| CVE-2026-38743 | Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities | Apache Software Foundation | Apache Airflow | - | - | 2026-04-24 12:36:40 | Deep Dive |
| CVE-2026-40690 | Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users | Apache Software Foundation | Apache Airflow | - | - | 2026-04-24 12:35:33 | Deep Dive |
| CVE-2026-23902 | Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. | Apache Software Foundation | Apache DolphinScheduler | - | - | 2026-04-24 10:56:18 | Deep Dive |
| CVE-2025-62233 | Apache DolphinScheduler: Deserialization of untrusted data in RPC | Apache Software Foundation | Apache DolphinScheduler | - | - | 2026-04-24 10:54:55 | Deep Dive |
| CVE-2026-41044 | Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia | Apache Software Foundation | Apache ActiveMQ | - | - | 2026-04-24 10:16:54 | Deep Dive |
| CVE-2026-41043 | Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues | Apache Software Foundation | Apache ActiveMQ | - | - | 2026-04-24 10:16:24 | Deep Dive |
| CVE-2026-40466 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI | Apache Software Foundation | Apache ActiveMQ Broker | - | - | 2026-04-24 10:15:44 | Deep Dive |
| CVE-2026-6272 | kuksa.val.v2: vulnerability allowing any read JWT to forge signal data | Eclipse Foundation | Eclipse KUKSA - Databroker | - | - | 2026-04-24 08:28:18 | Deep Dive |
| CVE-2026-6019 | BaseCookie.js_output() does not neutralize embedded characters | Python Software Foundation | CPython | - | - | 2026-04-22 19:28:09 | Deep Dive |
| CVE-2026-40542 | Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification | Apache Software Foundation | Apache HttpClient | - | - | 2026-04-22 07:07:21 | Deep Dive |
| CVE-2026-3298 | Out-of-bounds write in Windows asyncio.ProactorEventLoop.sock_recvfrom_into() when using nbytes | Python Software Foundation | CPython | - | - | 2026-04-21 14:45:02 | Deep Dive |
| CVE-2026-33557 | Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication | Apache Software Foundation | Apache Kafka | - | - | 2026-04-20 13:28:44 | Deep Dive |
| CVE-2025-66335 | Apache Doris MCP Server: MCP SQL inject | Apache Software Foundation | Apache Doris MCP Server | - | - | 2026-04-20 13:27:28 | Deep Dive |
| CVE-2026-33558 | Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | Apache Software Foundation | Apache Kafka | - | - | 2026-04-20 13:20:38 | Deep Dive |
| CVE-2026-40948 | Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager | Apache Software Foundation | Apache Airflow Providers Keycloak | - | - | 2026-04-18 13:22:42 | Deep Dive |
| CVE-2026-32690 | Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:22:26 | Deep Dive |
| CVE-2026-30898 | Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:49 | Deep Dive |
| CVE-2026-30912 | Apache Airflow: Exposing stack trace in case of constraint error | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:30 | Deep Dive |
| CVE-2026-25917 | Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:20:11 | Deep Dive |
| CVE-2026-32228 | Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to | Apache Software Foundation | Apache Airflow | - | - | 2026-04-18 06:19:48 | Deep Dive |