
Apache Software Foundation — Vulnerabilities & Security Advisories (1840)

Browse all 1840 CVE security advisories affecting Apache Software Foundation. AI-powered Chinese analysis, PoCs, and references are provided for each vulnerability.

The Apache Software Foundation develops and maintains open-source software, primarily known for the widely deployed Apache HTTP Server and foundational Java frameworks. Its extensive portfolio exposes a significant attack surface, evidenced by the 1717 recorded CVEs. Historically, vulnerabilities frequently involve remote code execution, cross-site scripting, and privilege escalation, often stemming from complex configuration errors or input validation failures in legacy components. While the foundation enforces rigorous security review processes, the sheer volume of projects increases the likelihood of undiscovered flaws. Notable incidents include critical flaws in Log4j, which allowed remote code execution via crafted log messages, highlighting risks in dependency management. The organization relies on community-driven patching, requiring administrators to promptly apply updates to mitigate exploitation. This model ensures transparency but demands active vigilance from users to maintain system integrity against evolving threat vectors.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34356 | Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow | Apache HTTP Server | CWE-122 | - | - | 2026-06-08 |
| CVE-2026-44186 | Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp | Apache HTTP Server | CWE-835 | - | - | 2026-06-08 |
| CVE-2026-29170 | Apache HTTP Server: mod_proxy_ftp XSS | Apache HTTP Server | CWE-79 | - | - | 2026-06-08 |
| CVE-2026-29167 | Apache HTTP Server: mod_ldap per-dir use-after-free | Apache HTTP Server | CWE-416 | - | - | 2026-06-08 |
| CVE-2026-47430 | Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews | Cordova Plugin InAppBrowser | CWE-20 | - | - | 2026-06-08 |
| CVE-2026-50076 | Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass | Apache Fory | CWE-502 | - | - | 2026-06-04 |
| CVE-2026-47065 | Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232 | Apache MINA | CWE-502 | 9.8 | Critical | 2026-06-03 |
| CVE-2026-46718 | Apache Calcite: A user-controlled model can load arbitrary classes, leading to code execution | Apache Calcite | CWE-470 | - | - | 2026-06-02 |
| CVE-2026-41115 | Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API | Apache Kafka | CWE-285 | - | - | 2026-06-02 |
| CVE-2026-49328 | Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF | Apache Fesod (Incubating) | CWE-918 | - | - | 2026-06-01 |
| CVE-2026-48827 | Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git | Apache MINA SSHD | CWE-22 | 7.1 | High | 2026-06-01 |
| CVE-2026-44825 | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users | Apache Solr | CWE-798 | 8.1 | High | 2026-06-01 |
| CVE-2026-49361 | Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability | Apache Fluss (incubating) | CWE-770 | - | - | 2026-06-01 |
| CVE-2026-40861 | Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler | Apache Airflow | CWE-59 | - | - | 2026-06-01 |
| CVE-2026-40961 | Apache Airflow: Open Redirect Bypass Vulnerability | Apache Airflow | CWE-601 | - | - | 2026-06-01 |
| CVE-2026-40963 | Apache Airflow: DAG authorization bypass on /ui/structure/structure_data | Apache Airflow | CWE-285 | - | - | 2026-06-01 |
| CVE-2026-41014 | Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints | Apache Airflow | CWE-862 | - | - | 2026-06-01 |
| CVE-2026-49267 | Apache Airflow: No certificate validation on SMTP STARTTLS connections | Apache Airflow | CWE-295 | - | - | 2026-06-01 |
| CVE-2026-41017 | Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy | Apache Airflow | CWE-614 | - | - | 2026-06-01 |
| CVE-2026-41084 | Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation | Apache Airflow | CWE-639 | - | - | 2026-06-01 |
| CVE-2026-42252 | Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern | Apache Airflow | CWE-1336 | - | - | 2026-06-01 |
| CVE-2026-42360 | Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking | Apache Airflow | CWE-200 | - | - | 2026-06-01 |
| CVE-2026-42358 | Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets | Apache Airflow | CWE-200 | - | - | 2026-06-01 |
| CVE-2026-42359 | Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | Apache Airflow | CWE-502 | - | - | 2026-06-01 |
| CVE-2026-45360 | Apache Airflow: Arbitrary import in custom deadline-reference deserialization | Apache Airflow | CWE-502 | - | - | 2026-06-01 |
| CVE-2026-45426 | Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access | Apache Airflow | CWE-863 | - | - | 2026-06-01 |
| CVE-2026-46764 | Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter | Apache Airflow | CWE-639 | - | - | 2026-06-01 |
| CVE-2026-48726 | Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path | Apache Airflow | CWE-613 | - | - | 2026-06-01 |
| CVE-2026-49298 | Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments | Apache Airflow | CWE-538 | - | - | 2026-06-01 |
| CVE-2026-42253 | Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties | Apache ActiveMQ | CWE-79 | - | - | 2026-06-01 |

A "-" in the CVSS and Severity columns means no score had been assigned to that advisory at the time of listing.

This page lists every published CVE security advisory associated with Apache Software Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.