessible via Direct API AccessEPSS 0.3%CVE-2026-46751MEDIUMApache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.EPSS 0.3%