Apache Software Foundation CVE Vulnerabilities & CVE List (3,094)

Products (CPE): — CVEs: 3,094

Apache Software Foundation vulnerability overview

Aggregates CVE and security vulnerability intelligence across all Apache Software Foundation-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Common weakness patterns include vendor risk memory corruption, vendor risk sql injection, and vendor risk csrf, with potential vendor impact memory corruption across vendor surface http services use cases.

Vulnerability distribution trend (last 24 months)

Showing 101120 of 3094 CVEs
«« First « Prev Page 6 / 155 Next »
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2026-44046 Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. [email protected] 2.3 0.31% 2026-06-19 2026-06-23
CVE-2026-39999 Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authentication capitalising on certain configurations of jwt-auth plugin. This issue affects Apache APISIX: from v2.2 through v3.16.0. Users are recommended to upgrade to version v3.17.0, which fixes the issue. [email protected] 7.0 0.41% 2026-06-19 2026-06-23
CVE-2026-39998 Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. [email protected] 5.8 0.40% 2026-06-19 2026-06-23
CVE-2026-49268 A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users. This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when [email protected] 8.8 0.52% 2026-06-17 2026-06-18
CVE-2026-50203 A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later. [email protected] 9.1 0.63% 2026-06-17 2026-06-17
CVE-2026-47340 Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. [email protected] 6.5 0.43% 2026-06-17 2026-06-17
CVE-2026-42357 Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. [email protected] 6.5 0.31% 2026-06-17 2026-06-17
CVE-2026-41280 Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. [email protected] 4.9 0.44% 2026-06-17 2026-06-17
CVE-2026-32967 Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. [email protected] 9.1 0.34% 2026-06-17 2026-06-17
CVE-2026-32966 DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. [email protected] 9.8 0.39% 2026-06-17 2026-06-17
CVE-2026-50645 There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message. [email protected] 7.5 0.46% 2026-06-12 2026-06-17
CVE-2026-50634 A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. [email protected] 6.5 0.30% 2026-06-12 2026-06-17
CVE-2026-50633 A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 8.1 0.78% 2026-06-12 2026-07-14
CVE-2026-50632 A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 8.1 0.65% 2026-06-12 2026-07-14
CVE-2026-50631 A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 7.4 0.34% 2026-06-12 2026-06-17
CVE-2026-50630 A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 6.5 0.40% 2026-06-12 2026-06-17
CVE-2026-50629 The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 5.3 0.47% 2026-06-12 2026-06-17
CVE-2026-50628 A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 9.8 0.67% 2026-06-12 2026-07-14
CVE-2026-50627 The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. [email protected] 9.1 0.39% 2026-06-12 2026-07-14
CVE-2026-50623 An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue. [email protected] 4.8 0.43% 2026-06-12 2026-06-17
«« First « Prev Page 6 / 155 Next »
cvelogic Threat Intelligence