| CVE-2026-31987 | Apache Airflow: JWT token appearing in logs | Apache Software Foundation | Apache Airflow | - | - | 2026-04-16 13:31:52 | Deep Dive |
| CVE-2026-25219 | Apache Airflow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | Apache Software Foundation | Apache Airflow | Medium | - | 2026-04-15 12:30:18 | Deep Dive |
| CVE-2026-30778 | Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | Apache Software Foundation | Apache SkyWalking | High | - | 2026-04-15 10:54:25 | Deep Dive |
| CVE-2025-54550 | Apache Airflow: RCE by race condition in example_xcom dag | Apache Software Foundation | Apache Airflow | Medium | - | 2026-04-15 00:22:03 | Deep Dive |
| CVE-2026-5713 | Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target | Python Software Foundation | CPython | Medium | - | 2026-04-14 15:11:51 | Deep Dive |
| CVE-2026-2332 | HTTP Request Smuggling via Chunked Extension Quoted-String Parsing | Eclipse Foundation | Eclipse Jetty | High | 7.4 | 2026-04-14 10:59:10 | Deep Dive |
| CVE-2026-31923 | Apache APISIX: Openid-connect `tls_verify` field is disabled by default | Apache Software Foundation | Apache APISIX | Medium | - | 2026-04-14 08:38:59 | Deep Dive |
| CVE-2026-33929 | Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code | Apache Software Foundation | Apache PDFBox Examples | Medium | - | 2026-04-14 08:09:40 | Deep Dive |
| CVE-2026-31924 | Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP | Apache Software Foundation | Apache APISIX | Medium | - | 2026-04-14 08:08:06 | Deep Dive |
| CVE-2026-31908 | Apache APISIX: forward auth plugin allows header injection | Apache Software Foundation | Apache APISIX | Medium | - | 2026-04-14 08:06:18 | Deep Dive |
| CVE-2026-4786 | Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | Python Software Foundation | CPython | High | - | 2026-04-13 21:52:19 | Deep Dive |
| CVE-2026-6100 | Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | Python Software Foundation | CPython | High | - | 2026-04-13 17:15:48 | Deep Dive |
| CVE-2026-33858 | Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | Apache Software Foundation | Apache Airflow | Medium | - | 2026-04-13 14:36:31 | Deep Dive |
| CVE-2025-66236 | Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | Apache Software Foundation | Apache Airflow | Medium | - | 2026-04-13 14:20:37 | Deep Dive |
| CVE-2026-34476 | Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server | Apache Software Foundation | Apache SkyWalking MCP | High | - | 2026-04-13 13:01:31 | Deep Dive |
| CVE-2026-35337 | Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling | Apache Software Foundation | Apache Storm Client | High | - | 2026-04-13 09:11:06 | Deep Dive |
| CVE-2026-35565 | Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI | Apache Software Foundation | Apache Storm UI | Medium | - | 2026-04-13 09:10:17 | Deep Dive |
| CVE-2026-3446 | Base64 decoding stops at first padded quad by default | Python Software Foundation | CPython | - | - | 2026-04-10 18:17:35 | Deep Dive |
| CVE-2026-1502 | HTTP client proxy tunnel headers not validated for CR/LF | Python Software Foundation | CPython | - | - | 2026-04-10 17:54:44 | Deep Dive |
| CVE-2026-40023 | Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to unescaped XML 1.0 forbidden characters | Apache Software Foundation | Apache Log4cxx | Medium | - | 2026-04-10 15:45:53 | Deep Dive |