VYPR

HTTP Server

by Apache

Source repositories

CVEs (341)

  • CVE-2026-29169 | Hig | May 4, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from…

  • CVE-2026-34059 | Hig | May 4, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2018-11763 | Med | Sep 25, 2018
    risk 0.42 | cvss 5.9 | epss 0.51

    In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2…

  • CVE-2007-4465 | Med | Sep 14, 2007
    risk 0.42 | cvss 6.1 | epss 0.26

    Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it…

  • CVE-2016-4975 | Med | Aug 14, 2018
    risk 0.41 | cvss 6.1 | epss 0.20

    Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP…

  • CVE-2026-48913 | Hig | Jun 8, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

  • CVE-2026-44186 | Hig | Jun 8, 2026
    risk 0.40 | cvss 7.3 | epss 0.01

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server. This issue affects undefined: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68,…

  • CVE-2026-44185 | Hig | Jun 8, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

  • CVE-2026-29168 | Hig | May 5, 2026
    risk 0.40 | cvss 7.3 | epss 0.01

    Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2018-1301 | Med | Mar 26, 2018
    risk 0.40 | cvss 5.9 | epss 0.16

    A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both…

  • CVE-2016-1546 | Med | Jul 6, 2016
    risk 0.40 | cvss 5.9 | epss 0.15

    The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.

  • CVE-2018-1302 | Med | Mar 26, 2018
    risk 0.39 | cvss 5.9 | epss 0.13

    When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual…

  • CVE-2026-43951 | Med | Jun 8, 2026
    risk 0.35 | cvss 6.5 | epss 0.01

    Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

  • CVE-2026-33523 | Med | May 4, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2018-1283 | Med | Mar 26, 2018
    risk 0.35 | cvss 5.3 | epss 0.10

    In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by…

  • CVE-2026-29170 | Med | Jun 8, 2026
    risk 0.33 | cvss 6.1 | epss 0.01

    A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68,…

  • CVE-2026-44119 | Med | Jun 8, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version…

  • CVE-2021-42013 | KEV | Oct 7, 2021
    risk 0.29 | cvss | epss 1.00

    It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by…

  • CVE-2021-41773 | KEV | Oct 5, 2021
    risk 0.29 | cvss | epss 1.00

    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the…

  • CVE-2026-33007 | Med | May 4, 2026
    risk 0.28 | cvss 5.3 | epss 0.01

    A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Page 3 of 18