
Apache Software Foundation — Vulnerabilities & Security Advisories (1803)

Browse all 1803 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-46718 | Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution | Apache Calcite | CWE-470 | - | - | 2026-06-02 |
| CVE-2026-41115 | Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API | Apache Kafka | CWE-285 | - | - | 2026-06-02 |
| CVE-2026-49328 | Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF | Apache Fesod (Incubating) | CWE-918 | - | - | 2026-06-01 |
| CVE-2026-48827 | Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git | Apache MINA SSHD | CWE-22 | 7.1 | High | 2026-06-01 |
| CVE-2026-44825 | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users | Apache Solr | CWE-798 | 8.1 | High | 2026-06-01 |
| CVE-2026-49361 | Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability | Apache Fluss (incubating) | CWE-770 | - | - | 2026-06-01 |
| CVE-2026-40861 | Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler | Apache Airflow | CWE-59 | - | - | 2026-06-01 |
| CVE-2026-40961 | Apache Airflow: Open Redirect Bypass Vulnerability | Apache Airflow | CWE-601 | - | - | 2026-06-01 |
| CVE-2026-40963 | Apache Airflow: DAG authorization bypass on /ui/structure/structure_data | Apache Airflow | CWE-285 | - | - | 2026-06-01 |
| CVE-2026-41014 | Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints | Apache Airflow | CWE-862 | - | - | 2026-06-01 |
| CVE-2026-49267 | Apache Airflow: No certificate validation on SMTP STARTTLS connections | Apache Airflow | CWE-295 | - | - | 2026-06-01 |
| CVE-2026-41017 | Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy | Apache Airflow | CWE-614 | - | - | 2026-06-01 |
| CVE-2026-41084 | Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation | Apache Airflow | CWE-639 | - | - | 2026-06-01 |
| CVE-2026-42252 | Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern | Apache Airflow | CWE-1336 | - | - | 2026-06-01 |
| CVE-2026-42360 | Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking | Apache Airflow | CWE-200 | - | - | 2026-06-01 |
| CVE-2026-42358 | Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets | Apache Airflow | CWE-200 | - | - | 2026-06-01 |
| CVE-2026-42359 | Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | Apache Airflow | CWE-502 | - | - | 2026-06-01 |
| CVE-2026-45360 | Apache Airflow: Arbitrary import in custom deadline-reference deserialization | Apache Airflow | CWE-502 | - | - | 2026-06-01 |
| CVE-2026-45426 | Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access | Apache Airflow | CWE-863 | - | - | 2026-06-01 |
| CVE-2026-46764 | Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter | Apache Airflow | CWE-639 | - | - | 2026-06-01 |
| CVE-2026-48726 | Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path | Apache Airflow | CWE-613 | - | - | 2026-06-01 |
| CVE-2026-49298 | Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments | Apache Airflow | CWE-538 | - | - | 2026-06-01 |
| CVE-2026-42253 | Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties | Apache ActiveMQ | CWE-79 | - | - | 2026-06-01 |
| CVE-2026-42588 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector | Apache ActiveMQ Broker | CWE-20 | - | - | 2026-06-01 |
| CVE-2026-45505 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass | Apache ActiveMQ Broker | CWE-20 | - | - | 2026-06-01 |
| CVE-2026-46605 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal | Apache ActiveMQ Broker | CWE-285 | - | - | 2026-06-01 |
| CVE-2026-49157 | Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default | Apache ActiveMQ | CWE-276 | - | - | 2026-06-01 |
| CVE-2026-49270 | Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire) | Apache ActiveMQ Broker | CWE-1230 | - | - | 2026-06-01 |
| CVE-2026-35563 | Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname | Apache Directory LDAP API | CWE-297 | - | - | 2026-06-01 |
| CVE-2026-45192 | Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response | Apache Airflow | CWE-200 | - | - | 2026-06-01 |

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.