VYPR

Vendor CVEs

Apache

All CVEs

2,552 total · sorted by risk
  • CVE-2025-64407Nov 12, 2025
    risk 0.00cvss epss 0.00

    Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as…

  • CVE-2025-64406Nov 12, 2025
    risk 0.00cvss epss 0.00

    An out-of-bounds Write vulnerability in Apache OpenOffice could allow an attacker to craft a document that would crash the program, or otherwise corrupt other memory areas. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version…

  • CVE-2025-64405Nov 12, 2025
    risk 0.00cvss epss 0.01

    Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, Calc spreadsheet…

  • CVE-2025-64404Nov 12, 2025
    risk 0.00cvss epss 0.01

    Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents…

  • CVE-2025-64403Nov 12, 2025
    risk 0.00cvss epss 0.01

    Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause such links to be loaded without prompt. This issue…

  • CVE-2025-64402Nov 12, 2025
    risk 0.00cvss epss 0.00

    Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "OLE…

  • CVE-2025-64401Nov 12, 2025
    risk 0.00cvss epss 0.01

    Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used…

  • CVE-2025-56385Nov 12, 2025
    risk 0.00cvss epss 0.00

    A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful…

  • CVE-2025-58337Nov 5, 2025
    risk 0.00cvss epss 0.00

    An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may…

  • CVE-2025-62232Oct 31, 2025
    risk 0.00cvss epss 0.00

    Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following…

  • CVE-2025-54941Oct 30, 2025
    risk 0.00cvss epss 0.00

    An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code…

  • CVE-2025-62402Oct 30, 2025
    risk 0.00cvss epss 0.00

    API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

  • CVE-2025-62503Oct 30, 2025
    risk 0.00cvss epss 0.00

    User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

  • CVE-2025-61581Oct 16, 2025
    risk 0.00cvss epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Router component could specify malicious…

  • CVE-2025-54539Oct 16, 2025
    risk 0.00cvss epss 0.02

    A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2.3.0, when establishing connections to untrusted AMQP servers. Malicious servers could exploit…

  • CVE-2025-30001Oct 10, 2025
    risk 0.00cvss epss 0.01

    Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue.

  • CVE-2025-61622Oct 1, 2025
    risk 0.00cvss epss 0.41

    Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized data from untrusted sources. An…

  • CVE-2025-54831Sep 26, 2025
    risk 0.00cvss epss 0.01

    Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this…

  • CVE-2025-58457Sep 24, 2025
    risk 0.00cvss epss 0.00

    Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.…

  • CVE-2025-59328Sep 15, 2025
    risk 0.00cvss epss 0.01

    A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of…

  • CVE-2025-48208Sep 9, 2025
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat . The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful…

  • CVE-2025-24404Sep 9, 2025
    risk 0.00cvss epss 0.00

    XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability. This issue…

  • CVE-2025-58782Sep 8, 2025
    risk 0.00cvss epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for…

  • CVE-2024-43166Sep 3, 2025
    risk 0.00cvss epss 0.01

    Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

  • CVE-2024-43115Sep 3, 2025
    risk 0.00cvss epss 0.00

    Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

  • CVE-2025-50977Aug 27, 2025
    risk 0.00cvss epss 0.00

    A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular…

  • CVE-2025-26467Aug 25, 2025
    risk 0.00cvss epss 0.00

    Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on…

  • CVE-2025-54812Aug 22, 2025
    risk 0.00cvss epss 0.01

    Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or…

  • CVE-2025-54813Aug 22, 2025
    risk 0.00cvss epss 0.01

    Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as…

  • CVE-2024-48988Aug 22, 2025
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and…

  • CVE-2025-53192Aug 18, 2025
    risk 0.00cvss epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue​, the OGNL engine parses and evaluates the provided…

  • CVE-2025-54466Aug 15, 2025
    risk 0.00cvss epss 0.14

    Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.…

  • CVE-2025-55675Aug 14, 2025
    risk 0.00cvss epss 0.00

    Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL,…

  • CVE-2025-55674Aug 14, 2025
    risk 0.00cvss epss 0.01

    A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended…

  • CVE-2025-55672Aug 14, 2025
    risk 0.00cvss epss 0.01

    A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's…

  • CVE-2025-55673Aug 14, 2025
    risk 0.00cvss epss 0.01

    When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the…

  • CVE-2025-54472Aug 14, 2025
    risk 0.00cvss epss 0.01

    Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated…

  • CVE-2025-48913Aug 8, 2025
    risk 0.00cvss epss 0.01

    If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to…

  • CVE-2024-51775Aug 3, 2025
    risk 0.00cvss epss 0.00

    Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs.  This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. …

  • CVE-2024-41177Aug 3, 2025
    risk 0.00cvss epss 0.01

    Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.

  • CVE-2024-52279Aug 3, 2025
    risk 0.00cvss epss 0.01

    Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes…

  • CVE-2025-54656Jul 30, 2025
    risk 0.00cvss epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering.…

  • CVE-2025-54090Jul 23, 2025
    risk 0.00cvss epss 0.01

    A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.

  • CVE-2025-50151Jul 21, 2025
    risk 0.00cvss epss 0.01

    File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.

  • CVE-2025-49656Jul 21, 2025
    risk 0.00cvss epss 0.01

    Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue.

  • CVE-2025-48795Jul 15, 2025
    risk 0.00cvss epss 0.01

    Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing…

  • CVE-2025-53689Jul 14, 2025
    risk 0.00cvss epss 0.00

    Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta…

  • CVE-2024-41169Jul 12, 2025
    risk 0.00cvss epss 0.01

    The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes…

  • CVE-2025-48924Jul 11, 2025
    risk 0.00cvss epss 0.02

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can…

  • CVE-2025-53020Jul 10, 2025
    risk 0.00cvss epss 0.04

    Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

Page 28 of 52