Aggregates CVE and security vulnerability intelligence across all akamai-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk xxe and vendor risk ssrf and related security problems, affecting vendor surface production workloads and vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-66373 | Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain circumstances, Akamai Ghost erroneously forwards the invalid request and subsequent superfluous bytes to the origin server. An attacker could hide a smuggled request in these superfluous bytes. Whether t | [email protected] | 4.8 | 0.23% | 2025-12-04 | 2026-06-17 |
| CVE-2025-54142 | Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards. | [email protected] | 4.0 | 0.25% | 2025-08-28 | 2026-06-17 |
| CVE-2025-32094 | An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body. | [email protected] | 4.0 | 0.52% | 2025-08-07 | 2026-06-17 |
| CVE-2025-52491 | Akamai CloudTest before 60 2025.06.09 (12989) allows SSRF. | [email protected] | 5.8 | 0.30% | 2025-06-30 | 2026-06-17 |
| CVE-2025-49493 | Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection. | [email protected] | 5.8 | 3.40% | 2025-06-30 | 2026-06-17 |
| CVE-2025-24527 | An issue was discovered in Akamai Enterprise Application Access (EAA) before 2025-01-17. If an admin knows another tenant's 128-bit connector GUID, they can execute debug commands on that connector. | [email protected] | 8.0 | 0.32% | 2025-01-29 | 2026-06-17 |
| CVE-2024-45164 | Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for the Admin functionality on the ThreatAvert Policy page. An authenticated user can navigate directly to the /#app/intelligence/threatAvertPolicies URI and disable policy enforcement. | [email protected] | 7.1 | 0.31% | 2024-11-04 | 2026-06-17 |
| CVE-2021-40683 | In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4.x before 2.4.1, and 2.5.x before 2.5.3, an unquoted path may allow an attacker to hijack the flow of execution. | [email protected] | 7.8 | 0.42% | 2021-10-04 | 2026-06-17 |
| CVE-2019-18847 | Enterprise Access Client Auto-Updater allows for Remote Code Execution prior to version 2.0.1. | [email protected] | 9.8 | 2.27% | 2020-08-26 | 2026-06-16 |
| CVE-2019-11011 | Akamai CloudTest before 58.30 allows remote code execution. | [email protected] | 9.8 | 2.60% | 2019-06-21 | 2026-06-16 |
| CVE-2016-10157 | Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because the mentioned DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code within the Akamai NetSession process space. | [email protected] | 9.8 | 2.24% | 2017-01-23 | 2026-06-16 |
| CVE-2008-1770 | CRLF injection vulnerability in Akamai Download Manager ActiveX control before 2.2.3.6 allows remote attackers to force the download and execution of arbitrary files via a URL parameter containing an encoded LF followed by a malicious target line. | [email protected] | 9.3 | 10.42% | 2008-06-04 | 2026-06-16 |