This page lists publicly disclosed CVE vulnerabilities affecting apache camel (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2020-11994 | Server-Side Template Injection and arbitrary file disclosure on Camel templating components | [email protected] | 7.5 | 4.49% | 2020-07-08 | 2026-06-16 |
| CVE-2020-11973 | Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | [email protected] | 9.8 | 6.59% | 2020-05-14 | 2026-06-16 |
| CVE-2020-11972 | Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade to 3.2.0. | [email protected] | 9.8 | 5.51% | 2020-05-14 | 2026-06-16 |
| CVE-2020-11971 | Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0. | [email protected] | 7.5 | 14.33% | 2020-05-14 | 2026-06-16 |
| CVE-2020-5529 | HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. | [email protected] | 8.1 | 4.72% | 2020-02-11 | 2026-06-16 |
| CVE-2019-0188 | Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed. | [email protected] | 7.5 | 8.46% | 2019-05-28 | 2026-06-16 |
| CVE-2019-0194 | Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected. | [email protected] | 7.5 | 8.48% | 2019-04-30 | 2026-06-16 |
| CVE-2018-8041 | Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal. | [email protected] | 5.3 | 9.85% | 2018-09-17 | 2026-06-16 |
| CVE-2018-8027 | Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor. | [email protected] | 9.8 | 5.52% | 2018-07-31 | 2026-06-16 |
| CVE-2017-12634 | The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | [email protected] | 9.8 | 7.19% | 2017-11-15 | 2026-06-16 |
| CVE-2017-12633 | The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | [email protected] | 9.8 | 7.13% | 2017-11-15 | 2026-06-16 |
| CVE-2016-8749 | Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | [email protected] | 9.8 | 10.60% | 2017-03-28 | 2026-06-16 |
| CVE-2017-5643 | Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. | [email protected] | 7.4 | 4.89% | 2017-03-16 | 2026-06-16 |
| CVE-2017-3159 | Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | [email protected] | 9.8 | 6.29% | 2017-03-07 | 2026-06-16 |
| CVE-2015-5348 | Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | [email protected] | 8.1 | 6.39% | 2016-04-15 | 2026-06-16 |
| CVE-2015-5344 | The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | [email protected] | 9.8 | 7.12% | 2016-02-03 | 2026-06-16 |
| CVE-2015-0264 | Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query. | [email protected] | 5.0 | 7.09% | 2015-06-03 | 2026-06-16 |
| CVE-2015-0263 | XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource. | [email protected] | 5.0 | 7.53% | 2015-06-03 | 2026-06-16 |
| CVE-2014-0003 | The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message. | [email protected] | 7.5 | 7.35% | 2014-03-21 | 2026-06-16 |
| CVE-2014-0002 | The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | [email protected] | 7.5 | 32.54% | 2014-03-21 | 2026-06-16 |