彙總 Apache Software Foundation 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 記憶體損壞、SQL 注入、緩衝區溢位與CSRF,在 HTTP 服務與Web 請求處理 使用場景中可能帶來 記憶體損壞、應用程式崩潰與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-50645 | There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message. | [email protected] | 7.5 | 0.62% | 2026-06-12 | 2026-06-13 |
| CVE-2026-50634 | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. | [email protected] | 6.5 | 0.30% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50633 | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 8.1 | 0.66% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50632 | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 8.1 | 0.55% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50631 | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 7.4 | 0.34% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50630 | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 6.5 | 0.50% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50629 | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 5.3 | 0.58% | 2026-06-12 | 2026-06-12 |
| CVE-2026-50628 | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 9.8 | 0.68% | 2026-06-12 | 2026-06-15 |
| CVE-2026-50627 | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 9.1 | 0.51% | 2026-06-12 | 2026-06-15 |
| CVE-2026-50623 | An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. However note that this is a safeguard only in the case that someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue. | [email protected] | 4.8 | 0.52% | 2026-06-12 | 2026-06-16 |
| CVE-2026-49875 | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. | [email protected] | 9.8 | 0.42% | 2026-06-12 | 2026-06-15 |
| CVE-2026-50223 | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. | [email protected] | 8.8 | 0.66% | 2026-06-10 | 2026-06-12 |
| CVE-2026-47342 | A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. | [email protected] | 8.8 | 0.34% | 2026-06-10 | 2026-06-12 |
| CVE-2026-25700 | Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 7.2 | 0.36% | 2026-06-10 | 2026-06-12 |
| CVE-2026-49818 | The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-sam | [email protected] | 6.5 | 0.73% | 2026-06-09 | 2026-06-12 |
| CVE-2026-34905 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 6.5 | 0.33% | 2026-06-09 | 2026-06-10 |
| CVE-2026-34033 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 5.4 | 0.31% | 2026-06-09 | 2026-06-11 |
| CVE-2026-34031 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 6.5 | 0.40% | 2026-06-09 | 2026-06-10 |
| CVE-2026-33582 | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 6.5 | 0.42% | 2026-06-09 | 2026-06-10 |
| CVE-2026-25699 | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | [email protected] | 6.1 | 0.36% | 2026-06-09 | 2026-06-10 |