Apache Software Foundation 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk memory corruption、vendor risk sql injection、vendor risk csrf, and バッファオーバーフロー があり、vendor surface http services の利用場面で vendor impact memory corruption、アプリケーションクラッシュ, and vendor impact data exposure などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-44913 | Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not cover additional strategies. Apache NiFi installations that do not use the CaptureChangeMySQL Processor are not subject to this vulnerability. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, | [email protected] | 5.2 | 0.39% | 2026-06-22 | 2026-06-23 |
| CVE-2026-44911 | Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined verification methods with alternative settings. Apache NiFi installations that do not implement different levels of authorization for viewing and modifying component configuration are not subject to this v | [email protected] | 2.3 | 0.26% | 2026-06-22 | 2026-06-23 |
| CVE-2025-66336 | Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris version 0.6.1 or | [email protected] | 8.1 | 0.38% | 2026-06-22 | 2026-06-26 |
| CVE-2025-62198 | An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue. | [email protected] | 5.4 | 0.32% | 2026-06-22 | 2026-06-23 |
| CVE-2026-49872 | Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 5.3 | 0.33% | 2026-06-19 | 2026-06-23 |
| CVE-2026-49871 | Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 2.1 | 0.26% | 2026-06-19 | 2026-06-23 |
| CVE-2026-49231 | Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX: from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 2.3 | 0.36% | 2026-06-19 | 2026-06-23 |
| CVE-2026-49230 | Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 6.3 | 0.23% | 2026-06-19 | 2026-06-23 |
| CVE-2026-48895 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 2.1 | 0.41% | 2026-06-19 | 2026-06-23 |
| CVE-2026-47341 | Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 6.3 | 0.41% | 2026-06-19 | 2026-06-23 |
| CVE-2026-47339 | Incorrect Authorization vulnerability in Apache APISIX. An attacker can capitalise on authz-casdoor plugin under default configuration to authenticate themselves with credentials from a different source. This issue affects Apache APISIX: from 2.14.1 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 5.3 | 0.29% | 2026-06-19 | 2026-06-23 |
| CVE-2026-44915 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 2.1 | 0.40% | 2026-06-19 | 2026-06-23 |
| CVE-2026-44087 | Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 5.3 | 0.17% | 2026-06-19 | 2026-06-23 |
| CVE-2026-44046 | Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 2.3 | 0.31% | 2026-06-19 | 2026-06-23 |
| CVE-2026-39999 | Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue. | [email protected] | 7.0 | 0.41% | 2026-06-19 | 2026-06-23 |
| CVE-2026-39998 | Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. | [email protected] | 5.8 | 0.40% | 2026-06-19 | 2026-06-23 |
| CVE-2026-49268 | A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when | [email protected] | 8.8 | 0.52% | 2026-06-17 | 2026-06-18 |
| CVE-2026-50203 | A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later. | [email protected] | 9.1 | 0.63% | 2026-06-17 | 2026-06-17 |
| CVE-2026-47340 | Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | [email protected] | 6.5 | 0.43% | 2026-06-17 | 2026-06-17 |
| CVE-2026-42357 | Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. | [email protected] | 6.5 | 0.31% | 2026-06-17 | 2026-06-17 |